NTDS.dit & vshadow
The Ntds.dit file is a database that stores Active Directory data, including information about user objects, groups, and group membership. It includes the password hashes for all users in the domain.
The important NTDS.dit file will be located in: %SystemRoom%/NTDS/ntds.dit This file is a database Extensible Storage Engine (ESE) and is "officially" composed by 3 tables:
Windows uses Ntdsa.dll to interact with that file and its used by lsass.exe. Then, part of the NTDS.dit file could be located inside the lsass memory (you can find the lastet accessed data probably because of the performance impruve by using a cache).
Decrypting the hashes inside NTDS.dit
You will need the following files to extract the ntds :
NTDS.dit file
SYSTEM hive (C:\Windows\System32\SYSTEM)
Usually you can find the ntds in two locations : systemroot\NTDS\ntds.dit and systemroot\System32\ntds.dit.
systemroot\NTDS\ntds.ditstores the database that is in use on a domain controller. It contains the values for the domain and a replica of the values for the forest (the Configuration container data).systemroot\System32\ntds.ditis the distribution copy of the default directory that is used when you install Active Directory on a server running Windows Server 2003 or later to create a domain controller. Because this file is available, you can run the Active Directory Installation Wizard without having to use the server operating system CD.
However you can change the location to a custom one, you will need to query the registry to get the current location.
The hash is cyphered 3 times:
PEK have the same value in every domain controller, but it is cyphered inside the NTDS.dit file using the BOOTKEY of the SYSTEM file of the domain controller (is different between domain controllers). This is why to get the credentials from the NTDS.dit file you need the files NTDS.dit and SYSTEM (C:\Windows\System32\config\SYSTEM).
Copying NTDS.dit using Ntdsutil
Available since Windows Server 2008.
or run ntdsutil interactivly:
Vshadow
You could also use the volume shadow copy trick to copy the ntds.dit file. Remember that you will also need a copy of the SYSTEM file (again, dump it from the registry or use the volume shadow copy trick).
You can also use the Nishang script, available at : https://github.com/samratashok/nishang
Using vssadmin
Using DiskShadow (a Windows signed binary)
Using esentutl.exe
Copy/extract a locked file such as the AD Database
Extracting hashes from NTDS.dit
Once you have obtained the files NTDS.dit and SYSTEM you can use tools like secretsdump.py to extract the hashes:
remote NTDS.dit Dump
You can also extract them automatically using a valid domain admin user:
-pwd-last-set: Shows pwdLastSet attribute for each NTDS.DIT account.-user-status: Display whether or not the user is disabled.
Metasploit & Mimikatz Modules
Finally, you can also use the metasploit module:
PowerSploit module
CrackMapExec module
Mimikatz
Dumps credential data in an Active Directory domain when run on a Domain Controller.
This requires administrator access with debug or Local SYSTEM rights.
Crack NTLM hashes with hashcat
Useful when you want to have the clear text password or when you need to make stats about weak passwords.
Recommended wordlists:
Have I Been Powned (https://hashes.org/download.php?hashlistId=7290&type=hfound)
Collection #1 (passwords from Data Breaches, might be illegal to possess)
If the password is not a confidential data (challenges/ctf), you can use online "cracker" like :
Last updated