Dumping Domain Controller Hashes Locally and Remotely
Dumping NTDS.dit with Active Directory users hashes
No Credentials - ntdsutil
If you have no credentials but do have access to the DC, it's possible to dump the ntds.dit using the LOLBin ntdsutil.exe:
We can see that the ntds.dit, together with the SYSTEM and SECURITY registry hives, is dumped to c:\temp:
We can then dump the password hashes offline with impacket:
No Credentials - diskshadow
On Windows Server 2008+, we can use diskshadow to grab the ntds.dit.
Create a shadowdisk.exe script instructing diskshadow to create a new shadow copy of drive C (where ntds.dit is located in our case) and expose it as drive Z:\
...and now execute the following:
Below shows the ntds.dit extracted and placed into our c:\exfil folder:
Inside the interactive diskshadow utility, clean up the shadow volume:
With Credentials
If you have credentials for an account that can log on to the DC, it's possible to dump hashes from NTDS.dit remotely over RPC with impacket:
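As an added defensive example (not code from the original page), here is a small Python detector for the process-creation telemetry the two local techniques above leave on the DC: ntdsutil run with its "ifm" command, diskshadow driven by a script file, and any process touching the ntds.dit file itself. The event lines, rule names and the "image | command line" format are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (Sysmon ID 1 / Security 4688 style), reduced to
# "image | command line". These sample lines are made up for this example.
SAMPLE_EVENTS = [
    r'C:\Windows\System32\ntdsutil.exe | ntdsutil.exe "ac i ntds" "ifm" "create full c:\temp" q q',
    r'C:\Windows\System32\ntdsutil.exe | ntdsutil.exe "ac i ntds" "info" q q',
    r'C:\Windows\System32\diskshadow.exe | diskshadow.exe /s c:\temp\shadow.txt',
    r'C:\Windows\System32\cmd.exe | cmd.exe /c copy z:\windows\ntds\ntds.dit c:\exfil\ntds.dit',
    r'C:\Windows\System32\cmd.exe | cmd.exe /c copy c:\users\bob\report.docx d:\backup',
    r'C:\Windows\System32\notepad.exe | notepad.exe c:\users\bob\notes.txt',
]

# rule name -> (set of image basenames the rule applies to, or None for any; regex on command line)
RULES = {
    # ntdsutil "ifm" writes ntds.dit plus the SYSTEM/SECURITY hives to disk; "info" does not.
    # IFM is also used legitimately when preparing DC promotion media, so triage by account/host.
    "ntdsutil_ifm_dump": ({"ntdsutil.exe"}, re.compile(r"\bifm\b", re.I)),
    # diskshadow driven by a script file (/s) is how a shadow copy gets created non-interactively
    "diskshadow_scripted": ({"diskshadow.exe"}, re.compile(r"(^|\s)/s\b", re.I)),
    # any command line naming the database file, e.g. a copy out of an exposed shadow volume
    "ntds_dit_file_access": (None, re.compile(r"\\ntds\.dit\b", re.I)),
}

def parse_event(line):
    """Split 'image | cmdline' into (lowercase image basename, cmdline)."""
    image, _, cmdline = line.partition(" | ")
    return PureWindowsPath(image.strip()).name.lower(), cmdline.strip()

def match_rules(line):
    """Return the names of all rules that fire on one event line."""
    image, cmdline = parse_event(line)
    hits = []
    for name, (images, pattern) in RULES.items():
        if images is not None and image not in images:
            continue
        if pattern.search(cmdline):
            hits.append(name)
    return hits

def scan(lines):
    """Return [(rule, line)] for every event that matches at least one rule."""
    return [(rule, line) for line in lines for rule in match_rules(line)]

if __name__ == "__main__":
    for rule, line in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {line}")
```

The remote impacket path in the last section creates no process on the DC, so it is not visible here; it needs directory-replication auditing on the DC instead.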