search

Dumping Domain Controller Hashes Locally and Remotely

Dumping NTDS.dit with Active Directory users hashes

hashtag
No Credentials - ntdsutil

If you have no credentials, but you have access to the DC, it's possible to dump the ntds.dit using a lolbin ntdsutil.exe:

powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"

We can see that the ntds.dit and SYSTEM as well as SECURITY registry hives are being dumped to c:\temp:

We can then dump password hashes offline with impacket:

hashtag
No Credentials - diskshadow

On Windows Server 2008+, we can use diskshadow to grab the ntdis.dit.

Create a shadowdisk.exe script instructing to create a new shadow disk copy of the disk C (where ntds.dit is located in our case) and expose it as drive Z:\

...and now execute the following:

Below shows the ntds.dit got etracted and placed into our c:\exfil folder:

Inside interactive diskshadow utility, clean up the shadow volume:

hashtag
With Credentials

If you have credentials for an account that can log on to the DC, it's possible to dump hashes from NTDS.dit remotely via RPC protocol with impacket:

hashtag
References

Attack Methods for Gaining Domain Admin Rights in Active DirectoryActive Directory & Azure AD/Entra ID Securitychevron-right
https://www.trustwave.com/Resources/SpiderLabs-Blog/Tutorial-for-NTDS-goodness-(VSSADMIN,-WMIS,-NTDS-dit,-SYSTEM)/www.trustwave.comchevron-right
LogoDiskShadow: The Return of VSS Evasion, Persistence, and Active Directory Database Extractionbohopschevron-right
PreviousDumping and Cracking mscash - Cached Domain CredentialsNextDumping Domain Controller Hashes via wmic and Vssadmin Shadow Copy

Last updated