NTDS
The NTDS.dit file (NTDS) is a database that stores confidential Active Directory information such as usernames, objects, groups, and password hashes. Once the NTDS.dit file has been retrieved, an attacker can effectively impersonate any member of the domain. This file is stored on domain controllers, meaning that full domain compromise has to occur before it can be retrieved.
Exploitation
CrackMapExec and Impacket are the easiest ways to remotely dump the NTDS.dit after Domain Administrator credentials have been obtained:
Alternatively, an attacker can dump the NTDS.dit manually if they have a shell on a Domain Controller:
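From the defender's side, a starting point for catching the on-host path is to alert on any process on a domain controller whose command line names ntds.dit. The sketch below is an added example, not code from the original page; the event fields are a constructed simplification of process-creation telemetry (Security 4688 with command-line logging, or Sysmon Event ID 1), and the host names, the allow-listed backup agent and example-tool.exe are hypothetical.

```python
import re

# Assumptions (hypothetical): this environment's DCs and one allow-listed backup agent.
DOMAIN_CONTROLLERS = {"dc01", "dc02"}
ALLOWED_IMAGES = {r"c:\program files\examplebackup\agent.exe"}
DEFAULT_DB = r"c:\windows\ntds\ntds.dit"   # default database location on a DC
DB_REF = re.compile(r"[^\s,;=]*ntds\.dit")  # whitespace-delimited token ending in ntds.dit

def normalise(cmd):
    """Lower-case, drop quotes and cmd.exe carets, expand %SystemRoot%/%windir%."""
    cmd = cmd.lower().replace("^", "").replace('"', "").replace("'", "")
    return re.sub(r"%(systemroot|windir)%", lambda m: r"c:\windows", cmd)

def detect(events):
    """Return one alert per DC process-creation event that references ntds.dit."""
    alerts = []
    for ev in events:
        if ev["host"].lower() not in DOMAIN_CONTROLLERS:
            continue  # scope of this sketch: DC telemetry only
        if ev["image"].lower() in ALLOWED_IMAGES:
            continue  # expected reader, e.g. the backup agent
        paths = DB_REF.findall(normalise(ev["cmd"]))
        if not paths:
            continue
        # Heuristic: a reference outside the default location suggests a staged copy.
        staged = [p for p in paths if p != DEFAULT_DB]
        alerts.append({"host": ev["host"], "user": ev["user"], "paths": paths,
                       "severity": "critical" if staged else "high"})
    return alerts

# Constructed sample events; every host, user and command is made up.
SAMPLE_EVENTS = [
    {"host": "DC01", "user": r"CORP\adm.jdoe", "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'example-tool.exe "%SystemRoot%\NTDS\nt^ds.dit" C:\Temp\out'},
    {"host": "DC02", "user": r"CORP\svc.app", "image": r"C:\Temp\example-tool.exe",
     "cmd": r"example-tool.exe C:\Temp\stage\NTDS.DIT"},
    {"host": "DC01", "user": r"CORP\backup_svc",
     "image": r"C:\Program Files\ExampleBackup\agent.exe",
     "cmd": r"agent.exe --include C:\Windows\NTDS\ntds.dit"},
    {"host": "DC01", "user": r"CORP\adm.jdoe", "image": r"C:\Windows\System32\ipconfig.exe",
     "cmd": "ipconfig /all"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Only events with a recorded command line can match, so this depends on command-line auditing being enabled on every domain controller.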