In previous projects, I have been tasked with auditing Active Directory passwords as well as compromising an Active Directory Domain Controller. In both instances, I used the following methods to extract the ntds.dit file for use on my local system in order to extract and crack the hashes.
Whether obtaining a shell or logging into the Domain Controller (DC), I used the DC's vssadmin application to create a shadow copy.
Next, I created a directory (on the DC) of C:\extract and then copied the ntds.dit file from the shadow copy to the newly created directory.
I then copied the SYSTEM file from the shadow copy using the reg SAVE command. In a future step, I needed this key in order to extract the hashes.
I had some issues when I was originally trying to extract the SYSTEM file. In this instance, I was using an exploited shell. So, I killed the session and then established a new shell to get around the error.
After downloading the C:\extract directory to my attacking system, I did a little housekeeping by deleting the C:\extract directory on the DC as well as the shadow copy.
With the files transferred to my local system, I downloaded and installed Impacket. Within Impacket, there was a Python script that I used in order to extract the hashes from the ntds.dit file.
Installing Impacket was easy when utilizing the setup.py within the extracted Impacket directory.
python setup.py install
After Impacket was installed, I used the secretsdump.py Python script to extract the hashes.
python /opt/impacket/examples/secretsdump.py -ntds ~/Extract/ntds.dit -system ~/Extract/SYSTEM -hashes lmhash:nthash LOCAL -outputfile ntlm-extract
· -ntds: location and name of the ntds.dit file
· -system: location and name of the SYSTEM hive
· -hashes lmhash:nthash: NTLM hash
· LOCAL: parse files on the local system
· -outputfile: location and name of the output file. Extensions are automatically added based on content extracted
Note: The size of the ntds.dit file will determine the amount of time it will take to extract the hashes (from a few minutes to a few days).
Next, I used Hashcat to crack the hashes. However, I wanted to add the user information to the cracked hash and cleartext password. To accomplish this, I used two different methods with Hashcat.
The first method cracked the hash and stored the cracked hash to a file named cracked.out as well as to a pot file of hashcat.pot. Since I was dealing with a larger ntds.dit file, I wanted to have one master file with the hashes as well as use different file names when executing Hashcat with different rules and wordlists.
hashcat -m 1000 -w 3 -a 0 -p : --session=all --username -o ~/Extract/cracked.out --outfile-format=3 ~/Extract/ntlm-extract.ntds ~/rockyou.txt --potfile-path ~/Extract/hashcat.pot
· -m 1000: NTLM hash
· -w 3: workload with tuned profile
· -a 0: straight attack mode
· -p :: separator character (:) for the out file
· --session=all: all sessions
· --username: ignore usernames in hash file
· -o: outfile location and name
· --outfile-format=3: out file format of “hash[:salt]:plain”
· --potfile-path: pot file location and name
The second method used the pot file of cracked hashes against the contents of the extracted ntds file and output the data to a new outfile.
hashcat -m 1000 -w 3 -a 0 -p : --session=all --username --show -o ~/Extract/cracked_1.out --outfile-format=3 ~/Extract/ntlm-extract.ntds --potfile-path ~/Extract/cracked.out
· --show: show cracked passwords only
In closing, I know there are other automated tools that would help expedite some of these processes. However, I wanted to start off with learning the basics prior to exploring different methods and applications for extracting and cracking NTDS.dit.
This article is made available for educational purposes only!!! In addition, this article provides general information on cyber security topics used for “Ethical Hacking”.
Persons accessing this information assume full responsibility for the use and agree to not use this content for any illegal purpose. Furthermore, the author is not liable for any direct or indirect damages or expense incurred which may result from the use of the information covered within this article.
Information within this article is “as is”, without warranty of any sort.