Dumping the NTDS.dit

What is NTDS.dit:

It is the Active Directory database file on a domain controller, and it stores all of the directory's user-related data:

  • User Information

  • Group Information

  • Security Descriptors

  • and oh yeah, Password Hashes

Step-by-Step Guide to Extract NTDS.DIT Data

Step 1: Using secretsdump.py to Extract NTDS.dit Data

Use the secretsdump.py tool from the Impacket suite to dump the NTDS.dit database remotely.

secretsdump.py MARVEL.local/hawkeye:'Password1@'@192.168.92.129

  • MARVEL.local: The domain name of the target AD environment.

  • hawkeye: The username of the domain user we’re authenticating as.

  • Password1@: The password for the user account.

  • 192.168.92.129: The IP address of the domain controller.

This command retrieves:

  • Usernames.

  • NTLM password hashes.

  • Data from the NTDS.dit file.

This demonstrates how an attacker holding valid domain credentials can extract sensitive information remotely, without ever touching the NTDS.dit file on disk.

Step 2: Dumping Only NTLM Hashes

If you are only interested in NTLM password hashes, you can use the -just-dc-ntlm flag to limit the output.

secretsdump.py MARVEL.local/hawkeye:'Password1@'@192.168.92.129 -just-dc-ntlm

We obtain the NTLM hashes of all accounts in the domain. These hashes can now be used for offline password cracking.

Step 3: Saving the Extracted Hashes

To organize the extracted hashes for cracking, we save them in a text file.

mousepad ntds.txt

The NTLM hashes are now stored in a file named ntds.txt for further processing.

Step 4: Cracking NTLM Hashes with Hashcat

hashcat -m 1000 ntds.txt rockyou.txt

  • -m 1000: Specifies the hash type (1000 = NTLM).

Hashcat hashes each word in the wordlist and compares the result against the NTLM hashes; every match reveals that account's plaintext password.

We retrieve the plaintext passwords for user accounts whose hashes match entries in the wordlist.

Step 5: Viewing Cracked Passwords

After cracking the hashes, we can list all cracked passwords to analyze them further.

hashcat -m 1000 ntds.txt rockyou.txt --show

The cracked passwords are displayed in a clear format, showing each hash and the corresponding plaintext password.

Step 6: Organizing Cracked Credentials

To simplify analysis and usage, we prepare a list of the cracked credentials.

This organized list makes it easier to identify which accounts have weak passwords and prioritize further exploitation.
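The list-building in Step 6 is what a password audit does in practice: join the secretsdump.py output (DOMAIN\user:RID:LMHASH:NTHASH:::) with the hashcat --show output (NTHASH:plaintext) and report which accounts need a reset. The script below is an added example and is not part of the original write-up; every hash and account name in it is a constructed sample, not real data. It goes a little beyond the text by also flagging accounts that share an NT hash (the same password on several accounts) and accounts whose LM hash is not the empty-password value, which means legacy LM hashes are still being stored. The report lists account names only; the plaintexts are never needed for the reset decision, so they are not written out.

```python
"""Audit helper: join secretsdump.py output with hashcat --show output.

Added example, not code from the original post. Input lines are
constructed samples in the formats the two tools emit:
  secretsdump:              DOMAIN\\user:RID:LMHASH:NTHASH:::
  hashcat --show (-m 1000): NTHASH:plaintext
"""
from collections import defaultdict

# LM hash of the empty password; this value means LM storage is disabled for the account.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

# Constructed sample of secretsdump.py output (fabricated hashes, not real account data).
SECRETSDUMP_OUTPUT = """\
MARVEL.local\\Administrator:500:aad3b435b51404eeaad3b435b51404ee:0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f01:::
MARVEL.local\\krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f02:::
MARVEL.local\\hawkeye:1103:aad3b435b51404eeaad3b435b51404ee:0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f03:::
MARVEL.local\\thor:1104:aad3b435b51404eeaad3b435b51404ee:0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f03:::
MARVEL.local\\svc_sql:1105:1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c:0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f04:::
"""

# Constructed sample of `hashcat -m 1000 ntds.txt rockyou.txt --show` output.
HASHCAT_SHOW_OUTPUT = """\
0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f03:Password1@
0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f04:Summer2024!
"""


def parse_secretsdump(text):
    """Return {account: (rid, lm_hash, nt_hash)} from secretsdump-style lines."""
    accounts = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or len(parts[3]) != 32:
            continue  # banner text, blank lines, or non-hash output
        accounts[parts[0]] = (int(parts[1]), parts[2].lower(), parts[3].lower())
    return accounts


def parse_hashcat_show(text):
    """Return {nt_hash: plaintext} from hashcat --show lines."""
    cracked = {}
    for line in text.splitlines():
        nt_hash, sep, plaintext = line.strip().partition(":")
        if sep and len(nt_hash) == 32:
            cracked[nt_hash.lower()] = plaintext
    return cracked


def audit(accounts, cracked):
    """Build the audit report (account names only, no plaintexts).

    weak:  accounts whose NT hash was cracked, i.e. the password is in the wordlist
    reuse: groups of accounts sharing one NT hash, i.e. the same password
    lm:    accounts still storing a real LM hash (legacy, trivially crackable)
    """
    by_hash = defaultdict(list)
    for account, (_rid, _lm, nt) in accounts.items():
        by_hash[nt].append(account)
    weak = sorted(a for a, (_r, _l, nt) in accounts.items() if nt in cracked)
    reuse = sorted(sorted(group) for group in by_hash.values() if len(group) > 1)
    lm = sorted(a for a, (_r, lm_hash, _n) in accounts.items() if lm_hash != EMPTY_LM)
    return {"weak": weak, "reuse": reuse, "lm": lm}


if __name__ == "__main__":
    report = audit(parse_secretsdump(SECRETSDUMP_OUTPUT),
                   parse_hashcat_show(HASHCAT_SHOW_OUTPUT))
    for key, value in report.items():
        print(f"{key}: {value}")
```

On real output, feed the two files in instead of the embedded samples; the `reuse` list is worth checking even when nothing cracks, because a shared hash across accounts means one reset is not enough.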

How Attackers Exploit This:

  • Attackers can use the dumped credentials to authenticate as legitimate users, bypassing security controls.

  • Cracked hashes enable privilege escalation, allowing attackers to target sensitive resources.

Mitigations

  1. Strong Password Policies: Enforce complex passwords that are resistant to dictionary attacks.

  2. Limit Account Privileges: Use the principle of least privilege to minimize the impact of compromised accounts.

  3. Enable Logging and Monitoring: Detect and respond to suspicious activity, such as unexpected NTDS.dit access.

  4. Implement Multi-Factor Authentication (MFA): Even with stolen credentials, MFA adds a layer of security.
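Mitigation 3 can be made concrete. When secretsdump.py dumps a domain controller remotely it does not read the NTDS.dit file; it asks the DC to replicate the directory over the DRSUAPI interface, the same mechanism a DCSync attack uses. With Audit Directory Service Access enabled, the DC records that request as Security Event ID 4662 whose Properties field contains the replication control-access GUIDs. Legitimate replication comes only from other domain controllers (and a known sync service account, if any), so a 4662 with those GUIDs from any other account is the signal to alert on. The detector below is an added example, not code from the original post; the GUIDs are the documented Windows replication extended rights, while the event records, the account names and the allowlist are constructed for this example and a real deployment would load its own.

```python
"""Flag directory replication requests (Event ID 4662) from accounts that are not DCs.

Added example, not code from the original post. Event records are a constructed,
flattened key=value rendering of 4662/4624 events, not real Windows log lines.
"""
import re

# Control-access right GUIDs that appear in the Properties field of a 4662 event
# when directory replication is requested (documented Windows extended rights).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Accounts expected to replicate: DC computer accounts and the sync service account.
# Constructed names for this example.
EXPECTED_REPLICATORS = {"HYDRA-DC$", "MSOL_sync"}

# Constructed events. The last Properties GUID is a placeholder for an ordinary
# attribute read that is not a replication right.
SAMPLE_EVENTS = [
    "EventID=4662 SubjectUserName=HYDRA-DC$ SubjectDomainName=MARVEL ObjectType=domainDNS "
    "Properties={1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=hawkeye SubjectDomainName=MARVEL ObjectType=domainDNS "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=hawkeye SubjectDomainName=MARVEL ObjectType=user "
    "Properties={00000000-0000-0000-0000-000000000001}",
    "EventID=4624 SubjectUserName=hawkeye SubjectDomainName=MARVEL LogonType=3",
]

# key=value pairs; a Properties value may be several {GUID} groups separated by spaces.
FIELD_RE = re.compile(r"(\w+)=(\{[^}]*\}(?:\s+\{[^}]*\})*|\S+)")
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def parse_event(line):
    """Turn one flattened event line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def replication_rights(properties):
    """Names of the replication rights present in a 4662 Properties value."""
    return [REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(properties)
            if g.lower() in REPLICATION_RIGHTS]


def detect_dcsync(lines, expected=EXPECTED_REPLICATORS):
    """Return one alert per 4662 replication request from an unexpected account."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event.get("EventID") != "4662":
            continue
        rights = replication_rights(event.get("Properties", ""))
        if not rights:
            continue  # some other directory access, not replication
        subject = event.get("SubjectUserName", "")
        if subject in expected:
            continue  # a DC or the sync account replicating as designed
        alerts.append({"subject": f"{event.get('SubjectDomainName', '')}\\{subject}",
                       "rights": rights})
    return alerts


if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_EVENTS):
        print(f"ALERT replication request by {alert['subject']}: {', '.join(alert['rights'])}")
```

The check only fires if 4662 is actually being generated, so confirm the DC's audit policy first; and keep the allowlist tight, because an entry for every computer account would also cover an attacker who has compromised one.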
