Dumping the NTDS.dit

What is NTDS.dit :

it is a databserd that used to store thall the user ingormaiton

• User Information

• Group Information

• Security Descriptors

• and oh yeah, Password Hashes

Step-by-Step Guide to Extract NTDS.DIT Data

Step 1: Using secretsdump.py to Extract NTDS.dit Data

Use the secretsdump.py tool from the Impacket suite to dump the NTDS.dit database remotely.

secretsdump.py MARVEL.local/hawkeye:'Password1@'@192.168.92.129

• MARVEL.local: The domain name of the target AD environment.

• hawkeye: The username of the domain user we’re authenticating as.

• Password1@: The password for the user account.

• 192.168.92.129: The IP address of the domain controller.

This command retrieves:

• Usernames.

• NTLM password hashes.

• Data from the NTDS.dit file.

This depicts how an attacker with valid credentials can extract sensitive information remotely.

Using secretsdump.py to Extract NTDS.dit Data

Using secretsdump.py to Extract NTDS.dit Data

Step 2: Dumping Only NTLM Hashes

If you are only interested in NTLM password hashes, you can use the -just-dc-ntlm flag to limit the output.

secretsdump.py MARVEL.local/hawkeye:'Password1@'@192.168.92.129 -just-dc-ntlm

We obtain the NTLM hashes of all accounts in the domain. These hashes can now be used for offline password cracking.

Dumping NTLM Hashes

Step 3: Saving the Extracted Hashes

To organize the extracted hashes for cracking, we save them in a text file.

mousepad ntds.txt

The NTLM hashes are now stored in a file named ntds.txt for further processing.

Mousepad — ntds.txt

Step 4: Cracking NTLM Hashes with Hashcat

hashcat -m 1000 ntds.txt rockyou.txt

• -m 1000: Specifies the hash type (1000 = NTLM).

Hashcat compares each word in the wordlist against the NTLM hashes to find a match, revealing the plaintext passwords.

Cracking NTLM Hashes

Cracking NTLM Hashes

We retrieve the plaintext passwords for user accounts whose hashes match entries in the wordlist.

Step 5: Viewing Cracked Passwords

After cracking the hashes, we can list all cracked passwords to analyze them further.

hashcat -m 1000 ntds.txt rockyou.txt --show

The cracked passwords are displayed in a clear format, showing the hash, and the corresponding plaintext password.

Step 6: Organizing Cracked Credentials

To simplify analysis and usage, we prepare a list of the cracked credentials.

This organized list makes it easier to identify which accounts have weak passwords and prioritize further exploitation.

How Attackers Exploit This:

• Attackers can use the dumped credentials to authenticate as legitimate users, bypassing security controls.

• Cracked hashes enable privilege escalation, allowing attackers to target sensitive resources.

Mitigations

1. Strong Password Policies: Enforce complex passwords that are resistant to dictionary attacks.

2. Limit Account Privileges: Use the principle of least privilege to minimize the impact of compromised accounts.

3. Enable Logging and Monitoring: Detect and respond to suspicious activity, such as unexpected NTDS.dit access.

4. Implement Multi-Factor Authentication (MFA): Even with stolen credentials, MFA adds a layer of security.