Security Notes
  • Whoami
  • Pentesting
    • WEP-Pen
      • Reconnaissance
      • Enumeration
      • OWSAP TOP 10
        • Injection
          • Cross Site Scripting
            • Cross Site Scripting
            • Exploitation
            • Protections
          • SQL Injection
            • SQL Injection Overview
          • NoSQL Injection
          • CRLF Injection
          • XML Injection
        • Broken Access Control
          • Path Traversal
          • Sensitive Cookie with Improper SameSite Attribute
          • Link Following
          • Incorrect Default Permissions
          • Information disclosure
          • CSRF
            • csrf checklist
          • 403 bypass
          • Exposure of WSDL File Containing Sensitive Information
          • bussiness logic checklist
          • 2FA bypass checklist
          • admin panal checklist
          • idor checklist
          • Authentication checklist
          • reset_password_checklist
          • ATO
        • Cryptographic Failures
          • Cryptographic Failure
          • Weak Encoding for Password
          • Improper Following of a Certificate's Chain of Trust
            • Understanding Digital Certificates : Self-Signed and CA-Signed Certificate **
            • Transport Layer Security (TLS) and SSL **
          • Clear Text Transmission Of Sensitive Data
            • SSLStripping **
        • Insecure Design
        • Security Misconfiguration
          • CORS Miscofigration
          • Mail Server Misconfiguration
        • Vulnerable and Outdated Components
          • Using Components with Known Vulnerabilities
        • Identification and Authentication Failures
          • JWT Hacking
          • SAML Authentication bypass
        • Software and Data Integrity Failures
          • mass assignment
          • PostMessage Vulnerabilities
            • PostMessage Vulnerabilities
            • Blocking main page to steal postmessage
            • Bypassing SOP with Iframes - part 1
            • Bypassing SOP with Iframes - part 2
            • Steal postmessage modifying iframe location
        • Security Logging and Monitoring Failures
        • Server-Side Request Forgery (SSRF)
          • SSRF
      • Checklists
        • aem misconfiguration
        • exif_geo
        • xss
        • Session Management
        • Authorization
        • cookie
        • Django
        • Symfony
        • json
        • bypass rate limit
        • Rce
        • Register Page
      • eWPTXv2 Preparation
        • Encoding & Filtering
        • Evasion Basics
        • Cross-site scripting (XSS)
        • XSS Filter Evasion
        • Cross-site request forgery (CSRF
        • HTML5
      • API-Pen
        • API Discovry
        • Reverse Engineering API Documentation
        • Excessive Data Exposure
        • Vulnerability Scanning
        • API Authentication Attacks
          • Classic Authentication Attacks
          • API Token Attacks
        • API Authorization Attacks
          • Broken Object Level Authorization (BOLA)
          • Broken Function Level Authorization
        • Improper Assets Management
        • Mass Assignment
        • SSRF
        • Injection Attacks in API
        • Evasive Maneuvers
        • GraphQL Vulnerabilities
    • NET-Pen
      • Active Directory Pentesting
        • Active Directory Components
        • Initial Attack Vectors
          • LLMNR Poisoning
          • SMB Relay Attacks
          • IPv6 Attacks ( IPv6 DNS Takeover )
          • Printer Hacking
          • Methodology
          • Some Other Attacks
            • Zerologon (CVE-2020-1472)
            • PrintNightmare (CVE-2021-1675)
        • Post-Compromise Attacks
          • Pass Attacks
          • Kerberoasting Attack
          • Token Impersonation Attack
          • LNK File Attack
          • GPP / cPassword Attacks
          • Mimikatz
          • Methodology
        • We've Compromised the Domain
          • Dumping the NTDS.dit
          • Golden Ticket Attacks
          • Methodology
        • Case Study
        • Password Attacks
      • Attack Vectors by Port
        • FTP 21
        • SSH 22
        • Telnet 23 - 2323
        • SMTP 25
        • DNS 53
        • Kerberos 88
        • POP 110-995
        • RPC 111
        • Ident 113
        • NNTP 119
        • NetBIOS 137-138
        • SMB / Samba 135-139, 445
        • MSRPC 135
        • SNMP 161
        • LDAP 389,636
        • Modbus 502
        • OpenSSL 1337
        • Ms-SQL 1433
        • Oracle Listener 1521 1522 1529
        • NFS 2049
        • MySql 3306
        • RDP 3389
        • ADB Android Debug Bridge 5555
        • WinRM 5985 5986
        • VNC 5800 5900
        • Redis 6379
        • Unreal IRC 6667
        • Tomcat 8080
        • MongoDB 27017
        • http 80
      • Network basics
      • Information Gathering
      • Privilege Escalation
        • Windows Privilege Escalation
        • Linux Privilege Escalation
    • write-ups
      • How i found a Privilege Escalation via Impersonation Features feature
      • How I was able to discover ATO Via IDOR vulnerability
      • Easy full Account Takeover via Facebook OAuth Misconfiguration
Powered by GitBook
On this page
  • Step 6: Organizing Cracked Credentials
  • How Attackers Exploit This:
  • Mitigations
  1. Pentesting
  2. NET-Pen
  3. Active Directory Pentesting
  4. We've Compromised the Domain

Dumping the NTDS.dit

What is NTDS.dit :

it is a databserd that used to store thall the user ingormaiton

  • User Information

  • Group Information

  • Security Descriptors

  • and oh yeah, Password Hashes

Step-by-Step Guide to Extract NTDS.DIT Data

Step 1: Using secretsdump.py to Extract NTDS.dit Data

Use the secretsdump.py tool from the Impacket suite to dump the NTDS.dit database remotely.

secretsdump.py MARVEL.local/hawkeye:'Password1@'@192.168.92.129

  • MARVEL.local: The domain name of the target AD environment.

  • hawkeye: The username of the domain user we’re authenticating as.

  • Password1@: The password for the user account.

  • 192.168.92.129: The IP address of the domain controller.

This command retrieves:

  • Usernames.

  • NTLM password hashes.

  • Data from the NTDS.dit file.

This depicts how an attacker with valid credentials can extract sensitive information remotely.

Step 2: Dumping Only NTLM Hashes

If you are only interested in NTLM password hashes, you can use the -just-dc-ntlm flag to limit the output.

secretsdump.py MARVEL.local/hawkeye:'Password1@'@192.168.92.129 -just-dc-ntlm

We obtain the NTLM hashes of all accounts in the domain. These hashes can now be used for offline password cracking.

Step 3: Saving the Extracted Hashes

To organize the extracted hashes for cracking, we save them in a text file.

mousepad ntds.txt

The NTLM hashes are now stored in a file named ntds.txt for further processing.

Step 4: Cracking NTLM Hashes with Hashcat

hashcat -m 1000 ntds.txt rockyou.txt

  • -m 1000: Specifies the hash type (1000 = NTLM).

Hashcat compares each word in the wordlist against the NTLM hashes to find a match, revealing the plaintext passwords.

We retrieve the plaintext passwords for user accounts whose hashes match entries in the wordlist.

Step 5: Viewing Cracked Passwords

After cracking the hashes, we can list all cracked passwords to analyze them further.

hashcat -m 1000 ntds.txt rockyou.txt --show

The cracked passwords are displayed in a clear format, showing the hash, and the corresponding plaintext password.

Step 6: Organizing Cracked Credentials

To simplify analysis and usage, we prepare a list of the cracked credentials.

This organized list makes it easier to identify which accounts have weak passwords and prioritize further exploitation.

How Attackers Exploit This:

  • Attackers can use the dumped credentials to authenticate as legitimate users, bypassing security controls.

  • Cracked hashes enable privilege escalation, allowing attackers to target sensitive resources.

Mitigations

  1. Strong Password Policies: Enforce complex passwords that are resistant to dictionary attacks.

  2. Limit Account Privileges: Use the principle of least privilege to minimize the impact of compromised accounts.

  3. Enable Logging and Monitoring: Detect and respond to suspicious activity, such as unexpected NTDS.dit access.

  4. Implement Multi-Factor Authentication (MFA): Even with stolen credentials, MFA adds a layer of security.

PreviousWe've Compromised the DomainNextGolden Ticket Attacks

Last updated 5 months ago

Using secretsdump.py to Extract NTDS.dit Data
Using secretsdump.py to Extract NTDS.dit Data
Dumping NTLM Hashes
Mousepad — ntds.txt
Cracking NTLM Hashes
Cracking NTLM Hashes