General
NTDS Domain Controller
New Technologies Directory Services (NTDS) is the database containing all Active Directory data, including objects, attributes, credentials, etc. The NTDS.dit data consists of three tables:
- Schema table: contains the types of objects and their relationships.
- Link table: contains the objects' attributes and their values.
- Data table: contains users and groups.
NTDS is located in C:\Windows\NTDS by default, and it is encrypted to prevent data extraction from a target machine. Accessing the NTDS.dit file on a running domain controller is not possible directly, since the file is in use by Active Directory and locked. However, there are various ways to gain access to it.
It is important to note that decrypting the NTDS file requires the system Boot Key in order to decrypt the LSA isolated credentials, which are stored in the SECURITY hive. Therefore, we must also dump the SECURITY file along with the other files required for decryption.
Commands
Ntdsutil
Ntdsutil is a Windows utility used to manage and maintain Active Directory configurations. It can be used in various scenarios, such as:
- Restoring deleted objects in Active Directory.
- Performing maintenance on the AD database.
- Managing Active Directory snapshots.
- Setting the Directory Services Restore Mode (DSRM) administrator password.
For more information about Ntdsutil, you may visit the Microsoft documentation page.
Local Dumping (No Credentials)
This is usually done if you have no credentials available but have administrator access to the domain controller. Therefore, we will be relying on Windows utilities to dump the NTDS file and crack the hashes offline. As a requirement, we first assume we have administrator access to a domain controller.
To successfully dump the content of the NTDS file we need the following files:
- C:\Windows\NTDS\ntds.dit
- C:\Windows\System32\config\SYSTEM
- C:\Windows\System32\config\SECURITY
The following is a one-liner PowerShell command to dump the NTDS file using the Ntdsutil tool into the C:\temp directory.
Dumping the content of the NTDS file from the Victim Machine
powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"
Now, if we check the c:\temp directory, we see two folders, Active Directory and registry, which contain the three files we need. Transfer them to the AttackBox and run the secretsdump.py script to extract the hashes from the dumped files.
Extract hashes from NTDS Locally
user@machine$ python3.9 /opt/impacket/examples/secretsdump.py -security path/to/SECURITY -system path/to/SYSTEM -ntds path/to/ntds.dit local
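From the defender's side, the IFM dump above is very visible in process-creation telemetry. The following Python script is an added example, not part of the original room: it scans constructed events modelled on the fields of Windows Security event 4688 (NewProcessName, CommandLine) and flags ntdsutil invocations, rating an "ifm" plus "create full" (or "create sysvol") combination as high. Because ntdsutil accepts unambiguous prefixes of its keywords (the page's own command uses 'ac i ntds' for 'activate instance ntds' and 'q' for 'quit'), the matcher compares prefixes rather than full words. The sample events, computer name and usernames are all constructed; command-line logging must be enabled on the DC for the CommandLine field to be populated.

```python
import re

# Constructed sample events modelled on Security event 4688 fields.
# They are not real log exports; computer and account names are made up.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "DC01.thm.red", "SubjectUserName": "Administrator",
     "NewProcessName": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": r"ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"},
    {"EventID": 4688, "Computer": "DC01.thm.red", "SubjectUserName": "svc_backup",
     "NewProcessName": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": r'ntdsutil.exe "activate instance ntds" "ifm" "create full C:\backup\ifm" quit quit'},
    {"EventID": 4688, "Computer": "DC01.thm.red", "SubjectUserName": "Administrator",
     "NewProcessName": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": r"ntdsutil.exe 'ac i ntds' 'snapshot' 'list all' q q"},
    {"EventID": 4688, "Computer": "DC01.thm.red", "SubjectUserName": "svc_backup",
     "NewProcessName": r"C:\Program Files\Backup\backup.exe",
     "CommandLine": r'"C:\Program Files\Backup\backup.exe" /full'},
    # Same dump as the first event, wrapped in powershell and with abbreviated keywords.
    {"EventID": 4688, "Computer": "DC01.thm.red", "SubjectUserName": "Administrator",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'''powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'cr fu c:\temp' q q"'''},
]


def _words(cmdline):
    # ntdsutil takes each sub-command as one quoted argument ('ac i ntds'),
    # so drop the quotes and split on whitespace to get the individual keywords.
    return re.sub(r"""['"]""", " ", cmdline).lower().split()


def _abbrev(token, word):
    # ntdsutil accepts any unambiguous prefix of a keyword, so 'cr fu' is
    # the same as 'create full'. Compare prefixes, not whole words.
    return word.startswith(token)


def classify_ntdsutil(cmdline):
    """'high' for an IFM dump (ifm + create full|sysvol), 'medium' for any other
    ntdsutil invocation, None when ntdsutil is not involved at all."""
    words = _words(cmdline)
    if not any(w.endswith("ntdsutil.exe") or w == "ntdsutil" for w in words):
        return None
    has_ifm = "ifm" in words
    has_create = any(
        _abbrev(w, "create") and i + 1 < len(words)
        and (_abbrev(words[i + 1], "full") or _abbrev(words[i + 1], "sysvol"))
        for i, w in enumerate(words)
    )
    return "high" if has_ifm and has_create else "medium"


def scan_events(events):
    """Run classify_ntdsutil over 4688 events and return one finding per hit."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4688:
            continue
        cmdline = ev.get("CommandLine", "")
        # If command-line logging is off, fall back to the image path:
        # a bare ntdsutil launch on a DC is still worth a look.
        if not cmdline and ev.get("NewProcessName", "").lower().endswith("ntdsutil.exe"):
            cmdline = ev["NewProcessName"]
        severity = classify_ntdsutil(cmdline)
        if severity:
            findings.append({"computer": ev.get("Computer"), "user": ev.get("SubjectUserName"),
                             "severity": severity, "cmdline": ev.get("CommandLine", "")})
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f['severity']:6}] {f['computer']} {f['user']}: {f['cmdline']}")
```

Run against the constructed events, the two full-form dumps and the abbreviated powershell-wrapped one come back as high, the snapshot listing as medium, and the unrelated backup tool is ignored. In practice the same logic can be fed from Sysmon event 1 or an EDR's process table; the prefix matching is the part that is easy to get wrong when writing the rule as a plain substring search for "create full".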
Remote Dumping (With Credentials)
In the previous section, we discussed how to get hashes from memory with no credentials in hand. In this task, we will show how to dump system and domain controller hashes remotely, which requires credentials, such as passwords or NTLM hashes. We also need credentials for users with administrative access to a domain controller, or with the special permissions discussed in the DC Sync section.
DC Sync
DC Sync is a popular attack to perform within an Active Directory environment to dump credentials remotely. This attack works when a compromised account, whether an AD admin account or a special account granted the necessary permissions, holds the following AD permissions:
- Replicating Directory Changes
- Replicating Directory Changes All
- Replicating Directory Changes in Filtered Set
An adversary takes advantage of these configurations to perform domain replication, commonly referred to as "DC Sync", or Domain Controller Sync. For more information about the DC Sync attack, you can visit the THM Persisting AD room (Task 2).
The Persisting AD room uses the Mimikatz tool to perform the DC Synchronisation attack. Let's demonstrate the attack using a different tool, such as the Impacket SecretsDump script.
Performing the DC Sync Attack
user@machine$ python3.9 /opt/impacket/examples/secretsdump.py -just-dc THM.red/<AD_Admin_User>@10.10.65.204
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

Password:
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:[****REMOVED****]:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:[****REMOVED****]:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:[****REMOVED****]:::
thm.red\thm:1114:aad3b435b51404eeaad3b435b51404ee:[****REMOVED****]:::
Let's explain the command a bit more.
- The -just-dc argument is for extracting the NTDS data.
- thm.red/AD_Admin_User is the authenticated domain user, in the form domain/user.
Note: if we are interested in dumping only the NTLM hashes, we can use the -just-dc-ntlm argument as follows.
The DC Sync Attack to Dump NTLM Hashes
user@machine$ python3.9 /opt/impacket/examples/secretsdump.py -just-dc-ntlm THM.red/<AD_Admin_User>@10.10.65.204
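Both secretsdump variants above reach the DC through the same DRSUAPI replication request, and the DC records that request as Security event 4662 against the domain object, with the replication rights listed as GUIDs in the Properties field. The Python script below is an added detection example, not part of the original room: it extracts those GUIDs (the page's three permissions) from constructed 4662-style events and flags any subject that is not a known domain controller computer account, rating a request that includes Replicating Directory Changes All (the right needed to read password hashes) as high. The DC_ACCOUNTS allowlist, account names and object GUIDs in the samples are constructed; the replication-right GUIDs are the real extended-right identifiers from the AD schema.

```python
import re

# Extended-right GUIDs checked by the DC for a replication request. These are
# the three permissions the page lists, in the form they appear in event 4662.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "Replicating Directory Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "Replicating Directory Changes All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "Replicating Directory Changes in Filtered Set",
}
# Only this right lets the requester pull secret attributes such as NT hashes.
SECRETS_RIGHT = "Replicating Directory Changes All"

# Constructed allowlist: in production, take this from the Domain Controllers OU
# rather than hard-coding it.
DC_ACCOUNTS = {"DC01$", "DC02$"}

GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Properties in a real 4662 is a multi-line string of {GUID} entries; the
# samples below reproduce that shape but are constructed, not real exports.
_REPL_ALL = ("Control Access\n"
             "\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
             "\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n"
             "\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}")
_REPL_CHANGES_ONLY = ("Control Access\n"
                      "\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
                      "\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}")

SAMPLE_EVENTS = [
    # Normal DC-to-DC replication: subject is a DC computer account.
    {"EventID": 4662, "SubjectUserName": "DC02$", "SubjectDomainName": "THM",
     "AccessMask": "0x100", "Properties": _REPL_ALL},
    # secretsdump -just-dc run as a user account: this is what DC Sync looks like.
    {"EventID": 4662, "SubjectUserName": "thm", "SubjectDomainName": "THM",
     "AccessMask": "0x100", "Properties": _REPL_ALL},
    # A user holding only Replicating Directory Changes: no secrets, still unusual.
    {"EventID": 4662, "SubjectUserName": "backup_admin", "SubjectDomainName": "THM",
     "AccessMask": "0x100", "Properties": _REPL_CHANGES_ONLY},
    # A workstation machine account asking for secrets: ends with '$' but is not a DC.
    {"EventID": 4662, "SubjectUserName": "WS01$", "SubjectDomainName": "THM",
     "AccessMask": "0x100", "Properties": _REPL_ALL},
    # Unrelated 4662 on a user object: no replication rights involved.
    {"EventID": 4662, "SubjectUserName": "thm", "SubjectDomainName": "THM",
     "AccessMask": "0x10", "Properties": "Read Property\n\t{bf967aba-0de6-11d0-a285-00aa003049e2}"},
]


def replication_rights_in(properties):
    """Names of the replication rights referenced in a 4662 Properties field."""
    return {REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(properties)
            if g.lower() in REPLICATION_RIGHTS}


def scan_4662(events, dc_accounts=DC_ACCOUNTS):
    """Flag replication requests from anything that is not a known DC account."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = replication_rights_in(ev.get("Properties", ""))
        if not rights:
            continue
        user = ev.get("SubjectUserName", "")
        if user in dc_accounts:
            continue  # expected: domain controllers replicate with each other
        # Do not trust the trailing '$' alone; only allowlisted DC accounts are exempt.
        severity = "high" if SECRETS_RIGHT in rights else "medium"
        findings.append({"user": user, "domain": ev.get("SubjectDomainName"),
                         "severity": severity, "rights": sorted(rights)})
    return findings


if __name__ == "__main__":
    for f in scan_4662(SAMPLE_EVENTS):
        print(f"[{f['severity']:6}] {f['domain']}\\{f['user']}: {', '.join(f['rights'])}")
```

The allowlist of DC computer accounts is deliberate: a compromised workstation account also ends in "$", so "ignore anything ending with $" would miss the WS01$ case above. Auditing of directory service access must be enabled, with a SACL on the domain object for Control Access, for the DC to write these 4662 events in the first place; also expect legitimate non-DC requesters (such as directory synchronisation services) to need their own allowlist entries.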
Once we have obtained the hashes, we can either use the hash of a specific user to impersonate that user, or crack the hash using cracking tools such as hashcat. We can use hashcat mode 1000 (-m 1000) to crack Windows NTLM hashes as follows:
Cracking the NTLM Hashes with Hashcat
user@machine$ hashcat -m 1000 -a 0 /path/to/ntlm_hashes.txt /path/to/wordlist/such/as/rockyou.txt