NTDS Domain Controller

New Technologies Directory Services (NTDS) is the database that holds all Active Directory data, including objects, attributes, credentials, and so on. The data in NTDS.dit is organised in three tables.

  • Schema table: contains the types of objects and their relationships.
  • Link table: contains the objects' attributes and their values.
  • Data table: contains users and groups.

NTDS.dit is located in C:\Windows\NTDS by default, and it is encrypted to prevent data extraction from a target machine. The file cannot simply be copied from a running domain controller, because Active Directory keeps it open and locked.

Note

Decrypting the NTDS file requires the system boot key in order to decrypt the LSA isolated credentials, which are stored in the SECURITY hive. Therefore we must also dump the SECURITY hive, since it holds the material required for decryption.


Local Dumping (No Credentials)

Required Privileges: Administrators

This approach is used when no credentials are available but we have administrator access to the domain controller itself. We therefore rely on built-in Windows utilities to dump the NTDS file and crack the hashes offline.

To successfully dump the content of the NTDS file we need the following files:

  • C:\Windows\NTDS\ntds.dit
  • C:\Windows\System32\config\SYSTEM
  • C:\Windows\System32\config\SECURITY

The following one-liner uses the Ntdsutil tool to dump the NTDS file (together with the registry hives) into the C:\temp directory.

powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full C:\temp' q q"

After that we can transfer the dumped files to our machine and run Impacket's secretsdump.py script to extract the hashes from them.

secretsdump.py -security path/to/SECURITY -system path/to/SYSTEM -ntds path/to/ntds.dit LOCAL

Remote Dumping (With Credentials)

Required Privileges: Administrators - Replicating Directory Changes
Requirements: NTLM Hash or Valid Credentials

System and domain controller hashes can also be dumped remotely, which requires credentials such as passwords or NTLM hashes. The credentials must belong to a user with administrative access to a domain controller or with the special replication permissions described below.

DC Sync

This attack works when a compromised account (either an AD administrator account or a special-purpose account with the necessary permissions) holds the following AD permissions.

  • Replicating Directory Changes
  • Replicating Directory Changes All
  • Replicating Directory Changes in Filtered Set

These permissions allow the account to request domain replication from a domain controller, commonly referred to as DCSync (Domain Controller Sync).

:: [-just-dc] - Extract the NTDS Data.
secretsdump.py -just-dc DC.GREEN/<AD Administrator>@IP

:: Dump Only the NTLM Hashes
secretsdump.py -just-dc-ntlm DC.GREEN/<AD Administrator>@IP
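As an added defensive example (not part of the original page), the Python below flags DCSync activity in Windows Security log Event ID 4662 records by matching the control-access GUIDs of the three replication rights listed above and reporting any principal that is not a known domain controller machine account. The event lines are constructed for the example, and the allowlist of DC accounts (for instance DC01$) is an assumption.

```python
import re

# Control-access right GUIDs that Windows records in the Properties field
# of Event ID 4662 when directory replication rights are exercised.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

GUID_RE = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")
# Key=Value pairs; a value runs until the next " Key=" so Properties may contain spaces.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

# Constructed sample events in a flattened key=value form (not real log exports).
# The last GUID in the third line is a placeholder that is not a replication right.
SAMPLE_EVENTS = [
    "EventID=4662 SubjectUserName=DC01$ SubjectDomainName=GREEN "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=jdoe SubjectDomainName=GREEN "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=svc_backup SubjectDomainName=GREEN "
    "Properties={00000000-0000-0000-0000-000000000000}",
    "EventID=4624 SubjectUserName=jdoe SubjectDomainName=GREEN LogonType=3",
]


def parse_event(line):
    """Turn one flattened event line into a dict of its fields."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def detect_dcsync(lines, allowed_replicators):
    """Return one finding per 4662 event in which a principal outside the
    allowlist (normally the DC machine accounts, plus any sanctioned sync
    service such as an Azure AD Connect account) used a replication right."""
    findings = []
    for line in lines:
        event = parse_event(line)
        if event.get("EventID") != "4662":
            continue
        rights = [REPLICATION_GUIDS[g.lower()]
                  for g in GUID_RE.findall(event.get("Properties", ""))
                  if g.lower() in REPLICATION_GUIDS]
        if not rights:
            continue  # 4662 for some other object access, not replication
        user = event.get("SubjectUserName", "")
        if user in allowed_replicators:
            continue  # expected DC-to-DC replication
        findings.append({"user": user, "domain": event.get("SubjectDomainName", ""), "rights": rights})
    return findings
```

Auditing of "Directory Service Access" must be enabled and a SACL on the domain object must cover the replication rights, otherwise no 4662 events are written for DCSync at all.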

Once we have obtained the hashes, we can either use the hash of a specific user to impersonate that user, or crack the hash using hashcat.

hashcat -m 1000 <NTLM Hashes> <Wordlist> --force