NTDS.DIT Active Directory Passwords & Decryption

Windows Server 2008 Active Directory

We know local user accounts are stored in SAM file and we have previously demonstrated on PASS THE HASH article how to dump/extract use abuse these password equivalent hashes.

In this article we demonstrate/describe some of the attack techniques to gain access to a windows domain controller the techniques to copy NTDS.dit database using built-in tools “living off the land “ the use of WMI, VSSADMIN , PowerShell. A.KA Microsoft post exploitation framework  J

Active directory data is stored in the Ntds.dit ESE database file.  Two copies of Ntds.dit present in separate location on a given domain controller  %SystmRoot%\NTDS\ Ntds.dit  &  %SystemRoot%\System32\Ntds.dit .

These are exclusive locked file meaning they cannot be copied simply using click right and copy to the destination will not work as these files have in use with set of permissions  attribute on.

This of course doesn’t mean we can’t using Build-in tools VSSADMIN or PowerShell to make a copy of the Ntds.dit file locally and infiltrate to our attacking machine for closer offline analysis and password extraction. But of course we need to gain access to the domain controller with local administrative privilege or domain admin in order be able to copy the AD server crown jewels .

Without further ado let’s get to hacking into breaking windows 2008 active directory

Our attacker IP address is set to   

Our target is windows 2008 active directory installed

We already have an administrative account (Credential theft or MS14-068 Kerberos prive escalation

Windows Built-in tools – Welcome to VSSADMIN  .

VSSADMIN is essentially shadow volume copy feature since windows Vista that allows an administrator or “hackers” to take friendly snapshot backups files even when the files are currently in use J  J J  that’s how I feel when I login to a Domain controller…

You already figured out my next move – Yes I will use VSSADMIN built-in tool to copy NTDS.dit and SYSYEM file from the domain controller save it to the disk for remote exfiltration.  You may ask why we need SYSTEM file. Great question, SYSTEM file contains what knows as Boot secret key which used at the windows boot startup for decryption

Quick Scan against domain controller identified port SMB on 445 and Port 88 kerberos authentication protocl .

server_2008_nmapFigure 1 Port scan identified number of open ports from our attacking machine

Credential theft – We use Rdesktop to login to the remote server 2008 AD.

rdesktop_02Figure 2 with administrative access we login to the remote Target windows 2008 server

vssadmin create shadow /for=c:  to creaate a light snapshot

vssadmin-create-copy-03Figure 2 vssadmin built-in windows tool to create a fast snapshot

Next we  use copy command and copy the ntds.dit file to our \windows\ntds\ntds.dit location

copy-ntds-dit-04Figure 3 snapshot of ntds.dit now successfully copied to the c:\ drive

We also need a copy of SYSTEM File to decrypt the NTDS.dit objects

copy-system-dir-04Figure 3 SYSTEM file is copied to c:\ location we need that file to decrypt the ntds file

Now that we have a copy of NTDS.dit and SYSTEM file waiting for final exfiltration to our attacking machine for offline decryption

We use Mount -t cifs to connect the target remote machine specefying the username and password and associate /mnt/

mnt-copiedFigure 4 C$ is mounted to /mnt drive to copy ntds.dit and SYSTEM file for extraction

We use esetUtil.py to look at certain table and grep particular hashes from the NTDS.dit file

bFigure 5 we use esentuil to grep datatable contains hash objects

Next we we use extract datatable from the ntds.dit and pipe it to the output.txt file

ntds-dirFigure 6 Impdump.py we point SYSTEM file and output extract and pipe it to the hashes.txt file

Password equivalent hash extracted from windows active directory server

hashes-textFigure 7 Windows NTLM password hashes

So there we are , NTLM password hashes for PTH & offline decryption





One thought on “NTDS.DIT Active Directory Passwords & Decryption

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s