Credential Dumping: NTDS.dit

In this article, you will learn how Active Directory keeps its password hashes in the NTDS.dit file on Windows Server, and then we will walk through several ways to dump those hashes from the file.

Table of Content

  • Introduction to NTDS
    • NTDS Partitions
    • Database Storage Tables
  • Extracting Credentials from NTDS.dit with Multiple Methods
    • FGDump
    • NTDSUtil
    • DSInternals
    • NTDSDumpEx
    • Metasploit
      • NTDS_location
      • NTDS_grabber
      • secretsdump
    • Hash Cracking

Introduction to NTDS

NTDS stands for NT Directory Services and DIT for Directory Information Tree. The Active Directory database lives by default at “C:\Windows\NTDS\ntds.dit”. It is an Extensible Storage Engine (ESE) database that holds every object in the directory, including the password hashes of all domain accounts. A freshly promoted domain controller starts with an Ntds.dit of about 12 MB (Server 2003 onwards), and the engine allows the file to grow to 16 TB. The hashes are not stored in the clear: each one is encrypted with the Password Encryption Key (PEK), which is itself encrypted with the boot key kept in the SYSTEM registry hive. That is why every method below needs the SYSTEM hive alongside ntds.dit.

The Active Directory database is stored in a single NTDS.dit file, which is logically separated into the following directory partitions (naming contexts):

  • Schema partition: the definitions of every object class and attribute the forest can contain; replicated to all domain controllers in the forest.
  • Configuration partition: forest-wide topology such as sites, services, and the domains and trees that make up the forest; also replicated to every domain controller in the forest.
  • Domain partition: the objects of one domain (users, groups, computers, OUs) and their attributes, including the password hashes; replicated only to the domain controllers of that domain.

The data store stores directory information in a single database file called Ntds.dit. In addition, it

Data Store Physical Structure Components

Inside the file the information is kept in a handful of ESE tables. The schema table holds the definitions of all object classes and attributes and how they relate to each other; the link table holds linked attributes, such as group membership, that point from one object to another; and the data table holds the objects themselves, one row per user, group, computer and so on, which is where the encrypted hashes live.

Now that we have an idea of what NTDS.dit contains, it is time to extract some of those precious hashes from the server. For the practical that follows we have a Windows Server configured as a domain controller in our lab; every method that reads the file locally needs administrative rights on that server.

Extracting Credentials from NTDS.dit with Multiple Methods

FGDump

FGDump was created for mass password auditing of Windows systems, which is exactly what an attacker needs to pull hashes from a target machine. It works by pushing pwdump6 and cachedump onto the host and reading the hashes through LSASS at runtime rather than parsing ntds.dit from disk, so expect it to be flagged by antivirus on any current system. For this practical, download FGDump from its download page.

We open a Windows command prompt and change to the directory where FGDump was downloaded, in this case the Downloads folder. Since FGDump ships as an executable, we run it directly from the prompt.

With no parameters, FGDump defaults to a local dump. After auditing the local accounts it reports that the password and cache dumps succeeded. Now let’s take a look at the dumped data.

FGDump writes the hashes to a file with the .pwdump extension, named after the server it was run on (cached domain credentials go to a separate .cachedump file). Reading that file with the type command, as shown in the image below, confirms that FGDump dumped the hashes from the target system in the classic pwdump format, one account per line.

PowerShell: NTDSUtil

Enough with the Windows command prompt; it’s time to move on to PowerShell. Here we use NTDSUtil.exe, a maintenance tool built into every domain controller, so nothing needs to be dropped on disk. We launch PowerShell and run NTDSUtil with a series of parameters: activate the NTDS instance, enter Install From Media (IFM) mode, and create a full media set in a temp directory on the C:\ drive. IFM takes a Volume Shadow Copy so that the live database can be copied consistently, and after working for a while it leaves the ntds.dit file together with the SYSTEM and SECURITY hive files in the temp directory. Because this is a legitimate administrative path, defenders should alert on process-creation events where the ntdsutil command line contains ifm.

We transfer the files to our Kali Linux machine to extract the hashes with secretsdump.py from the Impacket toolkit. All it needs is the path of the SYSTEM hive (for the boot key) and of the NTDS.dit file, with LOCAL as the target, and in a matter of seconds it prints the NT hashes of every account, including machine accounts and the krbtgt account.

DSInternals

DSInternals is a PowerShell framework by Michael Grafnetter for auditing Active Directory security, and it is published in the official PowerShell Gallery. That means Install-Module fetches and installs it in one step (Save-Module only downloads it), which may require relaxing the execution policy on the server. Once the module is installed, we are good to go.

First we use the Get-BootKey cmdlet to extract the boot key from the SYSTEM hive; it is needed because the hashes in ntds.dit are encrypted with a key that only the boot key unlocks. With the boot key in hand, the Get-ADDBAccount cmdlet reads one or more accounts straight from the NTDS.dit file, including secret attributes such as the NT hash, the password history and the Kerberos keys.

Get-ADDBAccount produces a long listing per account; here we show the data of one user on the target machine. We can see that the NTLM hash has been extracted from the NTDS.dit file successfully. The cmdlet also offers output views (Format-Custom with the HashcatNT or JohnNT view) that write the hashes straight into a cracker-ready file.

NTDSDumpEx

Now it’s time to use a third-party tool to attack the NTDS file: NTDSDumpEx. Download it from the linked archive, unzip it, and run the executable against the copied files. It needs the path to the ntds.dit file and to the SYSTEM hive, the same pair of inputs as every tool above, and in no time NTDSDumpEx prints a list of users with their respective hashes.

Remote: Metasploit (NTDS_location)

Metasploit fans need not despair: it handles NTDS.dit just fine. Two post-exploitation modules work side by side to target NTDS; the first, post/windows/gather/ntds_location, merely locates the ntds.dit file. We need a session on the target system with administrative privileges to move forward. Once we have it, we select the module, set its SESSION option to our session identifier and run it, and it reports the location of the NTDS.dit file.

Metasploit (NTDS_grabber)

Moving on, we use another post module, post/windows/gather/ntds_grabber, which copies the NTDS.dit file along with the SAM and SYSTEM hives off the target system. The catch is that it ships them back inside a .cab compressed archive.

The module runs and stores the cab file in the loot location shown in the image. To get at NTDS.dit and the hive files we use the cabextract utility on Kali, which unpacks all three files.

Now that we have NTDS.dit and the hive files at our disposal, we run Impacket’s secretsdump script against them exactly as before.

Remote: Metasploit (secretsdump)

Suppose we obtained the login credentials of a privileged domain account by some other means but cannot access the server interactively. Metasploit’s auxiliary/scanner/smb/impacket/secretsdump module wraps Impacket’s secretsdump and extracts the hashes from NTDS.dit remotely. We provide the IP address of the target machine, the username and the password, and the hashes are displayed on screen within seconds. Under the hood this is a DCSync-style request: the module asks the domain controller to replicate account data over the DRSUAPI interface, so the account used needs replication rights (Domain Admins have them), and the request shows up as directory-replication activity (event ID 4662) coming from a host that is not a domain controller, which is a strong detection signal.

Hash Cracking

To confirm that the extracted hashes can be cracked, we take one and run it through John the Ripper, telling it that the hash format is NT. NT hashes are unsalted MD4 digests of the UTF-16LE password, so a wordlist attack runs at enormous speed and John cracks the password in a matter of seconds. The same property means that any two accounts with the same hash share the same password.

This concludes the various methods for extracting the hashes stored on a Windows domain controller; we covered multiple tools to match the scenarios an attacker may face. Protection starts with minimising who can log on to or administer domain controllers, since every local method above needs those rights, and with treating IFM sets, shadow copies and domain controller backups as the credential dumps they are. Beyond that, log and monitor domain controllers for the activity seen here: ntdsutil, vssadmin or esentutl touching the NTDS path, and directory-replication requests from machines that are not domain controllers. Review who holds these privileges and re-certify them regularly.

Reference: How the Data Store Works

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast.