Crack the password hash (1) – Obtain Active Directory Database with Ntdsutil

Make sure you have proper consent

Introduction

Some company has policy to regularly test all user’s Active Directory password hash with the common or previously leaked password list on the Internet to ensure password security.

There are numerous methods to get user’s password hash. The guide will focus on the auditing process, thus will use the normal procedure rather than any red team methods to complete the task.

Access the server

  • Should work on Microsoft Windows Server 2000 onward, but my testing platform is Server 2016
  • RDP to the target AD server
  • Open elevated command prompt (Open CMD with Run as administrator)

Get the Active Directory database (ntds.dit) by Ntdsutil

Never leave ntds.dit around. Simply say, it is a copy of your whole AD.

Ntdsutil.exe is a command-line tool that provides management facilities for Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). You can use the ntdsutil commands to perform database maintenance of AD DS, manage and control single master operations, and remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled.

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc753343(v=ws.11)
C:\Windows\system32>ntdsutil "ac i ntds" "ifm" "create full c:\temp\ntdsdump" q q

ntdsutil is a interactive shell, but can feed all command in one line as shown above.

  • ac i ntds = activate an instance for AD DS
  • ifm = Creates installation media for writable (full) domain controllers, read-only domain controllers (RODCs), and instances of Active Directory Lightweight Directory Services (AD LDS).
  • create full c:\temp\ntdsdump = Creates installation media for a writable Active Directory domain controller or an AD LDS instance in the specific folder. You can specify only this parameter for an AD LDS instance.
  • first q = quit ifm
  • second q = quit ntdsutil

After that move the file to the offline cracking device and remove the original files.

References