# NTDS

Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located at %Systemroot%\NTDS\Ntds.dit on a domain controller.

In addition to looking for NTDS files on active Domain Controllers, attackers may search for backups that contain the same or similar information.

The following tools and techniques can be used to obtain the NTDS file and extract the password hashes of the entire Active Directory:

- Volume Shadow Copy
- Secretsdump.py
- The built-in Windows tool ntdsutil.exe
- Invoke-NinjaCopy

**Example**

We previously learned how to achieve this goal with secretsdump, but PowerShell tools and some built-in Windows binaries (LOLBINs) work as well. I will demonstrate a couple of them here: Invoke-NinjaCopy and ntdsutil.exe.

**Ntdsutil.exe**

When the following commands are run, the Windows utility ntdsutil creates a copy of the ntds.dit file in a directory that the tool creates, giving us access to the file.

![](/files/-MRkluRMipgi6QTviiLR)

With this we can continue and grab the SYSTEM hive from the registry, which is needed to decrypt the file and extract the hashes. This can be done offline as well: DSInternals offers a PowerShell module that can interact with the file and extract the password hashes.

**Sample**:

![](/files/-MRklvMsKGzMmNdKyr-y)
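From the defender's side, every step above leaves a process-creation trail on the domain controller: ntdsutil being invoked with its IFM (install-from-media) function, vssadmin creating a shadow copy, and a process reaching for `\NTDS\ntds.dit` inside that shadow copy. The following script is an added example (not part of the original page, not DSInternals or ntdsutil code) that runs a few detection rules over Windows Security event 4688 records. The log lines, the host names `DC01`/`WS042`, the `CONTOSO` accounts and the `EXPECTED_IFM_ACCOUNTS` allowlist are all constructed for the demonstration; the pipe-separated layout is an assumed SIEM export, not a native Windows format.

```python
import re
from dataclasses import dataclass

# Constructed sample telemetry (not real events). Each line mimics the fields a
# SIEM would export from Windows Security event 4688 (process creation) when
# "Include command line in process creation events" is enabled:
#   EventID|Computer|Account|NewProcessName|CommandLine
SAMPLE_EVENTS = [
    r'4688|DC01|CONTOSO\svc-backup|C:\Windows\System32\ntdsutil.exe|ntdsutil.exe "ac i ntds" "ifm" "create full C:\ifm" q q',
    r'4688|DC01|CONTOSO\jdoe|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\jdoe\notes.txt',
    r'4688|DC01|CONTOSO\jdoe|C:\Windows\System32\ntdsutil.exe|ntdsutil.exe "ac i ntds" "ifm" "create full C:\temp" q q',
    r'4688|DC01|CONTOSO\jdoe|C:\Windows\System32\vssadmin.exe|vssadmin.exe create shadow /for=C:',
    r'4688|DC01|CONTOSO\jdoe|C:\Windows\System32\cmd.exe|cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\temp\ntds.dit',
    r'4688|WS042|CONTOSO\jdoe|C:\Windows\System32\cmd.exe|cmd.exe /c dir C:\temp',
]

# Accounts that legitimately run ntdsutil IFM (e.g. a backup job). Assumed for
# the example; an allowlist lowers priority but never suppresses the finding,
# because service accounts are exactly what an attacker would prefer to use.
EXPECTED_IFM_ACCOUNTS = {r"CONTOSO\svc-backup"}

# Detection rules keyed by name; each matches on the command line only.
RULES = {
    "ntdsutil_ifm": re.compile(r"ntdsutil(\.exe)?\b.*\bifm\b", re.I),
    "vss_shadow_created": re.compile(r"vssadmin(\.exe)?\s+create\s+shadow", re.I),
    "ntds_dit_accessed": re.compile(r"\\ntds\\ntds\.dit\b", re.I),
}


@dataclass
class Event:
    event_id: str
    computer: str
    account: str
    process: str
    command_line: str


@dataclass
class Finding:
    event: Event
    rules: list          # names of the rules that fired
    expected: bool       # account is on the maintenance allowlist (review, do not drop)


def parse_event(line: str) -> Event:
    """Split one exported 4688 record into its five fields."""
    parts = line.split("|", 4)
    if len(parts) != 5:
        raise ValueError(f"malformed event record: {line!r}")
    return Event(*parts)


def classify(event: Event) -> list:
    """Return the names of all rules whose pattern appears in the command line."""
    return [name for name, rx in RULES.items() if rx.search(event.command_line)]


def scan(lines) -> list:
    """Run every rule over every 4688 record and collect the hits."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.event_id != "4688":
            continue
        hits = classify(ev)
        if hits:
            findings.append(Finding(ev, hits, ev.account in EXPECTED_IFM_ACCOUNTS))
    return findings


def escalate(findings) -> list:
    """(computer, account) pairs that both created a shadow copy and then read
    ntds.dit out of one: the two-step pattern described above, which is far
    stronger evidence than either event on its own."""
    seen = {}
    for f in findings:
        key = (f.event.computer, f.event.account)
        seen.setdefault(key, set()).update(f.rules)
    return sorted(k for k, rules in seen.items()
                  if {"vss_shadow_created", "ntds_dit_accessed"} <= rules)


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for f in found:
        tag = "expected-maintenance" if f.expected else "UNEXPECTED"
        print(f"{f.event.computer} {f.event.account} [{tag}] {f.rules}: {f.event.command_line}")
    print("escalate:", escalate(found))
```

Run against the constructed sample, the script flags both ntdsutil IFM invocations (one from the allowlisted backup account, one from a user who should never touch it), the shadow copy creation and the ntds.dit copy, and `escalate` singles out `CONTOSO\jdoe` on `DC01` for the full shadow-copy-then-read sequence. The command-line rules only work if command-line auditing is enabled in the audit policy; without it event 4688 carries the process name alone, and the `ntds_dit_accessed` rule in particular has nothing to match on.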

References:

<https://stealthbits.com/blog/extracting-password-hashes-from-the-ntds-dit-file/>

<https://pentestlab.blog/tag/ntds-dit/>

