Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in %Systemroot%\NTDS\Ntds.dit of a domain controller.
In addition to looking NTDS files on active Domain Controllers, attackers may search for backups that contain the same or similar information.
The following tools and techniques can be used to enumerate the NTDDS file and the contents of the entire Active Directory hashes.
· Volume Shadow Copy
· Secretsdump.py
· Using the in-built Windows tool ntdsutil.exe
· Invoke-NinjaCopy
We learned previously to achieve this goal with secretsdump but here we have also PowerShell Tools and some built-in tools from Windows itself (LOLBINS) I will work with some demonstration such as Ninja Copy and ntdsutil.exe
When using the following commands the windows utility ntdsutil will create a copy in a directory created by the Tool which will save the ntds.dit file and we will have access to it.
With this we can continue and grab the SYSTEM Hive from the Registry Key to decrypt the file and extract the hashes. This can be done offline as well. As DSINternal offer a PowerShell Module that can be used to interact with the file and extract the password hashes.