NTDS Secret Extraction
Theory
NTDS Secret
NTDS (Windows NT Directory Services) is the directory services used by Microsoft Windows NT to locate, manage, and organize network resources. The NTDS.dit file is a database that stores the Active Directory data (including users, groups, security descriptors and password hashes). This file is stored on the domain controllers.
Once the secrets are extracted, they can be used for various attacks: credential spraying, stuffing, shuffling, cracking, pass-the-hash, overpass-the-hash or silver or golden tickets.
Practical
Exfiltration
Since the NTDS.dit is constantly used by AD processes such as the Kerberos KDC, it can't be copied like any other file. In order to exfiltrate it from a live domain controller and extract password hashes from it, many techniques can be used.
Just like with SAM & LSA secrets, the SYSTEM registry hive contains enough info to decrypt the NTDS.dit data. The hive file (\system32\config\system) can either be exfiltrated the same way the NTDS.dit file is, or it can be exported with reg save HKLM\SYSTEM 'C:\Windows\Temp\system.save'.
AD Maintenance (NTDSUtil)
NTDSUtil.exe is a diagnostic tool available as part of Active Directory. It has the ability to save a snapshot of the Active Directory data. Running the following command will copy the NTDS.dit database and the SYSTEM and SECURITY hives to C:\Windows\Temp.
The following files can then be exported
C:\Windows\Temp\NTDS\Active Directory\ntds.ditC:\Windows\Temp\NTDS\registry\SYSTEM
If the NTDS database is very large (several gigabytes), the generation of a defragmented backup with ntdsutil consumes a lot of CPU and disk resources on the server, which can cause slowdowns and other undesirable effects on the domain controller.
Secrets Dump
Once the required files are exfiltrated, they can be parsed by tools like secretsdump (Python, part of Impacket) or gosecretsdump (Go, faster for big files).
REFERENCES
Last updated
