Dumping Hashes from Domain Controller
There are two ways to get hashes from a remote server:
- You can inject some malicious code into the lsass.exe process and then go through process memory to get hashes;
- You can get the database that lsass.exe syncs with and get hashes from it.
We will use the second option because injecting code isn't that stable: you can crash the process if something goes wrong.
Of course, you need local admin rights in both cases.
Copying NTDS database
User hashes (including hashes of old passwords) are stored in the ntds.dit file, which is located at C:\Windows\NTDS by default (but not always).
ntds.dit is a database file. A part of it (the most frequently used part) is kept in memory.
lsass.exe can request this file when it has to. If there are changes (like a password change), lsass.exe pushes them into a log file, and that file is then lazily copied into ntds.dit.
ntds.dit consists of 3 tables and stores information about domain users. The file is locked by the operating system. To access it we have to create a shadow copy of the C: volume first. To do so we can use a standard Windows utility, the Volume Shadow Copy Service (VSS), which is used for backups:
vssadmin.exe create shadow /for=C:
It'll create a copy of volume C:. The copy is not locked, so we can access files on it. Then we need to copy two files:
copy \\?\GLOBALROOT\Device\Harddisk...Copy1\Windows\NTDS\ntds.dit C:\
copy \\?\GLOBALROOT\Device\Harddisk...Copy1\Windows\system32\config\system
We must copy them to our own system so that we can extract hashes locally with other utilities.
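From the defender's side, the two steps above (a shadow copy being created, then ntds.dit or the SYSTEM hive being read through the GLOBALROOT shadow device path) are what process-creation telemetry should be watched for. The following detection logic is an added example written for this page, not code from the original post or from impacket; the event records are constructed (Sysmon event 1 / Security 4688 style fields) and the full HarddiskVolumeShadowCopy1 device path is an assumption standing in for the abbreviated path above.

```python
import re

# Constructed process-creation records, not from a real host: the two commands
# from the text on a domain controller, plus benign noise that must not alert.
SAMPLE_EVENTS = [
    {"host": "DC01", "user": "CORP\\backupsvc", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmd": "vssadmin.exe create shadow /for=C:"},
    {"host": "DC01", "user": "CORP\\backupsvc", "image": "C:\\Windows\\System32\\cmd.exe",
     "cmd": "copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\NTDS\\ntds.dit C:\\"},
    {"host": "DC01", "user": "CORP\\backupsvc", "image": "C:\\Windows\\System32\\cmd.exe",
     "cmd": "copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\system32\\config\\system C:\\"},
    {"host": "WS07", "user": "CORP\\alice", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmd": "vssadmin.exe list shadows"},
    {"host": "DC01", "user": "CORP\\alice", "image": "C:\\Windows\\explorer.exe",
     "cmd": "explorer.exe"},
]

# Step 1 of the procedure: a shadow copy is created with vssadmin.
SHADOW_CREATE = re.compile(r"vssadmin(\.exe)?\s+create\s+shadow", re.I)
# Step 2: a file is read through the shadow device path (assumed full form of the
# abbreviated path in the text) and that file is ntds.dit or the SYSTEM hive.
SHADOW_DEVICE = re.compile(r"GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\d+", re.I)
SENSITIVE_FILES = re.compile(r"(ntds\.dit|\\config\\system)\b", re.I)

def classify(event):
    """Return a finding label for one event, or None if it is not interesting."""
    cmd = event["cmd"]
    if SHADOW_CREATE.search(cmd):
        return "shadow_copy_created"
    if SHADOW_DEVICE.search(cmd) and SENSITIVE_FILES.search(cmd):
        return "sensitive_file_read_from_shadow"
    return None

def detect(events):
    """Group findings per (host, user). The same user creating a shadow copy and
    then reading ntds.dit / SYSTEM from it is the high-confidence pattern;
    either indicator alone is only a lead (backup software also creates shadows)."""
    findings = {}
    for ev in events:
        label = classify(ev)
        if label:
            findings.setdefault((ev["host"], ev["user"]), set()).add(label)
    alerts = []
    for (host, user), labels in findings.items():
        severity = "high" if len(labels) == 2 else "low"
        alerts.append({"host": host, "user": user, "severity": severity,
                       "indicators": sorted(labels)})
    return alerts
```

Running detect(SAMPLE_EVENTS) yields one high-severity alert for CORP\backupsvc on DC01 and nothing for the "vssadmin list shadows" noise; in production the same rule would be fed from the SIEM's process-creation events rather than the embedded list.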
In order to decrypt hashes from ntds.dit the following steps are necessary:
- decrypt the PEK with the bootkey;
- first round of hash decryption (with PEK and RC4);
- second round of hash decryption (DES).
PEK is used to encrypt data in ntds.dit. This key is the same within a whole domain, so it's the same on every DC. PEK is stored in ntds.dit and is encrypted by the bootkey.
The bootkey can be collected from the SYSTEM registry hive, and it is different on every domain controller.
Use secretsdump.py, which is a part of impacket, to extract hashes automatically:
secretsdump.py -system system -ntds ntds.dit LOCAL -outputfile dump
If you want to dump password history too, use the corresponding secretsdump.py option.
Be patient: it's a bit slow in the beginning. That's it. We've got 3 dump files: the file with plaintext passwords, the file with NT/LM hashes and the file with Kerberos hashes.
aad3b435b51404eeaad3b435b51404ee in the LM hash column of the NTLM file indicates that there is no LM hash and only the NT hash is present.