Dumping Hashes from Domain Controller

There are two ways to get hashes from a remote server:

We will use the second option because injecting code isn’t that stable: you can crash the process if something goes wrong.

Of course, you need local admin rights in both cases.

Copying NTDS database

User hashes (including hashes of old passwords) are stored in the ntds.dit file, which is located at C:\Windows\NTDS by default (though not always).

Actually, ntds.dit is a database file. A part of it (the most frequently used) is kept in memory. lsass.exe can request this file if it has to. If there are changes (like a password change), lsass.exe pushes them into a log file, and that file is then lazily merged into ntds.dit [1].

ntds.dit consists of 3 tables and stores information about domain users [2]. The file is locked by the operating system. To access it we have to create a shadow copy of the C: volume first. To do so we can use a standard Windows utility that is used for backups – the Volume Shadow Copy Service, or VSS:

vssadmin.exe create shadow /for=C:

It’ll create a copy of volume C:. The copy is not locked, so we can access files on it. Then we need to copy two files:

copy \\?\GLOBALROOT\Device\Harddisk...Copy1\Windows\NTDS\ntds.dit C:\
copy \\?\GLOBALROOT\Device\Harddisk...Copy1\Windows\system32\config\system

Do not use cp; use copy instead.

We then copy them to our own system so that we can extract the hashes locally with other tools.

Decryption

In order to decrypt the hashes from ntds.dit, the following steps are necessary:

  1. decrypt the PEK with the bootkey (RC4);
  2. first round of hash decryption (with the PEK and RC4);
  3. second round of hash decryption (DES).

The PEK is used to encrypt data in ntds.dit. This key is the same within a whole domain, so it’s the same on every DC. The PEK is stored in ntds.dit and is itself encrypted with the bootkey. The bootkey can be collected from the SYSTEM registry hive and is different on every domain controller.

I use secretsdump.py, which is part of Impacket, to extract the hashes automatically:

secretsdump.py -system system -ntds ntds.dit LOCAL -outputfile dump

If you want to dump the password history, use the -history flag.

Be patient – it’s a bit slow in the beginning. That’s it. We’ve got 3 dump files: the file with plaintext passwords, the file with NT/LM hashes and the file with Kerberos hashes.

The value aad3b435b51404eeaad3b435b51404ee in the LM column of the NTLM file indicates that no LM hash is stored and only the NT hash is present.
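As an added example (not from the original post or from Impacket), here is a small Python audit of the NT/LM dump file described above: it parses the name:rid:lm:nt::: records, uses the empty-LM marker to find accounts that still carry an LM hash (LM storage is a weakness worth fixing), and groups accounts by NT hash to spot password reuse. The sample dump is constructed; the names and hash values are made up.

```python
import re
from collections import defaultdict

# Marker secretsdump writes in the LM column when no LM hash is stored.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

# Constructed sample of a dump.ntds file; every value below is made up.
SAMPLE_NTDS = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
corp.local\\alice:1105:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
corp.local\\bob:1106:11223344556677889900aabbccddeeff:abcdefabcdefabcdefabcdefabcdefab:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:ffeeddccbbaa99887766554433221100:::
"""

# One record per line: account name (may carry a domain\ prefix), RID, LM hash, NT hash.
LINE_RE = re.compile(
    r"^(?P<name>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::"
)


def parse_ntds(text):
    """Return (name, rid, lm, nt) tuples, skipping lines that are not hash records."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m["name"], int(m["rid"]), m["lm"].lower(), m["nt"].lower()))
    return records


def audit(records):
    """Flag accounts that still store an LM hash and NT hashes shared by several accounts."""
    lm_present = [name for name, _, lm, _ in records if lm != EMPTY_LM]
    by_nt = defaultdict(list)
    for name, _, _, nt in records:
        by_nt[nt].append(name)
    shared_nt = {nt: names for nt, names in by_nt.items() if len(names) > 1}
    return {"lm_present": lm_present, "shared_nt": shared_nt}


if __name__ == "__main__":
    result = audit(parse_ntds(SAMPLE_NTDS))
    print("Accounts with an LM hash stored:", result["lm_present"])
    for nt, names in result["shared_nt"].items():
        print("NT hash", nt, "shared by:", ", ".join(names))
```

Run it against a real dump by replacing SAMPLE_NTDS with the contents of your dump.ntds file.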

Footnotes