The very first step is to extract the NTDS database from the domain controller. If you have admin access to the DC this is easy; if you don't, you can use Metasploit or other techniques. In our example we have access to the domain controller, so we can use the native tools to create a snapshot and copy NTDS. Log in to your server using an admin account, open a command prompt and start ntdsutil.
Type the following commands:
activate instance ntds
ifm
create full c:\pen
quit
quit
Your command prompt window should look like this:
After that, in c:\pen you'll have a copy of your ntds.dit, SYSTEM and SECURITY files. Copy them to the Kali Linux machine. To keep things simple, rename the folder Active Directory to AD. Now we can extract the hashes from the NTDS file using secretsdump.py. Run:
/usr/share/doc/python-impacket/examples/secretsdump.py -system registry/SYSTEM -ntds AD/ntds.dit LOCAL -outputfile passwords.hash
Wait until it finishes; it may take a few minutes. Once finished you'll have three new files in the folder: passwords.hash.ntds, passwords.hash.ntds.cleartext and passwords.hash.ntds.kerberos. We will focus on passwords.hash.ntds in our example and will use hashcat with a password list to crack the hashes in it. The command is:
hashcat -m 1000 passwords.hash.ntds /home/audit/passwords.txt
As a result, you'll get the list of cracked hashes. To see the list again you can run:
hashcat -m 1000 --show passwords.hash.ntds
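To turn the two result files into an audit finding list, here is an added Python example (not code from the original post): it parses the pwdump-style lines that secretsdump.py writes to passwords.hash.ntds and the hash:plaintext lines that hashcat --show prints, then reports accounts with a blank password, accounts whose hash was cracked, and accounts that share one NT hash (same password, cracked or not). The sample data is constructed; the NT hash of the empty password is a well-known constant.

```python
import re
from collections import defaultdict

# NT hash of the empty string (MD4 of ""), a well-known constant: any account
# carrying this value has a blank password.
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"

# secretsdump.py writes one pwdump-style line per account:
#   domain\user:rid:lmhash:nthash:::
NTDS_LINE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::", re.I
)

# Constructed sample in the format secretsdump.py produces.
SAMPLE_NTDS = r"""
corp.local\alice:1104:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
corp.local\bob:1105:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
corp.local\svc_backup:1106:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
corp.local\carol:1107:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""
# Constructed sample of 'hashcat -m 1000 --show' output (nthash:plaintext).
SAMPLE_CRACKED = "8846f7eaee8fb117ad06bdd830b7586c:password\n"

def parse_ntds(text):
    """Map each account name to its NT hash (lowercased)."""
    accounts = {}
    for line in text.splitlines():
        m = NTDS_LINE.match(line.strip())
        if m:
            accounts[m["user"]] = m["nt"].lower()
    return accounts

def parse_cracked(text):
    """Map NT hash -> plaintext from hashcat --show lines."""
    cracked = {}
    for line in text.splitlines():
        if ":" in line:
            h, plain = line.strip().split(":", 1)
            cracked[h.lower()] = plain
    return cracked

def audit(ntds_text, cracked_text):
    """Return sorted lists of blank-password, cracked and hash-sharing accounts."""
    accounts, cracked = parse_ntds(ntds_text), parse_cracked(cracked_text)
    by_hash = defaultdict(list)
    for user, nt in accounts.items():
        by_hash[nt].append(user)
    return {
        "blank": sorted(u for u, nt in accounts.items() if nt == EMPTY_NT_HASH),
        "cracked": sorted(u for u, nt in accounts.items() if nt in cracked),
        "reused": sorted(sorted(us) for us in by_hash.values() if len(us) > 1),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_NTDS, SAMPLE_CRACKED))
```

The report deliberately lists account names rather than recovered plaintexts, which is all a remediation ticket needs.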
Enjoy!