Geoff Jones 5 February, 2014

Obtaining NTDS.Dit Using In-Built Windows Commands

Further to our article on Password Audit of a Domain Controller, we've discovered a couple of short-cuts that greatly simplify the process.

Using the same underlying technique (Volume Shadow Service), there is an in-built command (Windows 2008 and later) that does a backup of the crucial NTDS.dit file, and the SYSTEM file (containing the key required to extract the password hashes), without the need to use VB Script, third-party tools or injecting into running processes.

All you need is a command prompt running with administrator privileges, and the following commands:

C:\>ntdsutil
ntdsutil: activate instance ntds
ntdsutil: ifm
ifm: create full c:\pentest
ifm: quit
ntdsutil: quit
ntdsutil in action

Copy/move the created folder from the target DC to your machine, and you have all necessary files to conduct an offline password audit of the domain.

If you want to perform in-depth analysis of the directory (e.g. group membership), we'd currently recommend esedbtools and NTDSXtract. If you're running Windows, there is a new tool on the block - named ntds_decode.exe (referenced here - http://insecurety.net/?p=884), which seems to work fine in our lab, without requiring a number of rather convoluted steps to achieve our goal. Unfortunately source code isn't available at this moment in time, so take normal precautions before running.

Improve your security

Our experienced team will identify and address your most critical information security concerns.