Attacking Active Directory & NTDS.dit

Active Directory (AD) is critical in enterprise networks. If an organization uses Windows, AD is likely present, managing users and resources. This guide covers techniques for extracting credentials using dictionary attacks and dumping password hashes from the NTDS.dit file.


Understanding Windows Domain Authentication

Once a Windows system joins a domain:

  • It stops using the local SAM database for login.

  • All authentication requests go to the Domain Controller (DC).

  • Local logins are still possible using:

    • hostname\username

    • .\username (at login UI)

Key Authentication Components:

  • lsass.exe

  • NTLM & Kerberos protocols

  • Active Directory Domain Services


Dictionary Attacks on AD Accounts

A dictionary attack uses a list of common usernames and passwords to guess valid login credentials. While effective, it’s noisy and easily detected by security systems.

Tools Used:

Common Username Conventions:

Format                  Example for Jane Jill Doe
firstinitiallastname    jdoe
firstnamelastname       janedoe
firstname.lastname      jane.doe
lastname.firstname      doe.jane
nickname                doedoehacksstuff

💡 Tip: Use Google dorks like site:inlanefreight.com filetype:pdf to find usernames in document metadata.

Username List Example:

Generate a list of candidate usernames from the naming conventions above.

Use tools like Username Anarchy.


Launching the Dictionary Attack

CrackMapExec:

  • If a login is successful, CME will indicate it.

  • Failed attempts return STATUS_LOGON_FAILURE.

🛑 Beware of account lockout policies: they are not always enabled by default, but where they are, repeated failed guesses will lock accounts out.


Event Logging of the Attack

An IT admin can see the attack in Event Viewer.

Event ID 4776 in Windows Event Viewer (Security log) will show:

  • Credential validation attempts

  • Details of success/failure
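The detection side of the point above, as an added example that is not part of the original notes: a small analyser that reads Event ID 4776 records and flags a source workstation that fails credential validation against many accounts in a short window, the signature a dictionary attack leaves. The events are constructed and reduced to the 4776 fields that matter (Logon Account, Source Workstation, Error Code); the NTSTATUS meanings are the standard Windows values.

```python
"""Spot dictionary-attack activity in Windows Security Event ID 4776 records.

Added example, not part of the original notes. The events below are
constructed and simplified to the 4776 fields that matter here (Logon
Account, Source Workstation, Error Code); the NTSTATUS meanings are the
standard Windows values. Adapt parse_events() to your own export format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Standard NTSTATUS values seen in the 4776 "Error Code" field.
ERROR_CODES = {
    "0x0": "success",
    "0xC000006A": "wrong password",
    "0xC0000064": "user name does not exist",
    "0xC0000234": "account locked out",
    "0xC0000072": "account disabled",
}

# Constructed sample: timestamp, event id, logon account, source workstation, error code.
# WS01 walks a username list in a few seconds and then lands a valid guess.
SAMPLE_EVENTS = """\
2024-05-01T09:00:01 4776 jdoe WS01 0xC000006A
2024-05-01T09:00:02 4776 janedoe WS01 0xC0000064
2024-05-01T09:00:02 4776 jane.doe WS01 0xC000006A
2024-05-01T09:00:03 4776 doe.jane WS01 0xC0000064
2024-05-01T09:00:04 4776 bsmith WS01 0xC000006A
2024-05-01T09:00:05 4776 asmith WS01 0xC000006A
2024-05-01T09:00:06 4776 jdoe WS01 0x0
2024-05-01T09:05:00 4776 svc_backup FILESRV 0xC000006A
2024-05-01T09:05:40 4776 svc_backup FILESRV 0x0
2024-05-01T10:00:00 4776 mjones WS07 0x0
"""


def parse_events(text):
    """Turn the whitespace-separated sample lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, workstation, code = line.split()
        if event_id != "4776":
            continue
        events.append({
            "time": datetime.fromisoformat(ts),
            "account": account.lower(),
            "workstation": workstation.upper(),
            "code": code,
        })
    return events


def find_guessing_bursts(events, window=timedelta(seconds=60), min_failures=5):
    """Return one finding per source workstation whose failed validations
    within any sliding window of `window` reach `min_failures`.

    A dictionary attack shows up as many failures against many accounts from
    one source in a short time; a success from the same source right after
    the burst is the case an analyst most needs to see."""
    by_ws = defaultdict(list)
    for ev in events:
        by_ws[ev["workstation"]].append(ev)

    findings = []
    for ws, evs in by_ws.items():
        evs.sort(key=lambda e: e["time"])
        fails = [e for e in evs if e["code"] != "0x0"]
        best, best_range, left = 0, None, 0
        for right in range(len(fails)):
            while fails[right]["time"] - fails[left]["time"] > window:
                left += 1
            if right - left + 1 > best:
                best = right - left + 1
                best_range = (fails[left]["time"], fails[right]["time"])
        if best < min_failures:
            continue
        start, end = best_range
        burst = [e for e in fails if start <= e["time"] <= end]
        later_success = [e for e in evs if e["code"] == "0x0" and e["time"] >= end]
        findings.append({
            "workstation": ws,
            "failures": best,
            "accounts": sorted({e["account"] for e in burst}),
            "reasons": sorted({ERROR_CODES.get(e["code"], e["code"]) for e in burst}),
            "success_after": later_success[0]["account"] if later_success else None,
        })
    return findings


if __name__ == "__main__":
    for f in find_guessing_bursts(parse_events(SAMPLE_EVENTS)):
        print(f"{f['workstation']}: {f['failures']} failures against "
              f"{len(f['accounts'])} accounts ({', '.join(f['reasons'])}); "
              f"success afterwards: {f['success_after']}")
```

The single FILESRV failure never reaches the threshold, so a user mistyping a password does not alert; WS01 does, and the finding carries the account that succeeded right after the burst, which is the one to reset first. The mix of "user name does not exist" and "wrong password" reasons is itself a tell that the attacker is working from a guessed username list.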


Capturing NTDS.dit

What is NTDS.dit?

  • Located at %SystemRoot%\NTDS\NTDS.dit

  • Contains all AD user accounts, password hashes, and schema info


Connecting to a DC with Evil-WinRM

Check User Privileges:

  • Check whether the user is in the Administrators or Domain Admins group.

  • To copy the NTDS.dit file we need local admin (Administrators group) or Domain Admin (Domain Admins group) rights, or the equivalent, so confirm that the account has local admin rights on the DC and check what domain privileges it holds.


Creating a Shadow Copy of NTDS.dit

Copy the File:

We can then copy NTDS.dit out of the volume shadow copy of C: to another location on the drive, ready to move it to our attack host.

Transfer it to the attack host over an SMB share:

  1. Create an SMB share on the attack host.

  2. Move or copy the file across to it.


Quick Method: Dumping NTDS.dit with CrackMapExec

  • Dumps NTDS directly in terminal

  • Saves all retrieved hashes for further use


Cracking Hashes

Use Hashcat to crack NT hashes:

Output: 64f12cddaa88057e06a81b54e73b949b:Password1


Pass-the-Hash (PtH)

Even if a hash can't be cracked, it can still be used to authenticate by passing it around the network (pass-the-hash):

Useful for lateral movement within the network.


Defensive Takeaways

  • Monitor for Event ID 4776

  • Enforce account lockout policies

  • Harden access to NTDS.dit (limit admin privileges)

  • Regularly audit & monitor for VSS misuse
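One way to act on the last two takeaways, as an added example that is not part of the original notes: a detector for the shadow-copy route to NTDS.dit, run over process-creation events. It assumes Security Event ID 4688 (process creation) is enabled on domain controllers with the "Include command line in process creation events" policy turned on, and reads a constructed, simplified export of those events (timestamp, host, account, command line). The rule names and patterns are this example's own, written in the style of public detection rules for the technique; the routine SYSTEM "list shadows" call is there to show that ordinary VSS use must not alert on its own.

```python
"""Detect the shadow-copy route to NTDS.dit from process-creation logs.

Added example, not from the original notes. Assumes Event ID 4688 with
command-line logging is on. The log lines are constructed and simplified to
"timestamp | host | account | command line"; the rule patterns are this
example's own.
"""
import re
from collections import defaultdict

# (rule name, regex applied to the lower-cased command line)
RULES = [
    ("vss_snapshot_created", re.compile(r"\bvssadmin(\.exe)?\b.*\bcreate\s+shadow\b")),
    ("diskshadow_used", re.compile(r"\bdiskshadow(\.exe)?\b")),
    ("ntds_copied_from_shadow", re.compile(r"harddiskvolumeshadowcopy\d+.*\bntds\.dit\b")),
    ("ntds_dit_referenced", re.compile(r"\bntds\.dit\b")),
]
SNAPSHOT_RULES = {"vss_snapshot_created", "diskshadow_used"}
NTDS_RULES = {"ntds_copied_from_shadow", "ntds_dit_referenced"}

# Constructed sample. The SYSTEM "list shadows" call is routine and must not alert.
SAMPLE_4688 = r"""
2024-05-01T11:00:00 | DC01 | NT AUTHORITY\SYSTEM | vssadmin.exe list shadows
2024-05-01T11:02:10 | DC01 | CORP\bsmith | vssadmin.exe create shadow /for=C:
2024-05-01T11:02:40 | DC01 | CORP\bsmith | cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit C:\Temp\NTDS.dit
2024-05-01T12:00:00 | WS07 | CORP\mjones | notepad.exe C:\Users\mjones\notes.txt
"""


def parse_4688(text):
    """Parse the simplified 'ts | host | account | command line' export."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, cmdline = (p.strip() for p in line.split(" | ", 3))
        events.append({"time": ts, "host": host, "user": user, "cmdline": cmdline})
    return events


def match_rules(cmdline):
    """Names of every rule whose pattern matches this command line."""
    low = cmdline.lower()
    return [name for name, rx in RULES if rx.search(low)]


def find_vss_abuse(events):
    """Group hits per (host, account). A snapshot creation plus an ntds.dit
    access by the same principal on the same host is the complete technique
    and is rated 'high'; a lone hit is 'medium' for triage, since backup
    software creates shadow copies too."""
    hits = defaultdict(set)
    for ev in events:
        for name in match_rules(ev["cmdline"]):
            hits[(ev["host"], ev["user"])].add(name)
    alerts = []
    for (host, user), names in sorted(hits.items()):
        full_chain = bool(names & SNAPSHOT_RULES) and bool(names & NTDS_RULES)
        alerts.append({
            "host": host,
            "user": user,
            "rules": sorted(names),
            "severity": "high" if full_chain else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_vss_abuse(parse_4688(SAMPLE_4688)):
        print(f"[{alert['severity']}] {alert['host']} {alert['user']}: {', '.join(alert['rules'])}")
```

Correlating by host and account is what separates this from a noisy single-pattern rule: the snapshot alone is what a backup job looks like, the ntds.dit path alone appears in legitimate maintenance, but one interactive account doing both on a domain controller within minutes is the pattern described in the sections above, and the account in the alert is the one whose privileges need reviewing.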
