By stealing the Ntds.dit file – Active Directory’s database – an attacker can extract a copy of every user’s password hash and subsequently act as any user in the domain.
How Ntds.dit Password Extraction Works
Because the Ntds.dit file is constantly in use by Active Directory, it cannot simply be copied and pasted to another drive as access will be denied. However, there are several ways around this using capabilities built into Windows, or with PowerShell libraries.
The following is a summarization of how the attack works when using VSSAdmin to steal the Ntds.dit file through the Domain Controller’s Volume Shadow Copy:
- Attacker obtains access to an Active Directory Domain Controller
- Attacker creates a Volume Shadow Copy from the system command prompt
- Attacker retrieves the Ntds.dit file from the Volume Shadow Copy
- Attacker copies the SYSTEM file from the Registry or Volume Shadow Copy as it contains the Boot Key needed to decrypt the Ntds.dit file at a later time
- Attacker deletes the Volume Shadow Copy to cover their tracks
Alternatively, using tools like PowerSploit – a PowerShell penetration testing framework – the same result could be achieved through the ability to copy a file from a raw NTFS-partitioned volume.
- Now offline (and thus undetectable), the attacker extracts password hashes from the Ntds.dit file
- Once extracted, the attacker can now use tools like Mimikatz to perform Pass-the-Hash (PtH) attacks or password cracking tools like Hashcat to obtain their clear text values
Important Notes about NTDS.dit Password Extraction:
- Before this attack can be attempted, Administrative access to an Active Directory Domain Controller (DC) is required.
- Once the hashes have been extracted or cracked, there’s no limitation to what the attacker can do with them.
Watch this brief video of a Ntds.dit Password Extraction attack in action:
Potential Solutions and Mitigating Controls for Ntds.dit Password Extraction
The best way to mitigate the risks of a successful attack against your Ntds.dit file is to limit the number of users who can log onto Domain Controllers. This includes commonly protected groups such as Domain and Enterprise Admins, but also Print Operators, Server Operators, and Account Operators. These groups should be limited, monitored for changes, and frequently recertified.
If possible, monitoring and alerting software that can detect and/or prevent users from extracting files from Volume Shadow Copies should also be leveraged to reduce the attack surface.
Ntds.dit Password Extraction Resources:
Related Attacks & Concepts: