Extracting Password Hashes from Active Directory

To extract hashes from Active Directory you must first obtain a copy of the underlying Active Directory database, ntds.dit.

For more information on the Data Store Architecture, refer to this Microsoft TechNet article.

Prerequisites

You must be logged on to a domain controller.

Extracting the Database

To extract the raw Active Directory database (ntds.dit) run the following commands from an elevated command prompt:

mkdir c:\audit
cd /d c:\audit
ntdsutil "activate instance ntds" ifm "create full C:\audit" q q q
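
Because this same ntdsutil IFM command produces a full copy of ntds.dit, it is worth alerting on whenever it runs outside a planned audit. The Python below is an added example, not part of the original post: it flags IFM exports in process-creation records and pulls out the destination folder. The record layout (host, user, image, cmdline), the sample events and the prefix matching of abbreviated ntdsutil keywords are assumptions made for this illustration.

```python
import re

# IFM "create" sub-command: optional "sysvol", a mode, optional "nodefrag",
# then the destination folder up to the closing quote or end of line.
# Keywords are matched by prefix (assumption: ntdsutil accepts abbreviations).
IFM_CREATE = re.compile(
    r'\bcr\w*\s+(?:s\w*\s+)?(?P<mode>fu\w*|ro\w*)\s+(?:nod\w*\s+)?'
    r'(?P<dest>[^"]+?)\s*(?:"|$)', re.I)

# Constructed process-creation records (the kind of data command-line
# auditing produces); hosts, users and paths are made up for this example.
EXE = r"C:\Windows\System32\ntdsutil.exe"
SAMPLE_EVENTS = [
    {"host": "DC01", "user": r"CORP\auditor", "image": EXE,
     "cmdline": r'ntdsutil "activate instance ntds" ifm "create full C:\\audit" q q q'},
    {"host": "DC02", "user": r"CORP\svc-backup", "image": EXE,
     "cmdline": r'ntdsutil.exe "ac i ntds" "ifm" "cr fu D:\Temp\x" q q'},
    {"host": "DC01", "user": r"CORP\admin", "image": EXE,
     "cmdline": 'ntdsutil "activate instance ntds" files info q q'},
    {"host": "WS07", "user": r"CORP\jdoe", "image": r"C:\Windows\System32\findstr.exe",
     "cmdline": 'findstr /c:"ntdsutil create full" runbook.txt'},
]


def detect_ifm_dump(image, cmdline):
    """Return mode and destination if the process is an ntdsutil IFM export."""
    if image.replace("/", "\\").rsplit("\\", 1)[-1].lower() != "ntdsutil.exe":
        return None
    m = IFM_CREATE.search(cmdline)
    if not m:
        return None
    mode = "full" if m.group("mode").lower().startswith("fu") else "rodc"
    # Collapse doubled backslashes so C:\\audit and C:\audit compare equal.
    dest = re.sub(r"\\{2,}", r"\\", m.group("dest").strip())
    return {"mode": mode, "dest": dest}


def scan(events):
    """Return one alert per event whose process is an ntdsutil IFM export."""
    alerts = []
    for ev in events:
        hit = detect_ifm_dump(ev["image"], ev["cmdline"])
        if hit:
            alerts.append({"host": ev["host"], "user": ev["user"], **hit})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print("ALERT ntds.dit IFM export: {host} {user} mode={mode} dest={dest}".format(**alert))
```

The extracted destination folder is the place to look for a leftover ntds.dit and SYSTEM hive once the alert has been triaged.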

Extracting the Hashes

Download the following file to c:\audit: https://github.com/Dionach/NtdsAudit/releases/download/v2.0.5/NtdsAudit.exe

From C:\audit run this command:

NtdsAudit.exe "Active Directory\ntds.dit" -s "registry\SYSTEM" -p hashes.txt --users-csv users.csv
