Extracting Password Hashes from Active Directory

Extracting hashes from Active Directory

To extract hashes from Active Directory you must first obtain a copy of the underlying Active Directory database; ntds.dit

For more information on the Data Store Architecture please refer to this Microsoft Technet article


You must be logged on to a domain controller.

Extracting the Database

To extract the raw Active Directory database (ntds.dit) run the following commands from an elevated command prompt:

mkdir c:\audit
cd audit
ntdsutil "activate instance ntds" ifm "create full C:\\audit" q q q

Extracting the Hashes

Download the following file to c:\audit: https://github.com/Dionach/NtdsAudit/releases/download/v2.0.5/NtdsAudit.exe

From C:\audit run this command: NtdsAudit.exe "Active Directory\ntds.dit" -s "registry\SYSTEM" -p hashes.txt --users-csv users.csv

Leave a Reply

To create code blocks or other preformatted text, indent by four spaces:

    This will be displayed in a monospaced font. The first four 
    spaces will be stripped off, but all other whitespace
    will be preserved.
    Markdown is turned off in code blocks:
     [This is not a link](http://example.com)

To create not a block, but an inline code span, use backticks:

Here is some inline `code`.

For more help see http://daringfireball.net/projects/markdown/syntax

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>