Extracting Password Hashes from Active Directory

Extracting hashes from Active Directory

To extract hashes from Active Directory, you must first obtain a copy of the underlying Active Directory database, ntds.dit.

For more information on the Data Store Architecture, please refer to this Microsoft TechNet article.


You must be logged on to a domain controller.

Extracting the Database

To extract the raw Active Directory database (ntds.dit) run the following commands from an elevated command prompt:

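rem Create the output folder and switch to it from any drive or directory
mkdir c:\audit
cd /d c:\audit
rem Create a full IFM copy of the database and registry hives in C:\audit
ntdsutil "activate instance ntds" ifm "create full C:\audit" q q q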

Extracting the Hashes

Download the following file to c:\audit: https://github.com/Dionach/NtdsAudit/releases/download/v2.0.5/NtdsAudit.exe

From C:\audit run this command:

NtdsAudit.exe "Active Directory\ntds.dit" -s "registry\SYSTEM" -p hashes.txt --users-csv users.csv
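The ntdsutil command used above is also worth alerting on when it runs outside a planned audit. The following is an added example, not part of the original post: a Python check that flags IFM media creation in process command lines. The sample lines, the D:\ path and the rule that only C:\audit is a sanctioned destination are constructed assumptions.

```python
import re

# Constructed process-creation command lines (the kind recorded by Windows
# event 4688 with command-line auditing); not taken from a real host.
SAMPLE_COMMAND_LINES = [
    r'ntdsutil "activate instance ntds" ifm "create full C:\audit" q q q',
    r'"C:\Windows\System32\ntdsutil.exe" "Activate Instance NTDS" "IFM" "Create Sysvol Full D:\ifm media" q q',
    r'ntdsutil.exe "activate instance ntds" files info q q',
    r'findstr /i ntdsutil C:\logs\commands.txt',
]

# Assumption: the only approved output folder is the one used on this page.
SANCTIONED_DESTINATIONS = {r"c:\audit"}

TOKEN_RE = re.compile(r'"[^"]*"|\S+')
NTDSUTIL_RE = re.compile(r'(?:^|[\\/])ntdsutil(?:\.exe)?$', re.IGNORECASE)
CREATE_RE = re.compile(
    r'^create\s+(?:sysvol\s+)?(?:full|rodc)\s+(?:nodefrag\s+)?(?P<dest>\S.*)$',
    re.IGNORECASE,
)


def detect_ifm_snapshot(command_line):
    """Return a finding for an ntdsutil IFM media creation, otherwise None."""
    # Split on whitespace, keeping each double-quoted argument as one token.
    tokens = [t.strip('"').strip() for t in TOKEN_RE.findall(command_line)]
    if not tokens or not NTDSUTIL_RE.search(tokens[0]):
        return None  # the process image is not ntdsutil
    if "ifm" not in (t.lower() for t in tokens[1:]):
        return None  # ntdsutil used for something other than IFM media
    dest = None
    for tok in tokens[1:]:
        match = CREATE_RE.match(tok)
        if match:
            dest = match.group("dest").rstrip("\\")
    # An unparsed destination is still reported, and never counts as sanctioned.
    sanctioned = dest is not None and dest.lower() in SANCTIONED_DESTINATIONS
    return {"destination": dest, "sanctioned": sanctioned, "command_line": command_line}


def scan(command_lines):
    """Return findings for every line that creates an IFM copy of ntds.dit."""
    return [f for f in map(detect_ifm_snapshot, command_lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_COMMAND_LINES):
        print(finding)
```

Findings with `sanctioned` set to False are the ones to investigate; the destination folder in any finding holds a copy of ntds.dit and the SYSTEM hive.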
