Here’s a detailed explanation of how attackers extract and crack password hashes from the NTDS.dit file using Hashcat:
🧠 What Is NTDS.dit?
The NTDS.dit file is the Active Directory database stored on domain controllers. It contains:
- User accounts and group memberships
- Password hashes (NTLM and sometimes LM)
- Other sensitive directory data
🧨 Attack Workflow: From Extraction to Cracking
1. Extract NTDS.dit and SYSTEM Hive
Since NTDS.dit is locked by the OS, attackers use methods like:
- Volume Shadow Copy (vssadmin)
- PowerSploit’s Invoke-NinjaCopy
- NTDSUtil tool
- VM snapshots (if the DC is virtualized)
They also extract the SYSTEM registry hive, which contains the Boot Key needed to decrypt password hashes.
2. Extract Hashes
Tools like DSInternals or secretsdump.py (from Impacket) are used to parse NTDS.dit, decrypt it with the Boot Key from the SYSTEM hive, and extract the hashes:
secretsdump.py -system SYSTEM -ntds NTDS.dit LOCAL
This produces output like:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
The fields are colon-separated (username:RID:LM hash:NT hash); the fourth field is the NTLM hash that Hashcat cracks.
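As an added example (not part of the original explanation, and not code from Impacket or Hashcat), the following Python parses output in the secretsdump.py format shown above and reports what a defender would want to know from an authorized dump before any cracking runs: accounts whose NT hash is the well-known hash of the empty password, accounts that still carry an LM hash, and groups of accounts sharing the same NT hash (password reuse). The sample dump is constructed; the hash values for alice, bob and legacy-svc are made-up strings, not hashes of real passwords.

```python
import re

# Well-known hash values of the empty password (public constants, not page-specific).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# One secretsdump.py account line: user:rid:lmhash:nthash:::
DUMP_LINE = re.compile(
    r"^(?P<account>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::"
)

# Constructed sample in secretsdump.py's output format. The NT hashes of alice, bob
# and legacy-svc are made-up values; legacy-svc also has a made-up non-empty LM hash.
SAMPLE_DUMP = r"""
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
CORP\alice:1105:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
CORP\bob:1106:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
CORP\legacy-svc:1200:0123456789abcdef0123456789abcdef:ffeeddccbbaa99887766554433221100:::
[*] Cleaning up...
"""


def parse_secretsdump(text):
    """Return one record per account line; status and progress lines are skipped."""
    records = []
    for line in text.splitlines():
        m = DUMP_LINE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["lm"] = rec["lm"].lower()
            rec["nt"] = rec["nt"].lower()
            records.append(rec)
    return records


def audit(records):
    """Flag the weaknesses a dump reveals without cracking anything."""
    by_nt = {}
    for r in records:
        by_nt.setdefault(r["nt"], []).append(r["account"])
    return {
        # NT hash of "" means an empty or never-set password.
        "empty_password": [r["account"] for r in records if r["nt"] == EMPTY_NT],
        # A non-empty LM hash means LM storage is still enabled for that account.
        "lm_hash_present": [r["account"] for r in records if r["lm"] != EMPTY_LM],
        # Identical NT hashes mean identical passwords across accounts.
        "shared_nt_hash": {
            nt: accts for nt, accts in by_nt.items() if len(accts) > 1 and nt != EMPTY_NT
        },
    }


if __name__ == "__main__":
    for kind, hits in audit(parse_secretsdump(SAMPLE_DUMP)).items():
        print(f"{kind}: {hits}")
```

Running it on the constructed dump reports Administrator and Guest as empty-password accounts, legacy-svc as the only account still storing an LM hash, and alice and bob as sharing a password; those three findings are remediable immediately, whatever a later Hashcat run recovers.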
3. Crack Hashes with Hashcat
Hashcat is a GPU-accelerated password cracker. For NTLM hashes, use mode -m 1000:
hashcat -m 1000 -a 0 hashes.txt wordlist.txt
- -m 1000: NTLM hash mode
- -a 0: Dictionary attack
- hashes.txt: File containing NTLM hashes
- wordlist.txt: Your password list (e.g., rockyou.txt)
Once cracked, use --show to display results:
hashcat --show -m 1000 hashes.txt
🛡️ How to Defend Against This
- Restrict access to domain controllers
- Monitor for shadow copy creation
- Use strong, complex passwords
- Enable LAPS (Local Admin Password Solution)
- Audit and alert on SYSTEM and NTDS.dit access
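An added example, not part of the original write-up: Python detection logic for the "monitor for shadow copy creation" and "alert on NTDS.dit access" items, run over a few constructed process-creation events (fields modelled on a Sysmon-style process-creation record: host, user, image, command line). It covers the extraction methods listed earlier (vssadmin, NTDSUtil, copying ntds.dit) and shows the caveat a practitioner hits first, namely that legitimate backup agents also create shadow copies, so the scanner takes an allowlist of trusted image paths. The backup-agent path in that allowlist is a made-up placeholder.

```python
# Each rule: name, plus substrings that must all appear in the normalised command line.
# Covers only the extraction methods discussed above; it is not an exhaustive rule set.
RULES = [
    ("shadow_copy_creation", ["vssadmin", "create", "shadow"]),
    ("ntdsutil_ifm_export", ["ntdsutil", "ifm"]),
    ("ntds_dit_referenced", ["ntds.dit"]),
]

# Assumption: a backup agent that legitimately creates shadow copies of the DC.
# The path is a placeholder; replace it with the software actually deployed.
ALLOWLISTED_IMAGES = {r"c:\program files\backupvendor\agent.exe"}

# Constructed sample events; hosts, users and paths are made up.
SAMPLE_EVENTS = [
    {"host": "DC01", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "vssadmin create shadow /for=C:"},
    {"host": "DC01", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\ntdsutil.exe",
     "cmdline": 'ntdsutil "ac i ntds" "ifm" "create full C:\\temp\\out" q q'},
    {"host": "DC01", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\temp\ntds.dit"},
    {"host": "DC01", "user": "NT AUTHORITY\\SYSTEM", "image": r"C:\Program Files\BackupVendor\agent.exe",
     "cmdline": "vssadmin create shadow /for=C:"},
    {"host": "DC01", "user": "CORP\\admin", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
]


def match_rule(cmdline):
    """Return the first rule name whose substrings all appear in the command line."""
    text = " ".join(cmdline.lower().split())  # case-fold and collapse whitespace
    for name, needles in RULES:
        if all(n in text for n in needles):
            return name
    return None


def scan(events, allowlist=ALLOWLISTED_IMAGES):
    """Return one alert per event that matches a rule and is not from a trusted image."""
    alerts = []
    for ev in events:
        rule = match_rule(ev["cmdline"])
        if rule is None or ev["image"].lower() in allowlist:
            continue
        alerts.append({"host": ev["host"], "user": ev["user"],
                       "rule": rule, "cmdline": ev["cmdline"]})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"{a['host']} {a['user']} {a['rule']}: {a['cmdline']}")
```

On the sample events the scanner raises three alerts (shadow copy creation, an NTDSUtil IFM export, and a command line referencing ntds.dit), suppresses the backup agent's shadow copy, and ignores the harmless "vssadmin list shadows". Substring rules on command lines are easy to evade by renaming or obfuscation, so pair them with the file-access auditing the list above recommends rather than relying on them alone.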
For a full walkthrough, check out Netwrix’s guide on NTDS.dit extraction and cracking or this ropnop blog post.