Performing a Quick Password Audit on NTDS.dit

Assumptions

You’re using the latest Kali OS.
You can contact the Domain Controller.
You have an admin account on the Domain Controller.

What is the NTDS.dit?

“The Ntds.dit file is a database that stores Active Directory data, including information about user objects, groups, and group membership. It includes the password hashes for all users in the domain.”

Getting a copy of the NTDS.dit

There are many different tools for obtaining the Ntds.dit file and extracting hashes from it, but this post covers only one of them. Others worth looking at include vssadmin (Volume Shadow Copy), NinjaCopy, and similar tools.

Impacket

In this blog, I’ll be using Impacket’s secretsdump.py.

If you’re not using Kali, you can install Impacket on Linux with pip:

pip install pyasn1
pip install impacket

Then, to dump the password hashes, use the following syntax (the `-just-dc-ntlm` option limits the output to the NTLM hashes of domain accounts):

secretsdump.py -just-dc-ntlm <DOMAIN>/<USER>@<DOMAINCONTROLLER> >> ntds.txt

It will prompt you for that user’s password, and the output is appended to ntds.txt. Each account is written as one line in the form `domain\user:rid:lmhash:nthash:::`.

John The Ripper

You can crack the hashes against a wordlist:

john --wordlist=/PATH/TO/WORDLIST /PATH/TO/HASHFILE --pot=FILENAME.pot

Cracked results are recorded in the `.pot` file. You may have to specify the hash type with `--format` (for the NT hashes produced by secretsdump, `--format=NT`).
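Once you have the secretsdump output and a john pot file, the actual audit is a matter of joining them and looking for the usual hygiene problems. The following script is an added example written for this post, not Impacket's or John's own code: it parses the `domain\user:rid:lmhash:nthash:::` lines, flags accounts with an empty password, accounts that still have an LM hash stored, groups of accounts sharing the same NT hash (reused passwords), and accounts whose hash appears in the pot file. It assumes pot lines look like `$NT$<hash>:<password>`, and the sample dump and pot contents are constructed for illustration. The report deliberately lists only account names, never plaintexts.

```python
"""Audit a secretsdump.py -just-dc-ntlm dump for weak credential hygiene (added example)."""
from collections import defaultdict

# Well-known values: the "no LM hash stored" marker and the NT hash of the empty string.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample dump in secretsdump's output format (not real accounts).
SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
CORP\\Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
CORP\\Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
CORP\\svc_backup:1105:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
CORP\\jdoe:1108:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
CORP\\DC01$:1000:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
"""

# Constructed sample pot file; assumed john format for NT hashes is $NT$<hash>:<password>.
SAMPLE_POT = "$NT$8846f7eaee8fb117ad06bdd830b7586c:password\n"


def parse_dump(text):
    """Parse dump lines into dicts; status lines starting with '[' are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("["):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            continue  # not an account line
        entries.append({
            "account": parts[0],
            "rid": int(parts[1]),
            "lm": parts[2].lower(),
            "nt": parts[3].lower(),
        })
    return entries


def parse_pot(text):
    """Return a set of NT hashes that john has cracked (plaintexts are discarded)."""
    cracked = set()
    for line in text.splitlines():
        if line.startswith("$NT$") and ":" in line:
            tag, _plaintext = line.split(":", 1)
            cracked.add(tag[len("$NT$"):].lower())
    return cracked


def audit(entries, cracked=frozenset()):
    """Compute audit findings; every finding is a list of account names."""
    findings = {"empty_password": [], "lm_hash_present": [], "cracked": [], "shared_hash": {}}
    by_nt = defaultdict(list)
    for e in entries:
        if e["nt"] == EMPTY_NT:
            findings["empty_password"].append(e["account"])
        if e["lm"] != EMPTY_LM:
            findings["lm_hash_present"].append(e["account"])  # LM storage still enabled
        if e["nt"] in cracked:
            findings["cracked"].append(e["account"])
        by_nt[e["nt"]].append(e["account"])
    # Accounts sharing a non-empty NT hash share the same password.
    findings["shared_hash"] = {
        h: accts for h, accts in by_nt.items() if len(accts) > 1 and h != EMPTY_NT
    }
    return findings


def summarize(findings, total):
    """Render findings as a short text report."""
    lines = [f"accounts audited: {total}"]
    for key in ("empty_password", "lm_hash_present", "cracked"):
        lines.append(f"{key}: {len(findings[key])} -> {', '.join(findings[key]) or '-'}")
    for h, accts in findings["shared_hash"].items():
        lines.append(f"shared NT hash {h[:8]}...: {', '.join(accts)}")
    return "\n".join(lines)


if __name__ == "__main__":
    dump_entries = parse_dump(SAMPLE_DUMP)
    print(summarize(audit(dump_entries, parse_pot(SAMPLE_POT)), len(dump_entries)))
```

To run it against a real audit, read `ntds.txt` and the pot file from disk in place of the two sample strings. Machine accounts (names ending in `$`) are included in the parse so they can be filtered or reported separately as needed.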

Wordlists

Here are some good places to get wordlists for the cracking step:

https://hashes.org (LinkedIn Breach, HIBP, etc).

https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm

https://github.com/danielmiessler/SecLists/tree/master/Passwords