Simulated Password Cracking with the NTDS.DIT Export – Part 1

To check whether passwords can be cracked or guessed by the evil-doers, we have an advantage we rarely use: by performing a simulated password crack against our existing AD users we gain the upper hand, finding the failing passwords before the bad guys do.

First we need to extract the relevant data from the DC. Whilst LSASS injection is an available method, it is NOT advisable in a production environment unless absolutely necessary, as it can crash the LSASS process and cause an outage. Since the DC is fundamentally the core of a Windows network, this can result in catastrophic outages across the environment.

Gathering the NTDS.DIT Data

First, enable shadow copies on the C:\ drive. Once enabled, collect a shadow copy of the ntds.dit file, located here:


Also obtain a binary replica of the SYSTEM hive with the following command:


You can now copy these across to a *nix box, preferably Kali, though the tools can be installed manually on any Debian-based distro if needed. Remove the originals and, if transferred via USB, erase the drive with DBAN or equivalent.

Extracting the Hashes

Exporting the tables

Once in Kali you will need to extract the users and hashes. This is done using libesedb. You can git clone it into your /opt folder (my preference) with

git clone

After cloning run

esedbexport -m tables ntds.dit

This will extract the tables from within the NTDS.DIT file. This may take a few minutes depending on the size of your database. By default it will dump all extracted data into a folder named “ntds.dit.export”.

Exporting User Data

Fire up git clone again and get a copy of NTDSXtract

git clone

Within this repo is a file named which we will be using to dump user data from the exported tables.

py /path/to/ntdsxtract/ /path/to/ntds.dit.export/datatable.X /path/to/ntds.dit.export/linktable.X /path/to/new/export/folder --syshive /path/to/sys-file --passwordhashes --lmoutfile "lmhashDump" --ntoutfile "nthashDump" --pwdformat john

This will extract the password hashes in a format the password cracker John the Ripper (JTR) can work with. The X's in datatable.X and linktable.X change each time, so check which one yours is and amend accordingly.

Collect your Hashes

Once done, go to the dump folder you exported the hashes to in the previous step. If you have any issues finding it, just use

locate lmhashDump

Check both NT and LM versions. LM might not contain any data depending on your infrastructure.
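Before handing the dumps to John, it is worth a quick sanity pass over them. The script below is an added example, not part of the original post or of NTDSXtract: it assumes the john-style output layout user:rid:lmhash:nthash::: and runs over constructed sample lines, flagging accounts with an empty NT hash (blank password), accounts that still have an LM hash stored, and groups of accounts sharing one NT hash (the same password), which are the findings to chase first.

```python
import re
from collections import defaultdict

# Well-known hash values of an empty password (public constants, not page data).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample in the assumed john/pwdump layout: user:rid:lmhash:nthash:::
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
legacy_app:1110:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
jsmith:1203:aad3b435b51404eeaad3b435b51404ee:a4f49c406510bdcab6824ee7c30fd852:::
this line is garbage and must be skipped
"""

LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

def parse_dump(text):
    """Parse dump lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            user, rid, lm, nt = m.groups()
            records.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return records

def audit(records):
    """Return the three findings worth fixing before any cracking even starts."""
    by_nt = defaultdict(list)
    for r in records:
        by_nt[r["nt"]].append(r["user"])
    return {
        # accounts whose NT hash is the empty-password hash
        "empty_password": [r["user"] for r in records if r["nt"] == EMPTY_NT],
        # accounts that still store an LM hash (LM should be disabled by policy)
        "lm_stored": [r["user"] for r in records if r["lm"] != EMPTY_LM],
        # accounts sharing a non-empty NT hash, i.e. the same password
        "shared_nt": {h: sorted(u) for h, u in by_nt.items() if len(u) > 1 and h != EMPTY_NT},
    }

if __name__ == "__main__":
    for key, value in audit(parse_dump(SAMPLE_DUMP)).items():
        print(f"{key}: {value}")
```

Run it against your real nthashDump by replacing SAMPLE_DUMP with the file contents; every finding it prints is something to remediate regardless of whether John ever cracks the hash.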

You now possess the hashes for the entire infrastructure. Next we move onto cracking with JTR!!

Part 2 here
