1. Introduction

The NTDS.dit file is the Active Directory database. It contains:

  • Data on all domain accounts (users, computers and service accounts)
  • Group membership relationships
  • The password hashes (NT hashes, plus LM hashes where they have not been disabled) of every domain account, including krbtgt and the machine accounts

Retrieving this file is equivalent to a total compromise of the domain: whoever holds it can authenticate as any account (pass-the-hash) and forge Kerberos tickets with the krbtgt hash, and obtaining it in the first place already means administrative access to a domain controller. The file is stored only on domain controllers and does not exist on other machines in the domain, although copies end up in DC backups (system state or IFM media), which must be protected with the same care.

2. How the NTDS dump works

2.1 Location

The default file path is as follows:

C:\Windows\NTDS\NTDS.dit

The location is configurable (the database can be moved with ntdsutil), so the authoritative path is the "DSA Database file" value under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.

2.2 Obstacles for an attacker

In order to retrieve this file, an attacker must overcome 3 obstacles:

  • The file is held open by the LSASS process (the AD DS service runs inside lsass.exe), which locks it and prevents a direct copy.
  • The sensitive fields (password hashes and supplemental credentials) are encrypted with a Password Encryption Key (PEK) that is itself stored encrypted in the database; decrypting it requires the boot key (SYSKEY), which is derived from the SYSTEM registry hive.
  • Administrator rights on the DC (local administrator or SYSTEM) are required to read the file or to snapshot its volume. The one exception is replication-based extraction (see secretsdump.py below), which needs only an account holding the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights on the domain, without any logon on the DC.

2.3 Extraction methods

To get around the obstacles mentioned above, several methods exist:

  • VSS (Volume Shadow Copy Service)
    Creates a snapshot (shadow copy) of the volume by briefly freezing writes to the disk, which captures a consistent point-in-time image of the volume without interrupting running processes. Inside the snapshot, NTDS.dit is not locked by LSASS and can simply be copied out.
    This can be done with vssadmin:

vssadmin create shadow /for=C:

    vssadmin prints the device path of the new shadow copy (\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN), from which the file can be copied.

Or with diskshadow via a script or in interactive mode, which exposes the snapshot as a drive letter (here Z:, so the file is then read from Z:\Windows\NTDS\NTDS.dit):

diskshadow
DISKSHADOW> set context persistent nowriters
DISKSHADOW> add volume C: alias myshadow
DISKSHADOW> create
DISKSHADOW> expose %myshadow% Z:
  • NTDSUtil
    NTDSUtil is a native Windows tool normally used for AD maintenance. Its "Install From Media" (IFM) function writes a consistent copy of the database together with the SYSTEM and SECURITY registry hives into the target directory (Active Directory\ntds.dit and registry\SYSTEM), so no separate hive extraction is needed afterwards. The command to use is as follows (each ntdsutil command is one quoted argument, and the two trailing q exit the sub-menus):

ntdsutil "ac i ntds" "ifm" "create full c:\temp\dump" q q
  • DSRM (Directory Services Restore Mode)
    DSRM is a special domain controller startup mode used to repair or restore Active Directory. In this mode, the AD DS service does not run, so the NTDS.dit file and the associated registry hives are not locked and can simply be copied. Logging on in DSRM requires the DSRM administrator password set when the DC was promoted (or the ability to reset it with ntdsutil beforehand).

In penetration testing, this approach requires explicit agreement from the customer, as it involves restarting the domain controller in restore mode, which takes that DC out of service for the duration. As RDP is not available in DSRM, access must be via the server console: vSphere if the DC is virtualized, or a remote management interface such as iLO or iDRAC if it is physical.

  • secretsdump.py
    This Impacket tool uses the directory replication protocol (MS-DRSR, exposed over the DRSUAPI RPC interface) to request account secrets from the DC exactly as a replication partner would, the same technique as DCSync. It never touches the file on disk, and it requires only an account with replication rights on the domain (by default Domain Admins, Enterprise Admins and the DC machine accounts). The -just-dc option restricts the output to the NTDS secrets (skipping SAM and LSA), and -just-dc-ntlm to NT hashes only. The command is as follows:

secretsdump.py domain/user:pass@target
  • NetExec
    NetExec implements the methods above (except DSRM) through its --ntds option (drsuapi by default, or vss). In addition, a recent ntds_dump_raw module extracts sensitive files from the domain controller by reading the disk directly and parsing the NTFS structures itself, without going through the standard Windows file API. This bypasses the LSASS lock and sidesteps file-level auditing, which greatly complicates detection by security solutions. The module is available for the SMB, WMI and WinRM protocols.

2.4 Database decryption

Certain fields of NTDS.dit (the password hashes and supplemental credentials) are encrypted with the Password Encryption Key (PEK), which is stored in the database itself, encrypted with the boot key. The boot key is derived from the SYSTEM registry hive, so the SYSTEM hive must be retrieved together with the database (reg save HKLM\SYSTEM on the DC, or the copy already included in an IFM or shadow-copy extraction). Once both elements have been obtained, secretsdump.py in local mode (the -ntds and -system options with the LOCAL target) extracts and decrypts the contents offline. When secretsdump.py is pointed directly at an online DC, the replication path returns the secrets protected only by the RPC session key, which the tool decrypts transparently, so no hive is needed.

3. Mitigations

There is no direct way of blocking access to the NTDS database without compromising the operation of domain controllers: LSASS must read it, and the replication rights that DCSync abuses are the same ones that replication between DCs relies on. The priority is therefore to keep an attacker from ever reaching a domain controller or holding replication rights: administrative tiering so that DC logon and Domain Admin-equivalent credentials are never used on workstations or member servers, and a periodic review of which principals hold DS-Replication-Get-Changes-All on the domain object.

Some XDR solutions, such as Cortex, block access to this database by default, but they can be costly. We therefore recommend proactive monitoring, including:

  • 1102: deletion of the "Security" audit log (often used to hide traces).
  • 4656: request to open a handle on an object (e.g. an attempt to access NTDS.dit).
  • 4663: access to an object protected by a SACL (read, write or modify NTDS.dit). 4656 and 4663 are only generated if "Audit Object Access / File System" is enabled and a SACL has been placed on NTDS.dit; accesses by lsass.exe are expected and should be filtered out.
  • Use of the DRSUAPI protocol: event 4662 on the domain object whose Properties contain the DS-Replication-Get-Changes (1131f6aa-9c07-11d1-f79f-00c04fc2dcd2) or DS-Replication-Get-Changes-All (1131f6ad-9c07-11d1-f79f-00c04fc2dcd2) right, requested by an account that is not a domain controller or a known legitimate replicator (such as the Microsoft Entra Connect account). This requires "Audit Directory Service Access".
  • The commands mentioned above (vssadmin, diskshadow, ntdsutil, etc.): event 4688 with command-line logging enabled, or Sysmon event 1.
  • For ntds_dump_raw: monitor any direct access to the physical disk or volume (\\.\PhysicalDrive0, \\.\C:), often associated with sequential reading of large blocks of data, which may indicate raw extraction of NTDS.dit, SYSTEM or SAM files without using the classic Windows API. Sysmon event 9 (RawAccessRead) records exactly this kind of access, with the process image and the device read.
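The indicators above as triage logic, written as an added example that is not part of the original article. It parses event XML in the form EventLogRecord.ToXml() returns, flags the events listed above, and runs over a handful of constructed sample events; the EventData field names it reads (ObjectName, ProcessName, NewProcessName, CommandLine, Properties, SubjectUserName, SubjectDomainName, Device, Image) are those of the Security and Sysmon logs, while the account, host and file names in the samples are invented.

```powershell
# Added example (not from the original article): triage of Security and Sysmon
# events for the NTDS.dit theft indicators above. The sample events at the end are
# constructed for the demo; the live Get-WinEvent pipeline is in the final comment.

function ConvertFrom-EventXml {
    # Flattens one event into Id, Provider and a Name -> value table of EventData.
    param([Parameter(Mandatory)][string]$EventXml)
    $x = [xml]$EventXml
    $data = @{}
    foreach ($node in $x.SelectNodes("//*[local-name()='EventData']/*[local-name()='Data']")) {
        $data[$node.GetAttribute('Name')] = $node.InnerText
    }
    [pscustomobject]@{
        Id       = [int]$x.SelectSingleNode("//*[local-name()='EventID']").InnerText
        Provider = $x.SelectSingleNode("//*[local-name()='Provider']").GetAttribute('Name')
        Data     = $data
    }
}

function Test-NtdsTheftIndicators {
    # Emits one finding per event that matches an NTDS.dit theft indicator.
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    begin {
        # Extended rights requested by DCSync / secretsdump over DRSUAPI:
        # DS-Replication-Get-Changes and DS-Replication-Get-Changes-All.
        $replGuids = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2', '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
        $dumpTools = '(?i)\\(vssadmin|diskshadow|ntdsutil)\.exe$'
    }
    process {
        $e = ConvertFrom-EventXml -EventXml $EventXml
        $d = $e.Data
        $reason = $null
        if ($e.Id -eq 1102) {
            $reason = 'Security audit log cleared'
        }
        elseif ($e.Id -in @(4656, 4663) -and $d['ObjectName'] -match '(?i)\\ntds\.dit$' -and
                $d['ProcessName'] -notmatch '(?i)\\lsass\.exe$') {
            # lsass.exe holds the file open legitimately; anything else is suspect,
            # including reads through a shadow copy device path.
            $reason = "handle on $($d['ObjectName']) by $($d['ProcessName'])"
        }
        elseif ($e.Id -eq 4688 -and $d['NewProcessName'] -match $dumpTools) {
            $reason = "dump tool launched: $($d['CommandLine'])"
        }
        elseif ($e.Id -eq 4662 -and ($replGuids | Where-Object { $d['Properties'] -match $_ }) -and
                $d['SubjectUserName'] -notmatch '\$$') {
            # Replication rights exercised by something other than a machine account
            # (DC accounts end in "$"). Add known replicators such as the Entra Connect
            # account to an allow list in production.
            $reason = "DRSUAPI replication request by $($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        }
        elseif ($e.Id -eq 9 -and $e.Provider -eq 'Microsoft-Windows-Sysmon') {
            # Sysmon RawAccessRead: a process read the volume through \\.\, which is
            # how raw NTFS parsers such as ntds_dump_raw bypass the file API and SACLs.
            $reason = "raw read of $($d['Device']) by $($d['Image'])"
        }
        if ($reason) {
            [pscustomobject]@{ EventId = $e.Id; Subject = $d['SubjectUserName']; Reason = $reason }
        }
    }
}

function New-SampleEvent {
    # Builds a minimal event XML in the shape ToXml() produces. Constructed test
    # data only, not an export from a real domain controller.
    param([string]$Provider, [int]$Id, [hashtable]$Data)
    $fields = foreach ($k in $Data.Keys) {
        "<Data Name='$k'>$([System.Security.SecurityElement]::Escape($Data[$k]))</Data>"
    }
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System>" +
    "<Provider Name='$Provider'/><EventID>$Id</EventID></System><EventData>$(-join $fields)</EventData></Event>"
}

$sec = 'Microsoft-Windows-Security-Auditing'
$samples = @(
    (New-SampleEvent $sec 4688 @{ SubjectUserName='jdoe'; NewProcessName='C:\Windows\System32\ntdsutil.exe'
                                CommandLine='ntdsutil "ac i ntds" "ifm" "create full c:\temp\dump" q q' })
    (New-SampleEvent $sec 4663 @{ SubjectUserName='jdoe'; ProcessName='C:\Windows\System32\cmd.exe'
                                ObjectName='\Device\HarddiskVolumeShadowCopy3\Windows\NTDS\ntds.dit' })
    (New-SampleEvent $sec 4663 @{ SubjectUserName='SYSTEM'; ProcessName='C:\Windows\System32\lsass.exe'
                                ObjectName='C:\Windows\NTDS\ntds.dit' })                  # expected, not flagged
    (New-SampleEvent $sec 4662 @{ SubjectUserName='jdoe'; SubjectDomainName='CORP'
                                Properties='{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}' })
    (New-SampleEvent $sec 4662 @{ SubjectUserName='DC02$'; SubjectDomainName='CORP'
                                Properties='{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}' })    # DC replication, not flagged
    (New-SampleEvent 'Microsoft-Windows-Sysmon' 9 @{ Image='C:\Users\jdoe\AppData\Local\Temp\rawdump.exe'
                                                    Device='\Device\HarddiskVolume2' })
    (New-SampleEvent 'Microsoft-Windows-Eventlog' 1102 @{})   # 1102 keeps its subject in UserData
)
$samples | Test-NtdsTheftIndicators | Format-Table -AutoSize

# Live use on a DC (needs the audit policies and the NTDS.dit SACL described above, plus Sysmon):
#   Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=1102,4656,4662,4663,4688 } |
#       ForEach-Object { $_.ToXml() } | Test-NtdsTheftIndicators
#   Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-Sysmon/Operational'; Id=9 } |
#       ForEach-Object { $_.ToXml() } | Test-NtdsTheftIndicators
```

Five of the seven sample events are reported (the lsass.exe access and the DC02$ replication are the expected negatives). The 1102 event stores its subject under UserData rather than EventData, so it is reported without a subject; extend ConvertFrom-EventXml if that field matters. The lsass.exe exclusion and an allow list for legitimate replicators are the two tuning points that keep this rule quiet in a healthy domain.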