During a penetration test this week I had a very interesting conversation with our security expert. He walked me through how common it is during these tests, once domain admin has been reached, to extract the password hashes of all domain users for offline cracking. These hashes are stored in a database file on the domain controller (NTDS.DIT) along with additional information such as group memberships and user details.
The NTDS.DIT file is constantly in use by the operating system and therefore cannot be copied directly to another location to extract its data. The file can be found in the following location:
There are apparently various underhanded and sneaky techniques for extracting information from this file; however, the majority of them use one of these methods:
Domain Controller Replication Services
Native Windows Binaries
My security expert mentioned a number of tools, including but not limited to Mimikatz (which uses the replication service) and Empire (DCSync attack), along with various PowerShell scripts. His tool of choice was a PowerShell script named “Invoke-DCSync”, which leverages PowerView, Invoke-ReflectivePEInjection, and a DLL wrapper of PowerKatz to retrieve hashes.
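The replication-based methods above are visible from the defender's side: a DCSync request asks the domain controller for the directory replication control access rights, and with "Audit Directory Service Access" enabled and a SACL on the domain object that request is logged as Windows Security event 4662. The script below is an added example for this post, not the author's code and not part of any of the tools named here. It scans constructed 4662 records (newline-delimited JSON, the shape a log forwarder might emit) for the two replication-right GUIDs and flags any request from an account outside an assumed allowlist of known replicators; the allowlist names and the sample events are placeholders.

```python
"""Flag Windows Security event 4662 records that request AD replication
rights from an account that is not a known replicator.

Added example for this post; not the author's code and not part of
Mimikatz, Empire, Invoke-DCSync or PowerView. All sample data is constructed.
"""
import json

# Control access right GUIDs for Active Directory replication.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# Assumption: accounts allowed to replicate. In a real deployment this is
# built from the domain controller computer accounts plus any directory-sync
# service accounts; these names are placeholders for the example.
KNOWN_REPLICATORS = {"DC01$", "DC02$"}

# Constructed sample events, one JSON object per line. ObjectType and
# Properties carry GUIDs in braces, as 4662 records do.
SAMPLE_LOG = "\n".join([
    json.dumps({"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "DC02$",
                "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
                "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"}),
    json.dumps({"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "jsmith",
                "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
                "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                              "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}),
    json.dumps({"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "jsmith",
                "ObjectType": "%{bf967aba-0de6-11d0-a285-00aa003049e2}",
                "Properties": "{bf967a68-0de6-11d0-a285-00aa003049e2}"}),
    json.dumps({"EventID": 4624, "SubjectDomainName": "CORP", "SubjectUserName": "jsmith"}),
])


def parse_events(text):
    """Parse newline-delimited JSON into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def replication_rights_in(event):
    """Return the replication-right GUIDs named in the event's Properties field."""
    props = event.get("Properties", "").lower()
    return {guid for guid in REPLICATION_RIGHTS if guid in props}


def find_dcsync_candidates(events, known_replicators=KNOWN_REPLICATORS):
    """Return one finding per 4662 event that requests replication rights
    from an account not in the allowlist."""
    findings = []
    for event in events:
        if event.get("EventID") != 4662:
            continue
        rights = replication_rights_in(event)
        if not rights:
            continue
        subject = event.get("SubjectUserName", "")
        if subject in known_replicators:
            continue
        findings.append({
            "subject": f"{event.get('SubjectDomainName', '')}\\{subject}",
            "rights": sorted(rights),
        })
    return findings


if __name__ == "__main__":
    for finding in find_dcsync_candidates(parse_events(SAMPLE_LOG)):
        print(f"replication rights requested by {finding['subject']}: {finding['rights']}")
```

Only the second sample record is flagged: the first comes from a domain controller account, the third reads an unrelated attribute, and the fourth is not a 4662 event at all. Matching the allowlist by account name is a heuristic; a compromised DC computer account would pass it, so in practice the subject's source address and logon session are worth correlating as well.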
With this revelation from my security expert, I decided to dig into what we can actually get. I then came across a very interesting blog by Sean Metcalf
This details all the attacks and how to get the data. I have linked it here for future reference, and I will be looking at some test environments going forward to see how this actually performs.