Import from NTDS.DIT/SYSTEM files

You can import domain password hashes from a Windows NTDS.DIT file together with a backup of the SYSTEM registry hive. These files are typically retrieved by copying them out of a volume shadow copy. If you have already acquired the NTDS.DIT and SYSTEM files correctly, skip to the next section. If you have not done this successfully before with other tools, read the instructions below on preparing the files for import: copying the database incorrectly easily results in a corrupted database.


Preparing NTDS.DIT and SYSTEM for Import



NTDS.DIT, the Active Directory database, is locked while the domain controller is running, which means you cannot simply copy it.


You have two options here. 'Offline dumping' takes the domain controller offline for the duration of the operation but guarantees an accurate dump. 'Online dumping' copies the database from a running domain controller, but may not capture the entire thing, because some operations may not have been fully committed at the time of the snapshot. Specifically, AD operations performed since the last reboot may not be captured. Offline dumping is preferred if possible.


OFFLINE DUMPING



To pull the NTDS.DIT, restart the domain controller in Directory Services Restore Mode (DSRM). If you need to reset the DSRM password, follow these instructions:


https://support.microsoft.com/en-us/kb/322672


To restart the server in DSRM, follow these instructions (based on https://technet.microsoft.com/en-us/library/cc794729%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396). These instructions assume Windows is installed in C:\Windows\ and the NTDS files are in C:\Windows\NTDS:


  1. 'Run As Administrator' cmd.exe to get an administrator command shell. At the command prompt, type the following command, and then press ENTER:

    bcdedit /set safeboot dsrepair

  2. At the command prompt, type the following command, and then press ENTER:

    shutdown -t 0 -r

    The domain controller restarts in Directory Services Restore Mode. If you are connected over RDP when the domain controller restarts, your Remote Desktop Connection is dropped. Wait for a period of time that is adequate for the remote domain controller to restart, and then open Remote Desktop Connection.

  3. The domain controller name should still be showing in Computer. If it is not, select it in the list, and then click Connect.
    In the Windows Security dialog box, click Use another account.

    In User name, type the following:
    MachineName\Administrator
    Where MachineName is the name of the domain controller.

  4. In Password, type the Directory Services Restore Mode password, and then click OK.
  5. At the logon screen of the remote domain controller, click Switch User, and then click Other User.
  6. Type MachineName\Administrator, and then press ENTER.
  7. Once logged in, open an administrative command prompt and type the following commands:

    cd %TEMP%
    mkdir ntdscopy
    cd ntdscopy
    copy c:\windows\ntds .
    reg save HKLM\SYSTEM SYSTEM


  8. Take this 'ntdscopy' folder and copy it to the machine you're running L0phtCrack on, and use the Import NTDS.DIT/SYSTEM option to import the two files, 'NTDS.DIT' and 'SYSTEM'.
  9. To return to normal operation, take the system out of DSRM by running the following commands in the administrative command prompt:

    bcdedit /deletevalue safeboot
    shutdown -t 0 -r


ONLINE DUMPING


To pull the NTDS.DIT and the SYSTEM hive from a running domain controller, assuming Windows is installed in C:\Windows\ and the NTDS files are in C:\Windows\NTDS:


  1. 'Run As Administrator' cmd.exe to get an administrator command shell.

  2. In that command shell, run the following (substituting for c: whichever drive Windows and the NTDS folder are installed on):

    vssadmin create shadow /for=c:

  3. Note the 'Shadow Copy ID' and 'Shadow Copy Volume Name' in the command output, which looks like this:

    vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
    (C) Copyright 2001 Microsoft Corp.
    Successfully created shadow copy for 'c:\'
    Shadow Copy ID: {..guid..}
    Shadow Copy Volume Name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1

  4. Switch to a temporary directory, and make a folder to work in:

    cd %TEMP%
    mkdir ntdscopy
    cd ntdscopy

  5. Copy the NTDS.DIT and EDB files from the C:\Windows\NTDS folder (substituting the 'Shadow Copy Volume Name' from above if it differs):

    copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\* .

  6. Repair the NTDS.DIT, since it was copied while it was still open:

    esentutl /p ntds.dit

  7. Also copy the SYSTEM registry hive, which is needed to decrypt the NTDS.DIT data:

    reg save HKLM\SYSTEM SYSTEM

  8. Take this 'ntdscopy' folder and copy it to the machine you're running L0phtCrack on, and use the Import NTDS.DIT/SYSTEM option to import the two files, 'NTDS.DIT' and 'SYSTEM'.

  9. Optionally remove the volume shadow copy with either of these two commands. To delete all shadow copies for the volume (only if you have no other volume shadow copies):

    vssadmin delete shadows /for=c:

    To delete just the specific shadow copy you created, substituting the 'Shadow Copy ID' from above for '{..guid..}':

    vssadmin delete shadows /shadow={..guid..}
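
The commands in both procedures above (vssadmin create shadow, copying the NTDS folder out of a HarddiskVolumeShadowCopy path, esentutl /p ntds.dit, reg save HKLM\SYSTEM, and bcdedit /set safeboot dsrepair) are also exactly what a defender should watch for on a domain controller: each is routine administration on its own, but several of them on one host in a short window is not. The following Python is an added example and not part of L0phtCrack or this help page. It scans constructed command-line records (a made-up pipe-delimited format standing in for process-creation audit or EDR telemetry) for those steps and alerts only when a host shows two or more distinct steps within 30 minutes. Note that copy is a cmd.exe builtin, so in practice that step surfaces through file-access telemetry rather than a process-creation event; the sample treats it as a logged command line for simplicity.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed command-line records for this example (timestamp|host|user|command line).
# They are not real telemetry; they mirror the commands shown in the procedures above.
SAMPLE_EVENTS = r"""
2024-03-01T09:00:12Z|DC01|CORP\admin|C:\Windows\System32\cmd.exe /c whoami
2024-03-01T09:02:44Z|DC01|CORP\admin|vssadmin create shadow /for=c:
2024-03-01T09:03:10Z|DC01|CORP\admin|copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\* .
2024-03-01T09:03:30Z|DC01|CORP\admin|esentutl /p ntds.dit
2024-03-01T09:04:01Z|DC01|CORP\admin|reg save HKLM\SYSTEM SYSTEM
2024-03-01T11:15:00Z|FS02|CORP\backupsvc|vssadmin create shadow /for=d:
2024-03-01T12:00:00Z|DC02|CORP\svc-ops|bcdedit /set safeboot dsrepair
"""

# One indicator per step of the offline or online dumping procedure. Any single
# one is also legitimate (backups, ESE repair, DSRM maintenance), which is why
# the alert below requires several distinct steps inside a time window.
INDICATORS = [
    ("vss_create", re.compile(r"\bvssadmin(\.exe)?\b.*\bcreate\b.*\bshadow\b", re.I)),
    ("ntds_from_shadow", re.compile(r"harddiskvolumeshadowcopy\d+\\windows\\ntds", re.I)),
    ("esentutl_repair_ntds", re.compile(r"\besentutl(\.exe)?\b.*/p\b.*ntds\.dit", re.I)),
    ("system_hive_export", re.compile(r"\breg(\.exe)?\s+save\s+hklm\\system\b", re.I)),
    ("dsrm_boot_set", re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\s+dsrepair\b", re.I)),
]


def parse_event(line):
    """Split one pipe-delimited record into its fields."""
    ts, host, user, cmd = line.split("|", 3)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "user": user, "cmd": cmd}


def scan(text):
    """Return one hit per (record, indicator) pair."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        for name, rx in INDICATORS:
            if rx.search(ev["cmd"]):
                hits.append({**ev, "name": name})
    return hits


def correlate(hits, window=timedelta(minutes=30), min_indicators=2):
    """Raise one alert per host whose hits cover at least min_indicators
    distinct steps inside a sliding time window."""
    by_host = defaultdict(list)
    for h in hits:
        by_host[h["host"]].append(h)
    alerts = []
    for host, hs in by_host.items():
        hs.sort(key=lambda h: h["ts"])
        for i, first in enumerate(hs):
            names = {first["name"]}
            for later in hs[i + 1:]:
                if later["ts"] - first["ts"] > window:
                    break
                names.add(later["name"])
            if len(names) >= min_indicators:
                alerts.append({"host": host, "user": first["user"],
                               "start": first["ts"], "indicators": sorted(names)})
                break  # report only the first qualifying window per host
    return alerts


if __name__ == "__main__":
    for a in correlate(scan(SAMPLE_EVENTS)):
        print(f"{a['host']} {a['start']:%H:%M} {a['user']}: {', '.join(a['indicators'])}")
```

On the sample data only DC01 alerts, with all four online-dumping steps; FS02 (a single shadow copy creation) and DC02 (a single DSRM boot setting) stay below the threshold and would be candidates for lower-severity review rather than an alert.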


Importing the NTDS.DIT and System Files


Browse to the NTDS.DIT file, then browse to the SYSTEM file; both files are required. Select Keep Currently Imported Accounts if you are adding this import to accounts (hashes) you have already imported; if this option is not selected, the import overwrites any previously imported accounts. You can also set a limit on the number of accounts to import.


You are now ready to select your audit settings.