Attacking Active Directory & NTDS.dit

Hi guys,

I'm stuck with this box: On an engagement you have gone on several social media sites and found the Inlanefreight employee names: John Marston IT Director, Carol Johnson Financial Controller and Jennifer Stapleton Logistics Manager. You decide to use these names to conduct your password attacks against the target domain controller. Submit John Marston's credentials as the answer. (Format: username:password, Case-Sensitive)

Problem: I made a wordlist with the users, and I used the wordlists fence, rockyou-10, and fasttrack… I don't know if the user wordlist that I made is correct or if the password file is not one of these…

Can anybody help me?

I found it, sorry guys…
using the wordlist made with username-anarchy, and the wordlist is fasttrack…

Hey there, can you share some more details on this:

I’m having trouble getting the method you described to work.


What have you tried so far? DM me if you need assistance

Hey, I also got stuck on question 3. Although I have found credentials for Carlos and Jessica, I can't get onto evil-winrm with those since it throws an authentication failed error, and I cannot get the ntds.dit file. Am I on the right track?

You’re in the Attacking Active Directory & NTDS.dit section, right?

Have you looked at the hint? It tells you the potential username, but even without that, you could use the previous sections to create the possible usernames from the three people's names. But to save time, have a guess about which role would have access to the DC and use the hint to guess the username format…

Then you want to attack the domain controller to obtain the credentials you need to steal the NTDS. Just use crackmapexec, don’t worry about winrm.

The command is below, but it is also explained in the section:

crackmapexec smb $IP -u /Username/or/path/to/list -p /usr/share/wordlists/fasttrack.txt

That will give you a username and password for question 3. Those credentials can then be used to steal the NTDS file. Again, use crackmapexec, it’s so much easier:

crackmapexec smb $IP -u $USERNAME -p $PASSWORD --ntds

The output of that last command will contain the hash to Jessica’s account that you need to crack. Let me know if you need help with that part - I’ll be online for a few hours.


I got both of them thank you.


Your post gave me a ton of ideas ;) on how to tackle this problem ;) I still struggle quite a lot to make these inferences, thank you ;)

Hi guys,

After I created the shadow copy, I couldn't copy it to a different location, but with the CME options it worked fine. Also, after I created username.list for cracking the username and password for the target, CME didn't go through username.list… any advice on this?

PS: I already completed this module, but some options are still unclear.