
From Piszczynski
Revision as of 15:56, 24 December 2022 by piszczynski>Aleks

Get Backup of ntds.dit

For testing passwords for Active Directory you will need to obtain the password hashes, which are stored in the ntds.dit file. By default it is located in C:\Windows\NTDS on the domain controllers.

Use ntdsutil to create a backup:

  • ntdsutil
    • ac i ntds (short for "activate instance ntds")
      • ifm
        • create full C:\temp\ntdsbackup

PowerShell module DSInternals for getting info from ntds

There is a useful PowerShell module, DSInternals, for accessing and manipulating the ntds information. It can be installed with:

  • Install-Module -Name DSInternals

Extract content of ntds.dit

First, get the so-called Boot Key (aka SysKey) that is used to encrypt sensitive data in AD:

  • $key = Get-BootKey -SystemHiveFilePath 'C:\temp\ntdsbackup\registry\SYSTEM'

We then load the database and decrypt the password hashes of all accounts:

  • Get-ADDBAccount -All -DBPath 'C:\temp\ntdsbackup\Active Directory\ntds.dit' -BootKey $key

We can also get a single account by specifying its distinguishedName, objectGuid, objectSid or sAMAccountName attribute:

  • Get-ADDBAccount -DistinguishedName 'CN=krbtgt,CN=Users,DC=Adatum,DC=com' -DBPath 'C:\temp\ntdsbackup\Active Directory\ntds.dit' -BootKey $key

Create security check against known passwords from

Get the NTLM password hash dictionary:

Get the ntds.dit of the Active Directory whose accounts you want to check.

Then run the commands below to load the accounts, decrypt the hashes and compare them against the hash dictionary:

  • Import-Module DSInternals
    • $key = Get-BootKey -SystemHiveFilePath C:\Temp\ntdsbackup\registry\SYSTEM
      • Get-ADDBAccount -All -DBPath "C:\Temp\ntdsbackup\Active Directory\ntds.dit" -BootKey $key | Test-PasswordQuality -WeakPasswordHashesFile C:\temp\hashdictionary\pwned-passwords-ntlm-ordered-by-hash-v8.txt

The output can be written to a file if required, or reviewed in the console.
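As an added example (not from the original page), the following script ties the steps above together and writes the report to a file, as suggested in the last sentence. It assumes the same backup and dictionary paths as above, and uses the DSInternals -WeakPasswordHashesSortedFile parameter, which is meant for the HIBP list that is already ordered by hash.

```powershell
# Added example: end-to-end password audit of an IFM backup with DSInternals.
# Paths below are assumptions matching the locations used earlier on this page.
Import-Module DSInternals

$backup   = 'C:\Temp\ntdsbackup'   # IFM backup created with ntdsutil
$hashFile = 'C:\temp\hashdictionary\pwned-passwords-ntlm-ordered-by-hash-v8.txt'
$report   = "C:\temp\password-audit-$(Get-Date -Format 'yyyyMMdd-HHmm').txt"

# Boot key (SysKey) comes from the SYSTEM hive inside the backup's registry folder.
$key = Get-BootKey -SystemHiveFilePath (Join-Path $backup 'registry\SYSTEM')

# The HIBP file is ordered by hash, so the sorted-file parameter lets DSInternals
# search it efficiently instead of loading the whole list into memory.
Get-ADDBAccount -All -DBPath (Join-Path $backup 'Active Directory\ntds.dit') -BootKey $key |
    Test-PasswordQuality -WeakPasswordHashesSortedFile $hashFile |
    Out-File -FilePath $report

# Show the saved report in the console as well.
Get-Content -Path $report
```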