AD Series: Using Evil-WinRM to Get NTDS Manually


It’s been a while since my last post in our AD Series, Resource Based Constrained Delegation (RBCD). As is often the case, this blog came out of a frustrating issue on one of my internal penetration tests. I figured that others may benefit from the steps I took to turn frustration into success, so read on to learn more.

The EDR Roadblock

During a recent internal assessment, I gained Domain Administrator (DA) access. Normally, after getting DA, I use secretsdump.py from impacket to pull a copy of the NTDS file so I can crack users' passwords. This time, however, the EDR stepped in and prevented me from making a copy of NTDS.dit.

Naturally, I tried secretsdump's -use-vss option to see whether going through the Volume Shadow Copy Service would get me the NTDS file. That also errored out, blocked by the EDR.

To cover all the bases, I then tried NetExec with the --ntds flag, but I ran into the same issue.

All in all, none of my usual methods worked, so I logged in with Evil-WinRM and set about getting NTDS manually.

Downloading NTDS Manually

There are two approaches that get brought up a lot when copying NTDS manually:

  1. Using VSS
  2. Using Ntdsutil

Since VSS got flagged when I tried to use it in the tool, I decided to start with Ntdsutil.

A single ntdsutil command creates an Install From Media (IFM) set, which contains ntds.dit along with the SYSTEM and SECURITY hives:

powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"

When this works, download the files it creates (ntds.dit under the Active Directory folder and the SYSTEM and SECURITY hives under the registry folder of the output directory) and run secretsdump offline, passing the SYSTEM and SECURITY hives alongside the database:

secretsdump.py -system [SYSTEM] -security [SECURITY] -ntds [ntds.dit] local

Running the powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q" command

Now, when I tried this, my WinRM session got terminated. Logging back in revealed that, while files were created, none of them were the correct size (not even close).

An Aside About the Registry Real Quick

There are other ways of downloading the SYSTEM and SECURITY registry hives. What I found most interesting is that many EDRs flag the reg save command, which is what most tools use to dump the hives. There is another option, though: reg export. In my experience, reg export saved the information without being flagged by the EDR. The only issue is that it writes a .reg text file rather than a binary hive, a format the usual tools don't accept.

This is easily fixed by importing the exported data into a Windows VM and running reg save there to get the files into the expected hive format. Do note that reg export loses some data, because a .reg file is a text listing of keys and values rather than a true hive. The main casualty is the bootkey: it is stored in the class names of the JD, Skew1, GBG and Data subkeys under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, and .reg files do not record class names at all. That bootkey happens to be the only reason you need the SYSTEM hive when extracting user hashes from NTDS (the SECURITY hive is only needed for LSA secrets and cached credentials, not for NTDS).

Luckily, before it tries to save anything, secretsdump retrieves the bootkey from the remote registry and prints it out. So, all you need to do is take that key and pass it to secretsdump with -bootkey once you have successfully downloaded NTDS.

Secretsdump retrieving the bootkey

Also note: if you mindlessly import the exported registry hives without changing the key paths, you will overwrite your own machine's keys, resulting in a very sad Windows machine that won't work and will need a reset. So do change the keys: edit the [HKEY_LOCAL_MACHINE\SYSTEM\...] paths in the .reg file so they sit under a scratch key before importing, and reg save that scratch key instead.

This pull request describes some recent changes that allow impacket to parse exported keys natively.

And Now Back to NTDS

After playing around with the registry hives for longer than I actually needed to (because I had missed the fact that I already had the bootkey), I went back to downloading NTDS.

Since the Ntdsutil command didn’t work out for me, I decided to give VSS a manual try.

Initially I created a shadow for the C drive with vssadmin create shadow /for=C:

Trying the vssadmin create shadow /for=C command

After that I navigated to where ntds.dit would be on the shadow copy and tried to copy it, but after the copy command there was no ntds.dit.

NTDS.dit was not downloaded

Eventually I went over to LOLBAS and looked for different tools that might let me dump or make a copy of a file.

I found that esentutl.exe can copy files, including locked files like NTDS.dit, by reading them through a VSS snapshot with its /vss switch:

esentutl.exe /y /vss c:\windows\ntds\ntds.dit /d c:\temp\ntds.bak

So, I grabbed the command and tried it out.

Trying the esentutl.exe /y /vss c:\windows\ntds\ntds.dit /d c:\temp\ntds.bak command

Next thing I know, I get an operation succeeded message. I use ls to view the files and find an ntds.bak of the right size looking back at me, which I promptly download with Evil-WinRM's download command.

That command succeeded in downloading ntds.bak

After downloading the file, I ran secretsdump against it with the bootkey I had captured earlier, and I was presented with a series of user hashes, which I then got to cracking.

Passing the ntds.bak file to secretsdump provides hashes to crack

I will note that you don't need the leading 0x for the bootkey, just the hexadecimal value after it.

Thanks for Reading

I hope this walkthrough of getting NTDS manually has been helpful. Please check back for more tutorials in all of our How To series.

