From 9368d214b6e9cdaf0f0599fe4bb762e07d7071a3 Mon Sep 17 00:00:00 2001 From: Virgile Jarry Date: Thu, 1 Jun 2023 07:14:16 +0200 Subject: [PATCH] Update README.md Adds reference to ntdsdotsqlite. --- windows-hardening/stealing-credentials/README.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/windows-hardening/stealing-credentials/README.md b/windows-hardening/stealing-credentials/README.md index a0b40750a..8ea87457f 100644 --- a/windows-hardening/stealing-credentials/README.md +++ b/windows-hardening/stealing-credentials/README.md @@ -291,6 +291,16 @@ For **big NTDS.dit files** it's recommend to extract it using [gosecretsdump](ht Finally, you can also use the **metasploit module**: _post/windows/gather/credentials/domain\_hashdump_ or **mimikatz** `lsadump::lsa /inject` +### **Extracting domain objects from NTDS.dit to an SQLite database** + +NTDS objects can be extracted to an SQLite database with [ntdsdotsqlite](https://github.com/almandin/ntdsdotsqlite). Not only secrets are extracted but also the entire objects and their attributes for further information extraction when the raw NTDS.dit file is already retrieved. + +``` +ntdsdotsqlite ntds.dit -o ntds.sqlite --system SYSTEM.hive +``` + +The `SYSTEM` hive is optional but allow for secrets decryption (NT & LM hashes, supplemental credentials such as cleartext passwords, kerberos or trust keys, NT & LM password histories). Along with other information, the following data is extracted : user and machine accounts with their hashes, UAC flags, timestamp for last logon and password change, accounts description, names, UPN, SPN, groups and recursive memberships, organizational units tree and membership, trusted domains with trusts type, direction and attributes... + ## Lazagne Download the binary from [here](https://github.com/AlessandroZ/LaZagne/releases). you can use this binary to extract credentials from several software.