Extracting domain credentials

Dumping domain credentials for password audits.

Step 1: Obtain SYSTEM and NTDS.dit files

• SAM and SYSTEM live in C:\Windows\System32\config
• NTDS.dit lives in C:\Windows\ntds\NTDS.dit

Armed with this information, you can forget all of it, because FTK Imager Lite will grab it for you. Use Obtain Protected Files option. I grabbed everything with "Password recovery and all registry files". The SAM file is only necessary for end user computers if you want to crack locally stored passwords.

Step 2: Download the newest libesedb from https://github.com/libyal/libesedb/releases

• cd libesedb-2050409
• chmod +x configure
• ./configure
• make
• You can optionally extract the database you need at this point, but esedbxtract will do it for you. If you want it anyway, the steps are...
  • cd esedbtools/
  • ./esedbexport ~/Desktop/ntds.dit
  • cd ntds.dit.export
  • ls

Download esedbxtract from https://bitbucket.org/grimhacker/esedbxtract

• Documentation: http://grimhacker.com/wordpress/2014/09/27/esedbxtract/
• python esedbxtract.py -P -s <system file> -n <ntds.dit file> --esedbexport ~/ntdsextract/libesedb-20150409/esedbtools/esedbexport
• This will take a while, no joke, unless you just have a tiny active directory. When it finishes you should have file in pwdump format.