Dumping domain credentials for password audits.
Step 1: Obtain SYSTEM and NTDS.dit files
- SAM and SYSTEM live in C:\Windows\System32\config
- NTDS.dit lives in C:\Windows\ntds\NTDS.dit
Armed with this information, you can forget all of it, because FTK Imager Lite will grab it for you. Use Obtain Protected Files option. I grabbed everything with "Password recovery and all registry files". The SAM file is only necessary for end user computers if you want to crack locally stored passwords.
Step 2: Download the newest libesedb from https://github.com/libyal/libesedb/releases
chmod +x configure
- You can optionally extract the database you need at this point, but esedbxtract will do it for you. If you want it anyway, the steps are...
Download esedbxtract from https://bitbucket.org/grimhacker/esedbxtract
- Documentation: http://grimhacker.com/wordpress/2014/09/27/esedbxtract/
python esedbxtract.py -P -s <system file> -n <ntds.dit file> --esedbexport ~/ntdsextract/libesedb-20150409/esedbtools/esedbexport
- This will take a while, no joke, unless you just have a tiny active directory. When it finishes you should have file in pwdump format.