Just added a tool for offline Active Directory password hash extraction.
It has very basic functionality right now but much more is planned.
Command line application that runs on Windows only at the moment.
ntds_decode -s <FILE> -d <FILE> -m -i
-s <FILE> : SYSTEM registry hive
-d <FILE> : Active Directory database
-m : Machines (omitted by default)
-i : Inactive, Locked or Disabled accounts (omitted by default)
The SYSTEM registry hive and Active Directory database are from a domain controller.
These files are obviously locked so you need to backup using the Volume Shadow Copy Service.
The output format is similar to pwdump and only runs on Windows at the moment.
LM and NTLM hashes are extracted from active user accounts only.
ntds_decode mounts the SYSTEM file so Administrator access is required on the computer you run it on.
If you’re an experienced pen tester or Administrator that would like to test this tool, you can grab from here
It’s advisable you don’t use the tool unless you know what you’re doing.
Source isn’t provided at the moment because it’s too early to release.
If you have questions about it, feel free to e-mail the address provided in README.txt