Active Directory Password Hash Extraction

Just added a tool for offline Active Directory password hash extraction.
It has very basic functionality right now but much more is planned.

Command line application that runs on Windows only at the moment.

  ntds_decode -s <FILE> -d <FILE> -m -i

    -s <FILE> : SYSTEM registry hive
    -d <FILE> : Active Directory database
    -m        : Machines (omitted by default)
    -i        : Inactive, Locked or Disabled accounts (omitted by default)

The SYSTEM registry hive and Active Directory database are from a domain controller.
These files are obviously locked so you need to backup using the Volume Shadow Copy Service.

The output format is similar to pwdump and only runs on Windows at the moment.
LM and NTLM hashes are extracted from active user accounts only.

ntds_decode mounts the SYSTEM file so Administrator access is required on the computer you run it on.

If you’re an experienced pen tester or Administrator that would like to test this tool, you can grab from here

It’s advisable you don’t use the tool unless you know what you’re doing.
Source isn’t provided at the moment because it’s too early to release.

If you have questions about it, feel free to e-mail the address provided in README.txt

5 thoughts on “Active Directory Password Hash Extraction

  1. Brilliant ! It was time someone wrote this.. There are already 2 commercial projects.. One from Elcomsoft and other I cannot recollect.


    • I’ll definitely release source eventually…maybe in a month or 2, we’ll see. I have to finish something else first.

  2. Please remove (or make it an option) the check for the shutdown to not be completed successfully. (JET_errdatabaseDirtyShutdown). Pentesters need to grab the NTDS.dit from a running system (or backup / shadow copy) and it is RARE to get a totally clean file.

    The other tools that run in the UNIX world will still work on the “dirty” version.

    • Yeah, this is a limitation of the ESENT API which ntds_decode uses.
      As a work around, you can try repairing with ESENTUTL /p

      It doesn’t always work, but worth a try.

Leave a Reply to User Cancel reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>