In this article we explore the options to acquire information from an online or offline Microsoft Active Directory database and its encryption keys. We will use this to recover the contained usernames and password hashes for password auditing or penetration testing purposes.
Microsoft stores the Active Directory data in tables in a proprietary ESE database format. The database is contained in the NTDS.dit file. This file is encrypted to prevent any data extraction, so we need to acquire the key before we can extract the target data. The required Password Encryption Key (PEK) is stored in the NTDS.dit file, but is itself encrypted with the BOOTKEY. To obtain this BOOTKEY, we need a copy of the SYSTEM registry hive from the same Domain Controller from which we acquired the NTDS.dit file.
So in order to perform this attack, we need a copy of both the NTDS.dit file and the SYSTEM hive. This is not too difficult in many situations. The required files can be collected from a backup tape that was stolen or simply found in a recycle bin (this is why media sanitization is so important). Another option is to use a preconfigured RDP client with an administrative account to access a domain controller. Sometimes administrator passwords are common knowledge within an organization or its IT department. Quite often they are found on sticky notes next to the console.
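As an added example (not from the original article), a small audit script for the file pairing just described: it walks a restored backup set or mounted tape image and reports every Windows volume that holds both ntds.dit and the SYSTEM hive, which is the combination that turns discarded media into a complete credential set. The sample tree it builds is constructed, and the default locations it assumes are the standard Windows/NTDS/ntds.dit and Windows/System32/config/SYSTEM.

```python
"""Audit a restored backup or mounted tape image for the pairing the article
describes: ntds.dit together with the SYSTEM hive that holds the BOOTKEY.
Added example, not from the original article; the sample tree is constructed.
Assumed default paths: Windows/NTDS/ntds.dit, Windows/System32/config/SYSTEM."""
import os
import tempfile

NTDS_SUFFIX = ("windows", "ntds", "ntds.dit")
SYSTEM_SUFFIX = ("windows", "system32", "config", "system")

def volume_root(path, suffix):
    """Volume root if path ends with suffix (case-insensitive), else None."""
    parts = path.replace("\\", "/").split("/")
    if len(parts) < len(suffix):
        return None
    if tuple(p.lower() for p in parts[-len(suffix):]) != suffix:
        return None
    return "/".join(parts[:-len(suffix)])

def find_exposed_volumes(root):
    """Return (complete, partial): volumes holding both files vs. only one.
    Both together are a full credential set, which is why backup media
    must be sanitized before disposal."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            for key, suffix in (("ntds", NTDS_SUFFIX), ("system", SYSTEM_SUFFIX)):
                vol = volume_root(full, suffix)
                if vol is not None:
                    found.setdefault(vol, {})[key] = full
    complete = {v: f for v, f in found.items() if len(f) == 2}
    partial = {v: f for v, f in found.items() if len(f) == 1}
    return complete, partial

def build_sample_tree():
    """Constructed layout: dc01 is a full DC backup, srv02 a member server."""
    base = tempfile.mkdtemp(prefix="backup_audit_")
    for rel in ("dc01/Windows/NTDS/ntds.dit",
                "dc01/Windows/System32/config/SYSTEM",
                "srv02/Windows/System32/config/SYSTEM"):
        p = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        open(p, "wb").close()
    return base

if __name__ == "__main__":
    complete, partial = find_exposed_volumes(build_sample_tree())
    print("complete credential sets:", list(complete))
    print("partial (one file only):", list(partial))
```

Point `find_exposed_volumes` at the mount point of real backup media instead of the sample tree to check what a lost tape would have handed over.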