Ntds.dit Hash Extraction Tool
The QuarksPwDump copyright information has been left unmodified, and none of QuarksPwDump's other functions have been changed: the original functions work as usual, and only a few parameters of my own have been added.
What the hell is Ntds.dit?
In a domain, the hashes are stored in Ntds.dit. Ntds.dit is a binary file, the domain equivalent of the local computer's SAM file, and it is stored at %systemroot%\ntds\ntds.dit. It contains not only usernames and hashes, but also OUs, groups and so on.
Like the SAM file, this file is locked by the system, and Windows Server
How is Ntds.dit obtained?
Articles online describe this in great detail; work through it hands-on yourself.
0. Why not use ntdsxtract?
A: The extraction speed is too slow; it leaves a lot to be desired.
1. Why not use QuarksPwDump?
A: QuarksPwDump does not support an offline System.hiv. It can only be used by uploading QuarksPwDump to the server and running it there, and I don't like operating on the server. Another problem is that when memory is too small it reports that there is not enough memory.
2. Someone modified QuarksPwDump to support System.hiv; why not use that?
A: After exporting System.hiv, the file is often quite large and very inconvenient to download. In fact, what matters in System.hiv is the key, which can be queried with RegQueryInfoKey.
3. Someone modified QuarksPwDump to support both System.hiv and the key.
Author Blog: http://z-cg.com/post/ntds_dit_pwd_dumper.html
A: But that program is 32-bit; when reading a million hashes it reports that there is not enough memory!
So what problems does this version solve?
0. Added a function to get the System.hiv key value (it has to be run on the server)
1. Added support for offline System.hiv files
2. Added support for the offline System.hiv key value
3. Solved the problem of not enough memory
How to use:
Common parameters:
-K: Get System.hive Key
-O: Output file (save file to local)
-SF: Specify system.hive file path
-sk: Specify the system.hive file key value
-hist: Historical records
Obtaining the system.hive file: reg save Hklm\system System.hive
0. quarkspwdump.exe -k (be aware of UAC issues when running this on the server)
1. quarkspwdump.exe -dhd -nt NTDS_SAVED.DIT -SF System.hive -o Hash.txt
2. quarkspwdump.exe -dhd -nt Ntds_saved.dit -sk 33a97a6a092fcb44b0598aaxxxxxxxx -o Hash.txt
3. quarkspwdump.exe -dhd -nt Ntds_saved.dit -sk 33a97a6a092fcb44b0598axxxxxxxxx -hist -o Hash.txt
With historical records.
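For defenders, the steps above leave recognisable process-creation command lines: the `reg save` of the SYSTEM hive and the `-dhd`/`-nt` argument pair. The following is an added example, not part of the original post or of QuarksPwDump; it assumes command-line telemetry is collected (for example Windows event 4688 with command-line auditing, or Sysmon event 1), and the rule names and sample lines are constructed for illustration.

```python
import ntpath
import shlex

SYSTEM_HIVE_ROOTS = {r"hklm\system", r"hkey_local_machine\system"}
# Constructed process-creation command lines (not real telemetry).
SAMPLE_EVENTS = [
    r'reg save Hklm\system System.hive',
    r'reg.exe  SAVE "HKEY_LOCAL_MACHINE\SYSTEM" C:\temp\s.hiv /y',
    r'quarkspwdump.exe -k',
    r'C:\Users\Public\q.exe -dhd -nt ntds_saved.dit -sf System.hive -o hash.txt',
    r'reg query HKLM\SYSTEM\CurrentControlSet\Services',
    r'reg save HKLM\SOFTWARE soft.hiv',
]

def tokenize(cmdline):
    """Split a Windows command line, keeping backslashes and dropping quotes."""
    try:
        parts = shlex.split(cmdline, posix=False)
    except ValueError:  # unbalanced quote: fall back to a whitespace split
        parts = cmdline.split()
    return [p.strip('"') for p in parts]

def classify(cmdline):
    """Return the names of the rules a command line matches (empty if none)."""
    tokens = tokenize(cmdline)
    if not tokens:
        return []
    image = ntpath.basename(tokens[0]).lower()
    args = [t.lower() for t in tokens[1:]]
    hits = []
    # Rule 1: export of the SYSTEM hive root with "reg save".
    if (image in ("reg", "reg.exe") and len(args) >= 2 and args[0] == "save"
            and args[1].rstrip("\\") in SYSTEM_HIVE_ROOTS):
        hits.append("system_hive_export")
    # Rule 2: the tool's image name as it appears on this page.
    if "quarkspwdump" in image:
        hits.append("quarkspwdump_image")
    # Rule 3: the -dhd/-nt argument pair, which survives renaming the binary.
    if "-dhd" in args and "-nt" in args:
        hits.append("ntds_dump_arguments")
    return hits

def scan(events):
    results = ((e, classify(e)) for e in events)
    return [(e, hits) for e, hits in results if hits]

if __name__ == "__main__":
    for cmdline, hits in scan(SAMPLE_EVENTS):
        print(", ".join(hits), "<-", cmdline)
```

Legitimate backup jobs can also run `reg save` against the SYSTEM hive, so rule 1 is best correlated with the account and host that issued it.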
Download: click here. Password: CHI6
By the way, the southern real egg hurts every holiday.
This article is from the "Sanr" blog; please keep this source attribution: http://0x007.blog.51cto.com/6330498/1664131