Merge pull request #650 from almandin/almandin-patch-1

Update README.md
2023-06-01 22:23:45 +02:00 · 2023-06-01 22:23:45 +02:00 · a239626d74
commit a239626d74
parent a2c9c0e50c 9368d214b6
1 changed files with 10 additions and 0 deletions
--- a/windows-hardening/stealing-credentials/README.md
+++ b/windows-hardening/stealing-credentials/README.md
@ -291,6 +291,16 @@ For **big NTDS.dit files** it's recommend to extract it using [gosecretsdump](ht

 Finally, you can also use the **metasploit module**: _post/windows/gather/credentials/domain\_hashdump_ or **mimikatz** `lsadump::lsa /inject`

+### **Extracting domain objects from NTDS.dit to an SQLite database**
+
+NTDS objects can be extracted to an SQLite database with [ntdsdotsqlite](https://github.com/almandin/ntdsdotsqlite). Not only secrets are extracted but also the entire objects and their attributes for further information extraction when the raw NTDS.dit file is already retrieved.
+
+```
+ntdsdotsqlite ntds.dit -o ntds.sqlite --system SYSTEM.hive
+```
+
+The `SYSTEM` hive is optional but allow for secrets decryption (NT & LM hashes, supplemental credentials such as cleartext passwords, kerberos or trust keys, NT & LM password histories). Along with other information, the following data is extracted : user and machine accounts with their hashes, UAC flags, timestamp for last logon and password change, accounts description, names, UPN, SPN, groups and recursive memberships, organizational units tree and membership, trusted domains with trusts type, direction and attributes...
+
 ## Lazagne

 Download the binary from [here](https://github.com/AlessandroZ/LaZagne/releases). you can use this binary to extract credentials from several software.