Posts

Showing posts from August, 2021
Dumping Hash Files

It is very common during penetration tests where domain administrator access has been achieved to extract the password hashes of all the domain users for offline cracking and analysis. These hashes are stored in a database file on the domain controller (NTDS.DIT) along with additional information such as group memberships and users. The NTDS.DIT file is constantly in use by the operating system and therefore cannot be copied directly to another location for extraction of information. This file can be found in the following Windows location:

C:\Windows\NTDS\NTDS.dit

There are various techniques that can be used to extract this file or the information stored inside it; however, the majority of them use one of these methods:

- Domain Controller Replication Services
- Native Windows Binaries
- WMI

Mimikatz

Mimikatz has a feature (dcsync) which utilises the Directory Replication Service (DRS) to retrieve the password hashe...