Decrypt NTDS (NT Directory Service) Active Directory hashes from domain controllers running Windows Server up to 2012 R2 (RC4-encrypted) and Windows Server 2016 and later (AES-encrypted). NTDS stores its database (ntds.dit) in the Extensible Storage Engine (ESE) format.
You can dump all the necessary files (the registry hives and the ntds.dit database) with
powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"
2/
You need the OS syskey (here, the domain controller's) to decrypt an NTDS database. You can obtain the system key offline with nthash from the SYSTEM and SECURITY registry hives.
Your SYSTEM and SECURITY hives may be inconsistent, in which case make sure to collect not only the hives but also all of their log files. Then load them in regedit: the hives and logs are consolidated, and the result is ready for use by nthash.
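An added check for the hive-consistency point above (example code, not part of nthash or this page): it parses the REGF base block of a hive file and reports whether the primary and secondary sequence numbers differ, which marks a hive whose last write never completed and whose .LOG1/.LOG2 transaction logs still need to be applied, and whether the header checksum matches. The make_base_block helper and its sample values are constructed for offline testing; on real input you would point it at the SYSTEM and SECURITY files from the ifm dump.

```python
import struct

REGF_BASE_BLOCK_SIZE = 4096  # the base block is the first 4 KiB of a hive file


def regf_checksum(base: bytes) -> int:
    """XOR-32 over the first 508 bytes; the two reserved results are remapped."""
    cs = 0
    for off in range(0, 508, 4):
        cs ^= struct.unpack_from("<I", base, off)[0]
    if cs == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return cs or 1


def check_hive(data: bytes) -> dict:
    """Inspect the base block of a registry hive (SYSTEM, SECURITY, ...)."""
    base = data[:REGF_BASE_BLOCK_SIZE]
    if len(base) < REGF_BASE_BLOCK_SIZE or base[:4] != b"regf":
        return {"valid": False}
    primary, secondary = struct.unpack_from("<II", base, 4)
    stored_checksum = struct.unpack_from("<I", base, 508)[0]
    name = base[0x30:0x30 + 64].decode("utf-16-le", "replace").rstrip("\x00")
    return {
        "valid": True,
        "name": name,
        "primary_seq": primary,
        "secondary_seq": secondary,
        # A mismatch means the last write did not complete: apply the transaction
        # logs (for example by loading the hive in regedit) before using the hive.
        "dirty": primary != secondary,
        "checksum_ok": stored_checksum == regf_checksum(base),
    }


def make_base_block(primary: int, secondary: int, name: str) -> bytes:
    """Constructed sample base block (not a real hive) for offline testing."""
    base = bytearray(REGF_BASE_BLOCK_SIZE)
    base[:4] = b"regf"
    struct.pack_into("<II", base, 4, primary, secondary)
    struct.pack_into("<IIII", base, 0x14, 1, 5, 0, 1)  # major, minor, type, format
    base[0x30:0x30 + len(name) * 2] = name.encode("utf-16-le")
    struct.pack_into("<I", base, 508, regf_checksum(bytes(base)))
    return bytes(base)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # e.g. the dumped SYSTEM and SECURITY hive files
        with open(path, "rb") as fh:
            print(path, check_hive(fh.read(REGF_BASE_BLOCK_SIZE)))
```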
4/
Your ntds.dit may be corrupted. Check this with esentutl /g ntds.dit and then repair it with esentutl /p ntds.dit.
esentutl /g ntds.dit
Extensible Storage Engine Utilities for Microsoft(R) Windows(R)
Version 6.3
Copyright (C) Microsoft Corporation. All Rights Reserved.
Initiating INTEGRITY mode...
Database: ntds.dit
Temp. Database: .\TEMPINTEG26304.EDB
Checking database integrity.
The database is not up-to-date. This operation may find that
this database is corrupt because data from the log files has
yet to be placed in the database.
To ensure the database is up-to-date please use the 'Recovery' operation.
Scanning Status (% complete)
0 10 20 30 40 50 60 70 80 90 100
|----|----|----|----|----|----|----|----|----|----|
...................................................
Integrity check completed.
Database is CORRUPTED, the last full backup of this database was on 04/10/2024 10:30:19
Operation terminated with error -1206 (JET_errDatabaseCorrupted, Non database file or corrupted db) after 4.297 seconds.
esentutl /p ntds.dit
Extensible Storage Engine Utilities for Microsoft(R) Windows(R)
Version 6.3
Copyright (C) Microsoft Corporation. All Rights Reserved.
Initiating REPAIR mode...
Database: ntds.dit
Temp. Database: TEMPREPAIR19620.EDB
Checking database integrity.
The database is not up-to-date. This operation may find that
this database is corrupt because data from the log files has
yet to be placed in the database.
To ensure the database is up-to-date please use the 'Recovery' operation.
Scanning Status (% complete)
0 10 20 30 40 50 60 70 80 90 100
|----|----|----|----|----|----|----|----|----|----|
...................................................
Initiating DEFRAGMENTATION mode...
Database: ntds.dit
Defragmentation Status (% complete)
0 10 20 30 40 50 60 70 80 90 100
|----|----|----|----|----|----|----|----|----|----|
...................................................
Moving 'TEMPREPAIR19620.EDB' to 'ntds.dit'... DONE!
Note:
It is recommended that you immediately perform a full backup
of this database. If you restore a backup made before the
defragmentation, the database will be rolled back to the state
it was in at the time of that backup.
Operation completed successfully in 14.515 seconds.