{"id":2450,"date":"2023-07-09T16:16:33","date_gmt":"2023-07-09T14:16:33","guid":{"rendered":"https:\/\/labalec.fr\/erwan\/?p=2450"},"modified":"2025-02-03T18:39:20","modified_gmt":"2025-02-03T17:39:20","slug":"ntdsextract","status":"publish","type":"post","link":"https:\/\/labalec.fr\/erwan\/?p=2450","title":{"rendered":"NTDSEXTRACT"},"content":{"rendered":"\n<p>Decrypt NTDS (NT Directory Service, the Active Directory database) password hashes taken from domain controllers: up to Windows Server 2012 R2 the stored hashes are encrypted with RC4, from Windows Server 2016 onwards with AES. NTDS uses the Extensible Storage Engine (ESE) database format.<\/p>\n\n\n\n<p>Source code and binary are <a href=\"https:\/\/github.com\/erwan2212\/NTDSEXTRACT\" target=\"_blank\" rel=\"noreferrer noopener\">here<\/a>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/labalec.fr\/erwan\/wp-content\/uploads\/2023\/07\/2023-07-09-16_10_47-Invite-de-commandes.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"275\" src=\"https:\/\/labalec.fr\/erwan\/wp-content\/uploads\/2023\/07\/2023-07-09-16_10_47-Invite-de-commandes-1024x275.png\" alt=\"\" class=\"wp-image-2451\" srcset=\"https:\/\/labalec.fr\/erwan\/wp-content\/uploads\/2023\/07\/2023-07-09-16_10_47-Invite-de-commandes-1024x275.png 1024w, https:\/\/labalec.fr\/erwan\/wp-content\/uploads\/2023\/07\/2023-07-09-16_10_47-Invite-de-commandes-300x81.png 300w, https:\/\/labalec.fr\/erwan\/wp-content\/uploads\/2023\/07\/2023-07-09-16_10_47-Invite-de-commandes-768x206.png 768w, https:\/\/labalec.fr\/erwan\/wp-content\/uploads\/2023\/07\/2023-07-09-16_10_47-Invite-de-commandes.png 1205w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n\n\n\n<p>Note that a file named import.ldif will also be created (in case you wish to import the exported hashes into an OpenLDAP directory).<\/p>\n\n\n\n<p>Also note that an NT hash is the MD4 hash of the password encoded as Unicode (UTF-16LE), which the following nthash pipeline reproduces:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>NTHASH-win64.exe --widestringtohexa --input=MyPassword | NTHASH-win64.exe 
--gethash --mode=MD4<\/code><\/pre>\n\n\n\n<p>Tips:<\/p>\n\n\n\n<p>1\/<\/p>\n\n\n\n<p>You can dump all the necessary files (registry hives and the ntds database) from the domain controller with an Install From Media (IFM) export; it writes ntds.dit under c:\\temp\\Active Directory\\ and the SYSTEM and SECURITY hives under c:\\temp\\registry\\.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>powershell \"ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\\temp' q q\"<\/code><\/pre>\n\n\n\n<p>2\/<\/p>\n\n\n\n<p>You need the syskey (boot key) of the OS, here the domain controller, to decrypt an NTDS database: it protects the Password Encryption Key (PEK) stored in ntds.dit, which in turn encrypts the hashes.<br>You can obtain the syskey offline with nthash from the SYSTEM registry hive (the IFM export gives you both the SYSTEM and SECURITY hives, but only SYSTEM is needed for this step).<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>nthash-win64 --getsyskey --offline --binary=system<\/code><\/pre>\n\n\n\n<p>3\/<\/p>\n\n\n\n<p>Your SYSTEM and SECURITY hives may be inconsistent (dirty, with transactions still sitting in the .LOG1 and .LOG2 files next to them), in which case make sure to collect not only the hives but also their transaction logs. Then load the hive in regedit (File &gt; Load Hive) with the logs in the same folder: regedit replays the logs into the hive, which is then consolidated and ready to be used by nthash.<\/p>\n\n\n\n<p>4\/<\/p>\n\n\n\n<p>Your ntds.dit may be corrupted, typically when it was copied raw from a running DC rather than exported with ifm. Check it with <strong>esentutl \/g ntds.dit<\/strong> and then repair it with <strong>esentutl \/p ntds.dit<\/strong>. Keep in mind that \/p is a last resort which drops whatever it cannot reconcile: when the check only complains that the database is not up-to-date and you have the transaction logs (edb*.log) at hand, run a recovery first with <strong>esentutl \/r edb \/l &lt;logdir&gt; \/d &lt;dbdir&gt;<\/strong>, which replays the logs without losing data.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>esentutl \/g ntds.dit\n\nExtensible Storage Engine Utilities for Microsoft(R) Windows(R)\nVersion 6.3\nCopyright (C) Microsoft Corporation. All Rights Reserved.\n\nInitiating INTEGRITY mode...\n        Database: ntds.dit\n  Temp. Database: .\\TEMPINTEG26304.EDB\n\nChecking database integrity.\n\nThe database is not up-to-date. 
This operation may find that\nthis database is corrupt because data from the log files has\nyet to be placed in the database.\n\nTo ensure the database is up-to-date please use the 'Recovery' operation.\n\n\n                     Scanning Status (% complete)\n\n          0    10   20   30   40   50   60   70   80   90  100\n          |----|----|----|----|----|----|----|----|----|----|\n          ...................................................\n\n\nIntegrity check completed.\nDatabase is CORRUPTED, the last full backup of this database was on 04\/10\/2024 10:30:19\n\nOperation terminated with error -1206 (JET_errDatabaseCorrupted, Non database file or corrupted db) after 4.297 seconds.\n<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>esentutl \/p ntds.dit\n\nExtensible Storage Engine Utilities for Microsoft(R) Windows(R)\nVersion 6.3\nCopyright (C) Microsoft Corporation. All Rights Reserved.\n\nInitiating REPAIR mode...\n        Database: ntds.dit\n  Temp. Database: TEMPREPAIR19620.EDB\n\nChecking database integrity.\n\nThe database is not up-to-date. This operation may find that\nthis database is corrupt because data from the log files has\nyet to be placed in the database.\n\nTo ensure the database is up-to-date please use the 'Recovery' operation.\n\n\n                     Scanning Status (% complete)\n\n          0    10   20   30   40   50   60   70   80   90  100\n          |----|----|----|----|----|----|----|----|----|----|\n          ...................................................\n\nInitiating DEFRAGMENTATION mode...\n            Database: ntds.dit\n\n                  Defragmentation Status (% complete)\n\n          0    10   20   30   40   50   60   70   80   90  100\n          |----|----|----|----|----|----|----|----|----|----|\n          ...................................................\n\n\nMoving 'TEMPREPAIR19620.EDB' to 'ntds.dit'... DONE!\n\nNote:\n  It is recommended that you immediately perform a full backup\n  of this database. 
If you restore a backup made before the\n  defragmentation, the database will be rolled back to the state\n  it was in at the time of that backup.\n\nOperation completed successfully in 14.515 seconds.\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Decrypt NTDS (NT Directory Service, the Active Directory database) password hashes taken from domain controllers: up to Windows Server 2012 R2 the stored hashes are encrypted with RC4, from Windows Server 2016 onwards with AES. NTDS uses the Extensible Storage Engine (ESE) database format. Source code and binary are here. Note that a file named import.ldif will also be created (in case you wish to import the exported hashes into <a href='https:\/\/labalec.fr\/erwan\/?p=2450' class='excerpt-more'>[&#8230;]<\/a><\/p>\n","protected":false},"author":7,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[128,118],"tags":[136,138,137],"class_list":["post-2450","post","type-post","status-publish","format-standard","hentry","category-ldap","category-nthash","tag-ndtsextract","tag-ntds","tag-ntds-dit","category-128-id","category-118-id","post-seq-1","post-parity-odd","meta-position-corners","fix"],"_links":{"self":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts\/2450","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2450"}],"version-history":[{"count":7,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts\/2450\/revisions"}],"predecessor-version":[{"id":2571,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts\/2450\/revisions\/2571"}],"wp:attachment":[{"href":"https
:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2450"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2450"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2450"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}