Active Directory · Term

What is NTDS.dit?

NTDS.dit is the database file on every Domain Controller that stores the password hash of every account in the domain. Copy it and you hold every credential at once. Here is what NTDS.dit is, the attack that steals it, and how to keep it out of reach.

Active Directory · TermAll services
TL;DR

NTDS.dit is the main Active Directory database file, stored on every Domain Controller (usually at C:\Windows\NTDS\ntds.dit). It holds every directory object and, critically, the password hash of every user and computer account in the domain. An attacker who copies it, together with the SYSTEM registry hive needed to decrypt it, walks away with the credentials of the entire organisation, including Domain Admins and KRBTGT. Stealing NTDS.dit is one of the clearest "game over" events in Active Directory, which is why it sits at the very top of the assets that must be protected.

By John Dill, Red Team Lead, SecureLayer7Updated

What NTDS.dit is

NTDS.dit (NT Directory Services Directory Information Tree) is the database that is Active Directory on a Domain Controller. Every user, group, computer, and policy lives in it, and so does the password hash of every account.

It is encrypted at rest, but the key material lives in the SYSTEM registry hive on the same machine. So the file alone is not enough, but a Domain Controller hands over both to anyone who already has high privilege on it. That pairing, the database plus the SYSTEM hive, is what attackers collect.

The attack: dumping every hash

Once an attacker reaches a Domain Controller or Domain Admin rights, extracting NTDS.dit gives them every credential in one move. Unlike harvesting hashes machine by machine, this is the whole domain at once: every user, every service account, the Domain Admins, and KRBTGT (whose hash then enables Golden Tickets).

With every hash in hand, the attacker can Pass-the-Hash as anyone, crack passwords offline at leisure, and maintain access long after the incident appears closed. There is no partial recovery: a stolen NTDS.dit means every password in the domain should be considered compromised.

How the attack runs

Attackers either pull the hashes remotely via replication or copy the file from the DC. The documented methods include:

  • Remote, over DCSync replication: secretsdump.py -just-dc corp.local/admin@dc-ip
  • From a shadow copy of the volume, then offline: secretsdump.py -ntds ntds.dit -system system LOCAL (Impacket)
  • Native extraction on the DC with ntdsutil "ifm" snapshots

Each ends the same way: a complete list of domain password hashes. These are well-known techniques included for defenders to recognise.

How to protect it

NTDS.dit lives on Domain Controllers, so protecting it means protecting Tier 0:

  • Harden and isolate Domain Controllers. Only Tier 0 admins should ever touch them, and never from an ordinary workstation.
  • Keep Domain Admin credentials off lower-tier machines so an attacker cannot pivot up to a DC in the first place.
  • Monitor for DCSync replication from non-DC sources and for volume shadow-copy activity on Domain Controllers.
  • Restrict backup access, since DC backups contain NTDS.dit and are a softer target than the live DC.
  • Alert on `ntdsutil` and secretsdump-style activity on Domain Controllers.

References

  1. [1]MITRE ATT&CK Enterprise Matrix(MITRE)
  2. [2]Microsoft: Kerberos Authentication Overview(Microsoft)
  3. [3]NIST SP 800-115 Technical Guide to Security Testing(NIST)
Related terms

Common questions

Active Directory, asked often

Need your Active Directory tested?

Scope an engagement

Test your Active Directory before an attacker does.

We run internal and Active Directory penetration tests that follow the real path from one low-privilege user to Domain Admin, then hand your team a report with reproducible evidence and a fix for every step. Free re-test included.

See all services30-min scoping call, fixed-price proposal in 48 hours.