There are several how-tos on the Internet explaining how to extract hashes from the Active Directory database file. I used this how-to for Kali Linux: https://blog.joelj.org/windows-password-audit-with-kali-linux/
The tools libesedb and ntdsxtract are used in this how-to.
I encountered an error when making libesedb:
libcfile_support.c:742:2: error: #error Missing file remove function
Make sure to read the comment from May 6, 2016 for this how-to: it offers a solution for this error. Edit libcfile/libcfile_support.c and add this line at the top:
#define HAVE_UNLINK 1
First we get the Active Directory database file I published and unzip it:
Next we use libesedb (command esedbexport) to export the tables from ntds.dit:
This may take some time, depending on the size of the database.
The exported tables are in folder ntds.dit.export:
Then we use ntdsxtract (command dsusers.py) to export the hashes (LM and NTLM) from the exported tables. First we export the hashes in a format suitable for John the Ripper. We store the files in folder dump. The command also takes the SYSTEM registry hive (file system), from which it extracts the system key needed to decrypt the hashes.
We let the command create the folder dump:
Next the tool detects 2 schemas in the exported tables (objects 5 and 1480). First we try schema object 5:
This fails:
So we start again with schema object 1480, but first we need to remove the dump folder:
Now you can find the extracted hashes (lm.john.out and nt.john.out) in folder dump:
Next we repeat the same command but export hashes in a format suitable for hashcat:
Now you can find the extracted hashes (lm.ocl.out and nt.ocl.out) in folder dump:
If you want these hash files to crack the passwords without having to run through this how-to, you can download them here:
ntds-hashes.zip (https)
MD5: B0A84D756C211A97087BA307F0CE5739
SHA256: 009520798DD34831C47ADAC47D6DEB3C153FC44BD9D400A0BB813EBA46728D86
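For a password audit, the extracted hash files can already be triaged before any cracking: the sketch below (an added example, not part of the original how-to or of ntdsxtract) flags accounts with a blank password, accounts sharing the same NT hash, and accounts that still have an LM hash stored. It assumes each line of the files in folder dump is colon-separated with the account name first and a 32-hex-digit hash (optionally prefixed with $NT$ or $LM$) in a later field; the function names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of the empty password
# Assumed field shape: 32 hex digits, optionally prefixed with $NT$ or $LM$.
HASH_RE = re.compile(r"^(?:\$(?:NT|LM)\$)?([0-9a-fA-F]{32})$")

def parse_line(line):
    """Return (account, hash) for an 'account:hash[:...]' line, else None."""
    fields = line.strip().split(":")
    if len(fields) < 2 or not fields[0]:
        return None
    for field in fields[1:]:
        match = HASH_RE.match(field)
        if match:
            return fields[0], match.group(1).lower()
    return None

def audit(nt_lines, lm_lines):
    """Report account names only; hash values are never included in the result."""
    by_hash, blank = defaultdict(list), []
    for account, nt_hash in filter(None, map(parse_line, nt_lines)):
        if nt_hash == EMPTY_NT:
            blank.append(account)
        else:
            by_hash[nt_hash].append(account)
    shared = sorted(sorted(accts) for accts in by_hash.values() if len(accts) > 1)
    lm_stored = sorted(account
                       for account, lm_hash in filter(None, map(parse_line, lm_lines))
                       if lm_hash != EMPTY_LM)
    return {"blank_password": sorted(blank),
            "shared_password": shared,
            "lm_hash_stored": lm_stored}

# Constructed sample lines (not real data), mimicking the assumed file layout.
SAMPLE_NT = [
    "alice:$NT$" + "1a" * 16 + ":::",
    "bob:$NT$" + "1a" * 16 + ":::",      # same hash as alice: shared password
    "carol:$NT$" + EMPTY_NT + ":::",     # blank password
    "dave:$NT$" + "2b" * 16 + ":::",
    "line without any hash field",       # skipped by the parser
]
SAMPLE_LM = ["alice:" + "3c" * 16, "dave:" + EMPTY_LM]

if __name__ == "__main__":
    for finding, accounts in audit(SAMPLE_NT, SAMPLE_LM).items():
        print(finding, accounts)
```

To run it on real output, pass the lines of the NT and LM files from folder dump to audit() instead of the samples.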