This software can be used either directly as a CLI utility or as a library to get an SQLite database from an NTDS.DIT one. Encrypted bits can be decrypted if the associated system hive is provided altogether.
python -m pip install ntdsdotsqlite
ntdsdotsqlite NTDS.DIT --system SYSTEM -o NTDS.sqlite
usage: NTDS.sqlite [-h] [--system SYSTEM] -o OUTFILE NTDS
This tool helps dumping NTDS.DIT file to an SQLite database
positional arguments:
NTDS The NTDS.DIT file
optional arguments:
-h, --help show this help message and exit
--system SYSTEM The SYSTEM hive to decrypt hashes. If not provided, hashes will be encrypted inside the sqlite database.
-o OUTFILE, --outfile OUTFILE
The sqlite database. Example : NTDS.sqlite
The SQL model is described in the sql_model.md file in this repository. Basicaly, not all objects are extracted (at all), but the following are retrieved as of today : domain object, user accounts, machine accounts, groups, organizational units and containers. I thought these would be the most useful. If you need more object classes to be extracted or additional attributes, feel free to open an issue or a pull request !
Performances can be a bit low for huge NTDS files. The whole NTDS is not stored in memory to prevent memory exhaustion when working on huge files (NTDS databases can grow to several gigabytes).
FAQs
A small utility to get an SQLite database from an NTDS.DIT file.
We found that ntdsdotsqlite demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Elastic’s return to open source with the AGPL license has been met with skepticism, as many developers see it as a strategic move rather than a genuine effort to restore user trust and freedoms.
Security News
A new "revival hijack" supply chain attack targets deleted Python packages, with an estimated 22K packages at risk. Socket can detect and block hijacked packages that have added malicious code.
Product
We're introducing a new Analytics feature in the Socket dashboard so you can view changes in your organization's and repositories' alerts over time.