Most modern computers are joined to a domain of some sort to allow for resource sharing and shared files. In Windows Active Directory, a Domain Controller is a server that manages user authentication. Domain Controllers store the password hashes of all domain users in a file called ntds.dit.
It is for this reason that when testing a Windows domain, targeting a Domain Controller can be an important part of the attack. Once you have the ntds.dit file, you have obtained a database of some of the most important information you can get and can attempt to crack every user's password.
Passwords in the ntds.dit file have been hashed with the NT hashing algorithm, so they can be cracked like any other type of password.
There are multiple methods to attempt to obtain the ntds.dit file. All of them require a domain administrator account or SYSTEM access to a domain controller. Some of the methods of getting the file are below:
Metasploit: auxiliary/scanner/smb/impacket/secretsdump
PowerShell: powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"
CrackMapExec: crackmapexec smb <IP> -u <domain admin> -p '<password>' --ntds
Once you have this file, you can use any password cracking tool you wish.
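From the defender's side, the methods listed above leave two distinct traces on a domain controller: the ntdsutil IFM export shows up as a process-creation event (4688) with "ntdsutil" and "ifm" on the command line, while secretsdump and CrackMapExec --ntds pull the hashes over directory replication, which is logged as a 4662 directory-service access carrying the DS-Replication-Get-Changes GUIDs. The following detection logic is an added example, not part of the original post; the event records and the "DC accounts end in $" rule are constructed assumptions.

```python
"""Flag the two ntds.dit collection paths described above from parsed
Windows security events.  Event records below are constructed samples."""
import re
from typing import Optional

# Control-access right GUIDs requested when an account replicates directory changes.
REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
# ntdsutil launched with the "ifm" (Install From Media) keyword anywhere after it.
NTDSUTIL_IFM_RE = re.compile(r"ntdsutil(\.exe)?\b.*\bifm\b", re.IGNORECASE)


def is_dc_account(name: str) -> bool:
    # Assumption: only machine accounts (trailing "$") legitimately replicate.
    return name.endswith("$")


def check_event(ev: dict) -> Optional[str]:
    """Return an alert string if the event matches a known collection path."""
    eid = ev.get("EventID")
    if eid == 4688:  # process creation with command line auditing enabled
        cmd = ev.get("CommandLine", "")
        if NTDSUTIL_IFM_RE.search(cmd):
            return f"ntdsutil IFM export by {ev.get('SubjectUserName')}: {cmd}"
    elif eid == 4662:  # operation performed on an AD object
        props = set(re.findall(r"[0-9a-f-]{36}", ev.get("Properties", "").lower()))
        user = ev.get("SubjectUserName", "")
        if props & REPL_GUIDS and not is_dc_account(user):
            return f"replication rights exercised by non-DC account {user}"
    return None


def scan(events) -> list:
    """Run every event through check_event and keep the alerts."""
    return [a for a in (check_event(e) for e in events) if a]


SAMPLE_EVENTS = [  # constructed sample telemetry
    {"EventID": 4688, "SubjectUserName": "alice",
     "CommandLine": "powershell \"ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\\temp' q q\""},
    {"EventID": 4688, "SubjectUserName": "bob", "CommandLine": "notepad.exe c:\\temp\\notes.txt"},
    {"EventID": 4662, "SubjectUserName": "DC01$", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "svc_backup", "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The DC-to-DC 4662 and the unrelated process launch are deliberately included so the logic shows what it must ignore as well as what it flags.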