ADDumper - v0.1 (alpha)
ADDumper is an offline Active Directory data dumper.
I am still working on this tool, so there are probably lots of bugs.
Anyway, I already find it useful.
How to use:
- Reboot a domain controller in Directory Services Restore Mode (DSRM).
- Back up NTDS.DIT.
- Run ADDumper.
- Delete all LOG, EDB and CHK files from the %SYSTEMROOT%\NTDS folder. These are the ESE
working files created while the database was attached. If you used the %SYSTEMROOT%\NTDS
folder as your temporary folder, the tool has already cleaned them up for you.
Tables in ntds.dit:
- DataTable - the goods: one row per directory object, with its attributes as columns.
- Link_Table - linked attribute values (group membership, for example), stored as links between DataTable rows.
- HiddenTable - a single row of bookkeeping for the directory service itself, including which DataTable row is this DC's own NTDS Settings object.
- SDPropTable - the security descriptor propagation queue.
- MSysDefrag1 - an internal ESE table used by online defragmentation; it holds no directory data.
Map files:
- datatable_2000_map.txt - Some interesting fields in the Windows 2000 AD structure.
- datatable_2000_small_map.txt - Same as above, but with lots of empty fields removed.
- generic_map.txt - No table-specific columns are defined here, so it can be used to probe unknown structures.
Notes:
- Generally you do not need to run this tool on the domain controller. You can copy the ntds.dit
file to another machine and run it there, giving the database path in the parameters.
This works very well with a Windows 2000 database; you can even copy your own esent.dll
along with the ntds.dit file, and it should still work.
I was unable to open Windows 2003 databases from my XP workstation this way, but other OS combinations might work.
- Make sure you specify the proper map file. If you are uncertain, use the generic map file.
- I noticed that in certain rare cases the ntds.dit file gets corrupted and the
tool is unable to open it afterwards. Restore from your backup in this case and
try again; it might work.
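The workflow above (back up ntds.dit, run the dumper against a copy on another machine, then remove the LOG, EDB and CHK files), written out as a PowerShell script. This is an added example and not part of ADDumper. The command line `ADDumper.exe <database> <mapfile>` is a placeholder assumption, since the README does not document the real syntax; the scratch folder name and the optional esent.dll copy are assumptions too.

```powershell
# Added example, not part of ADDumper. Stages a copy of ntds.dit in a scratch
# folder, runs the dumper against the copy and removes the ESE working files
# (transaction logs, checkpoint, temporary databases) it leaves behind.
# ASSUMPTION: "ADDumper.exe <database> <mapfile>" is a placeholder command line;
# the README does not document the real syntax.
param(
    [string]$Source   = "$env:SYSTEMROOT\NTDS\ntds.dit",  # backup taken in DSRM
    [string]$WorkDir  = 'C:\addump',                      # scratch folder (assumed name)
    [string]$MapFile  = '.\generic_map.txt',
    [string]$EsentDll = ''                                # optional esent.dll to ship with the copy
)

# Never use the DC's live NTDS folder as the working folder: the ESE logs the
# dumper creates would end up next to the DC's own edb.log and edb.chk.
$liveNtds = Join-Path $env:SYSTEMROOT 'NTDS'
if ([IO.Path]::GetFullPath($WorkDir).TrimEnd('\') -ieq $liveNtds) {
    throw "Use a scratch folder, not the live NTDS folder ($liveNtds)."
}
if (-not (Test-Path -LiteralPath $Source)) { throw "Database not found: $Source" }

# Stage the database copy (and, if given, an esent.dll) in the scratch folder.
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$db = Join-Path $WorkDir 'ntds.dit'
Copy-Item -LiteralPath $Source -Destination $db
if ($EsentDll) { Copy-Item -LiteralPath $EsentDll -Destination $WorkDir }

# Placeholder invocation (see assumption above).
& '.\ADDumper.exe' $db $MapFile

# Cleanup step from the README: remove the .log, .chk and .edb files created while
# the copy was attached. The database copy and the dump output are left untouched.
Get-ChildItem -LiteralPath $WorkDir -File |
    Where-Object { $_.Extension -in '.log', '.chk', '.edb' -and $_.Name -ne 'ntds.dit' } |
    ForEach-Object {
        Write-Host "removing $($_.FullName)"
        Remove-Item -LiteralPath $_.FullName -Force
    }
```

Run it from the folder that holds ADDumper and the map files. Pointing `-Source` at a copied ntds.dit on a workstation rather than the DC is the safer path the notes above recommend; the folder guard only exists for the case where the script is run on the DC itself.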
Support forum here.