Note
Tested on Windows Server 2016

Reference: https://medium.com/@airman604/dumping-active-directory-password-hashes-deb9468d1633

Set up a Windows Server 2016 instance.

Add some accounts, make some users have the same passwords.

Open a cmd.exe prompt as an administrator.

In the cmd.exe prompt type ntdsutil

Run the following

snapshot
activate instance NTDS
create

This creates a snapshot and shows it’s UUID. Mount the snapshot

mount UUID

This displays where the snapshot is mounted.

Open another cmd.exe prompt as an administrator.

Copy the file ntds.dit

copy C:\$SNAP_LOTSOFNUMBERS_VOLUMEC$\Windows\NTDS\ntds.dit C:\

Create a copy of the SYSTEM registry hive.

reg.exe save HKLM\SYSTEM C:\sys_reg_hive

Copy these files onto a machine with secretdump.py

I used pscp.exe to copy the files to a linux machine that has the following modules installed on it.

pip install pyasn1
pip install impacket

Locate the secretsdump.py file using the command locate secretsdump.py, be sure to do sudo updatedb first.

Change the current directory to where secretsdump.py is located. Copy the sys_reg_hive and ntds.dit files to that directory as well.

./secretsdump.py -system sys_reg_hive -ntds ntds.dit LOCAL > ~/output

This will store the usernames and hashes in the file output

The output will look something like this:

Impacket v0.9.15 - Copyright 2002-2016 Core Security Technologies

[*] Target system bootKey: 0x46c41aa449665da035c80088e4274c5c
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 0e096b829e4a01ee1e294d6dba4a8c74
[*] Reading and decrypting hashes from /home/user/hashdump/ntds.dit
Administrator:500:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
Guest:501:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
DefaultAccount:503:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
cloudbase-init:1000:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
Admin:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
user:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
USER-SERVER1$:1003:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
krbtgt:502:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
test.local\bob:1106:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
USER-SERVER2$:1107:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
[*] Kerberos keys from /home/user/hashdump/ntds.dit
cloudbase-init:aes256-cts-hmac-sha1-96:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
cloudbase-init:aes128-cts-hmac-sha1-96:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
cloudbase-init:des-cbc-md5:XXXXXXXXXXXXXXXX
USER-SERVER1$:aes256-cts-hmac-sha1-96:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
USER-SERVER1$:aes128-cts-hmac-sha1-96:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
USER-SERVER1$:des-cbc-md5:XXXXXXXXXXXXXXXX
krbtgt:aes256-cts-hmac-sha1-96:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
krbtgt:aes128-cts-hmac-sha1-96:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
krbtgt:des-cbc-md5:XXXXXXXXXXXXXXXX
test.local\bob:aes256-cts-hmac-sha1-96:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
test.local\bob:aes128-cts-hmac-sha1-96:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
test.local\bob:des-cbc-md5:XXXXXXXXXXXXXXXX
USER-SERVER2$:aes256-cts-hmac-sha1-96:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
USER-SERVER2$:aes128-cts-hmac-sha1-96:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
USER-SERVER2$:des-cbc-md5:XXXXXXXXXXXXXXXX
[*] Cleaning up...

Here is a bash script to check to see if there are identical hashes.

#!/bin/bash
DEBUG=0

cat output  | grep -v '[*]' | grep ':' | tr ':' ' ' | awk '{print $4 "," $1}' > output1

sort -k1 output1 > output2

USERNAME="not"
HASH="not"
NEW_USERNAME="true"
NEW_HASH="equal"

for LINE in $(cat output2); do
    NEW_HASH=$(echo $LINE | cut -d"," -f1);
    NEW_USERNAME=$(echo $LINE | cut -d"," -f2);
    if [ "$NEW_HASH" = "" ]; then
        if [ $DEBUG -eq 1 ]; then
            echo "skipping line"
        fi
        continue
    fi
    if [ $DEBUG -eq 1 ]; then
        echo "----------"
        echo "Line is $LINE"
        echo "New"
        echo $NEW_HASH
        echo $NEW_USERNAME
        echo "Old"
        echo $HASH
        echo $USERNAME
        echo "----------"
    fi
    if [ "$HASH" = "$NEW_HASH" ]; then
        echo "$NEW_USERNAME and $USERNAME may have the same password!"
        echo -e "\tHash is $HASH";
    fi
    USERNAME=$NEW_USERNAME
    HASH=$NEW_HASH
done