Just added a tool for offline Active Directory password hash extraction.

It has very basic functionality right now but much more is planned.

Usage is very simple and only requires 2 parameters.

ntds_decode <SYSTEM> <ntds.dit>

SYSTEM is registry hive and ntds.dit is the database, both from a domain controller.

These files are obviously locked so you need to backup using the Volume Shadow Copy Service.

The output format is similar to pwdump and only runs on Windows at the moment.

LM and NTLM hashes are extracted from active user accounts only.

ntds_decode mounts the SYSTEM file so Administrator access is required on the computer you run it on.

If you’re an experienced pen tester or Administrator that would like to test this tool, you can grab from

It’s advisable you don’t use the tool unless you know what you’re doing.

Source isn’t provided at the moment because it’s too early to release.

If you have questions about it, feel free to e-mail the address provided in README.txt