In a real attack these hashes come from tools like Mimikatz, secretsdump, or ntdsutil.
| Username | Distinguished Name | Groups | NTLM Hash |
|---|---|---|---|
| administrator | CN=Administrator,CN=Users,DC=corp,DC=local | Domain Admins, Enterprise Admins | 9e41538ef7f2d0f7d0a882a668710345 |
| ram | CN=Ram,OU=Students,DC=corp,DC=local | Domain Users | 169e52d4048dd41dc715a8773634990e |
| john.smith | CN=John Smith,OU=IT,DC=corp,DC=local | Domain Users, IT Staff | b56e0b4ea4962283bee762525c2d490f |
| svc_sql | CN=SQL Service,OU=ServiceAccounts,DC=corp,DC=local | Domain Users | f5603806582528dcbd85c58ff552cd6c |
| svc_iis | CN=IIS Service,OU=ServiceAccounts,DC=corp,DC=local | Domain Users | d1a1674cc2138e76e4477654e1e7c1e6 |
Use these hashes in the Pass the Hash lab or crack them with Hashcat/John the Ripper.