What you will need:
- Admin Access to your Active Directory
- A linux server with secretsdumps from impacket and hashcat, in this example I had a kali vm
- A Password list, on Kali there should be some here /usr/share/wordlists/ , I used rockyou.txt
Step 1: Dump NTDS Database
On a domain controller run the following:
powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"
This command will generate two folders in c:\temp , Active Directory and Registry

Step 2: Extact the hashes from the ntds.dit file
Copy/scp your file over to a linux machine and throw it at secretsdump, to extract the hashes
On kali this is what we ran:
impacket-secretsdump -ntds /root/ntds_cracking/ActiveDirectory/ntds.dit -system /root/ntds_cracking/registry/system LOCAL -outputfile ntdshashes.txt
Step 3: Cleanup hashes, this creates a file with the username and ntlm hash for cracking:
cat ntdshashes.txt | cut -d : -f 4 |sort|uniq > cleanhashes.txt
Step 4: Run hashcat against hashes
hashcat -m 1000 cleanhashes.txt /home/zs1/rockyou.txt
View the cracked hashes
cat /root/.hashcat/hashcat.potfile
140e2a025b0a93dc13720d19e935a918:Password3! 7a829d816a477655abe98a8c7de84c99:Password2@ 07d128430a6338f8d537f6b3ae1dc136:Password2! 43460d636f269c709b20049cee36ae7a:Password1@