These hashes are stored in a database file in the domain controller (NTDS.DIT) with some additional information like group memberships and users.
It is very common during penetration tests where domain administrator access has been achieved to extract the password hashes of all the domain users for offline cracking and analysis. The attacker takes the office personnel in confidence and finally digs out the required sensitive information without giving a clue. This relationship can be established online through social networks, chatting rooms, or offline at a coffee table, in a playground, or through any other means. An attacker may befriend a company personnel and establish good relationship with him over a period of time.
