Extracting Domain Hashes: VSSAdmin

Published: 12 July 2020

We covered extracting domain hashes with Mimikatz previously, but that's not always the best approach - for example where anti-virus is getting in the way. However there are other options for the same goal. This time around we'll take a look at using Vssadmin, a built-in Windows tool.

VSSAdmin is the Volume Shadow Copy Administrative  command-line tool and it can be used to take a copy of the NTDS.dit file - the file that contains the active directory domain hashes.

From a domain controller, either directly or with a tool like PsExec, a shadow copy can be created with this command:

vssadmin create shadow /for=C:

Extracting the ntds.dit file using vssadmin.

The required files can then be copied from the shadow copy, like this:

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit c:\
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM c:\

Copying the files from the shadow copy to somewhere accessible, in this case the root of C.

Extracting the hashes locally from the NTDS.dit can be achieved with impacket-secretsdump. Using a command like this:

impacket-secretsdump -ntds ntds.dit -system SYSTEM local

Hashes extracted locally using secretsdump.

(Please excuse the pixelation, I didn't have a convenient lab domain to hand so I dumped the Akimbo domain...don't tell the boss.)

When secretsdump is finished, you'll have a pwdump file which you can crack with a tool like John the Ripper or Hashcat - so maybe check out our article on how get got 420 GH/s with Hashcat and AWS.