Extracting Domain Hashes: VSSAdmin
Author: HollyGraceful Published: 19 October 2020 Last Updated: 03 July 2023
We covered extracting domain hashes with Mimikatz previously, but that's not always the best approach - for example where anti-virus is getting in the way. However there are other options for the same goal. This time around we'll take a look at using Vssadmin, a built-in Windows tool. VSSAdmin is the Volume Shadow Copy Administrative command-line tool and it can be used to take a copy of the NTDS.dit file - the file that contains the active directory domain hashes.
From a domain controller, either directly or with a tool like PsExec, a shadow copy can be created with this command:
vssadmin create shadow /for=C:
Extracting the ntds.dit file using vssadmin.
The required files can then be copied from the shadow copy, like this:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit c:\
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM c:\
Copying the files from the shadow copy to somewhere accessible, in this case the root of C.
Extracting the hashes locally from the NTDS.dit can be achieved with impacket-secretsdump. Using a command like this:
impacket-secretsdump -ntds ntds.dit -system SYSTEM local
Hashes extracted locally using secretsdump.
(Please excuse the pixelation, I didn't have a convenient lab domain to hand so I dumped the Akimbo domain...don't tell the boss.)
When secretsdump is finished, you'll have a pwdump file which you can crack with a tool like John the Ripper or Hashcat - so maybe check out our article on how get got 420 GH/s with Hashcat and AWS.