Shadow Copy

This method relies on the Volume Shadow Copy Service (VSS), the Microsoft backup technology that creates point-in-time snapshots of files or entire volumes. Vshadow.exe is a VSS client tool that ships with the Windows SDK (it is not present on a default Windows install, so it has to be staged on the target) and can be used to create and manage volume shadow copies.

A Domain Admin (or any account with local administrator or backup rights on a Domain Controller) can create a shadow copy and copy the Active Directory database, NTDS.dit, out of it. The live NTDS.dit is held open by LSASS and cannot be copied directly, which is why the snapshot is needed. Once the database and the SYSTEM hive are available offline, the credentials of every domain account can be extracted from them.

#Create a persistent (-p) shadow copy of C: without involving VSS writers (-nw)
vshadow.exe -nw -p C:

Vshadow prints the details of the new snapshot; make a note of the value shown under "Shadow copy device name", e.g. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1. Nothing is downloaded at this point: the snapshot is exposed as a read-only device, and NTDS.dit has to be copied from Windows\NTDS\ntds.dit under that device path into a normal folder (that copy is the ntds.dit.bak used below). The -p flag matters: without it vshadow deletes the snapshot as soon as it exits.

We also need the SYSTEM registry hive, because the boot key stored in it is required to decrypt the hashes in NTDS.dit. It can be saved from an elevated prompt with the following command,

reg.exe save hklm\system c:\system.bak

Once both files are available, transfer them to the Kali system and use impacket's secretsdump to extract the contents. The LOCAL keyword tells secretsdump to parse the files offline instead of connecting to a Domain Controller,

impacket-secretsdump -ntds ntds.dit.bak -system system.bak LOCAL

The above command lists every domain account (users, computer accounts and krbtgt) along with its NTLM hash and Kerberos keys, in the form domain\user:RID:LMhash:NThash:::. The extracted hashes can be used in any of the earlier discussed attacks. Delete the shadow copy afterwards (vshadow.exe -ds=<ShadowID>, using the SNAPSHOT ID printed during creation) so it is not left behind on the DC.
