Windows Hash Dumping

From Rory.wiki



A standard part of a lot of tests is, once you've got access to a domain controller, dumping the password hashes from it. There are a variety of tools that can do the job, but they tend to get flagged by AV, and in some cases you may not be allowed to run them at all. So in those cases, how do you get the relevant information off the server using nothing but what Windows ships with?

Handily there's an easy process for this, detailed in this post on pauldotcom and in the links from it. As an aside, the video has a load of other information about what can be done with VSS and is well worth a watch.

I've summarised a version of it here for reference, as some of the information came from the video rather than the blog post.

Essentially it relies on the Volume Shadow Copy Service (VSS) built into Windows. A shadow copy is a consistent point-in-time snapshot of a volume, so it lets you read files from a running server that are normally locked because Windows has them open the whole time (the registry hives and the Active Directory database).

What you need to do is create a shadow copy of the system drive, copy the needed files out of the shadow copy, and (optionally) delete the shadow copy afterwards to clean up. Everything below is run from an elevated command prompt on the server.

First, check whether a shadow copy already exists:

vssadmin list shadows

lists the shadow copies on the machine. An existing one will do, but bear in mind it is a point-in-time snapshot, so the hashes in it are only as current as the shadow. If there isn't one, or you want a fresh one,

vssadmin create shadow /for=C:

creates a shadow copy of the system drive. Note that vssadmin create shadow only exists on the server editions of Windows; on client editions you need another VSS front end (WMI or diskshadow) to create one, after which the rest of the procedure is identical.

Once one exists, the output of the list (or create) command shows a Shadow Copy Volume Name like \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1 (the number on the end varies; use the one shown, and for an existing shadow make sure it is the one for C:).

So to get the files you need (the trailing dot is the current directory):

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\ntds\ntds.dit .
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\SYSTEM .
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\SAM .

This copies ntds.dit, SYSTEM and SAM into your current directory. ntds.dit (the Active Directory database) only exists on domain controllers; on any other box the SAM and SYSTEM hives are all there is, and they give you the local account hashes. ntds.dit is not always under \windows\ntds either: its real location is the DSA Database file value under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters, and if it lives on another volume you need a shadow of that volume instead. The SYSTEM hive is needed in both cases because it holds the boot key that the hashes in SAM and ntds.dit are encrypted with. If you created the shadow yourself, delete it once you have the files (vssadmin delete shadows, giving it the Shadow Copy ID from the create output); don't use the /all option, which would remove the host's real backups as well.

Once you've got your files, it's just a matter of extracting the hashes. The tools to do this run on Linux, and the instructions are in the linked blog post. The only point to note is that bkhive and samdump2 aren't part of that download, but on Ubuntu-based distros they can be installed with

sudo apt-get install bkhive samdump2

bkhive pulls the boot key out of the SYSTEM hive and samdump2 uses it to decrypt the SAM. Since samdump2 3.0 the bkhive step is built in and the separate bkhive package has been dropped from Debian and Ubuntu, so on a current system install just samdump2 and give it the SYSTEM and SAM files directly. Neither tool reads ntds.dit; for that use the tools from the blog post, or impacket's secretsdump.py run against the copied ntds.dit and SYSTEM hive with the LOCAL target.