Shadow copies

To be documented => https://portal.offsec.com/courses/pen-200/books-and-videos/modal/modules/lateral-movement-in-active-directory/active-directory-persistence/shadow-copies

Everything must be done in CMD!!!

Replace vshadow.exe by using the native tool:

vssadmin create shadow /for=C:

When extracting the hashes, the NTLM hash is the last one

joe:1106:aad3b435b51404eeaad3b435b51404ee:08d7a47a6f9f66b97b1bae4178747494:::
peach:1107:aad3b435b51404eeaad3b435b51404ee:4e340266b912685014b98560d274d260:::
mario:1108:aad3b435b51404eeaad3b435b51404ee:8909f22bda647d382e7b448bea350175:::
wario:1109:aad3b435b51404eeaad3b435b51404ee:fdf36048c1cf88f5630381c5e38feb8e:::

eg for peach its 4e340266b912685014b98560d274d260

PreviousGolden Ticket Forgery

Last updated 2 years ago