Active Directory
DCSync
Remote with secretsdump
NTDS, SAM, SYSTEM
Make a shadowcopy first via diskshadow.exe and copy out "c:\windows\ntds\ntds.dit":
When getting weird line endings errors, put everything in a txt file and run diskshadow /s . Alternatively you can create the shadowcopy via:
Then you can use the Path, e.g. \?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
to access it and copy out \windows\system32\config\SAM and \windows\system32\config\SYSTEM.
Dump:
SAM/System can also be dumped via registry:
Krbtgt hash on DC
Last updated