A BSidesLA talk in which I explore methods of dumping Active Directory password hashes from a domain controller: using the Volume Shadow Copy Service or direct disk access to copy the NTDS.dit, SYSTEM and SAM files off a running DC.

I give a history of the older methods, detail the newer methods, and offer ideas for detecting them.

  • Evolution of getting password hashes
  • Non-injection methods
  • Getting your tools onto the DC
  • VSS & PSH
  • Volume Shadow Copy Service
  • PowerSploit NinjaCopy direct disk access
  • Export and extract
  • Crack them
  • Pass them
  • Detect vssown / NinjaCopy activity
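The last item, detecting vssown / NinjaCopy activity, is where a defender will want something concrete. The following is an added example and not material from the talk or its slides: a small Python detector that runs heuristic rules over process-creation records (fields loosely modelled on Sysmon Event ID 1 / Security 4688) and flags the three observable steps of the technique described above: an on-demand shadow copy being created (vssadmin, wmic, or the vssown.vbs script), NTDS.dit/SAM/SYSTEM being read out of a shadow-copy device path, and an Invoke-NinjaCopy invocation on the command line. The regexes, the rule names, the `DOMAIN_CONTROLLERS` inventory and every sample event are my own assumptions and constructed data.

```python
"""Flag process-creation events that look like shadow-copy based hash dumping.

Added illustration, not the talk's own tooling. Rules are heuristics; tune them
against what legitimate backup software does in your environment.
"""
import re
from dataclasses import dataclass
from typing import Iterable

# Assumed inventory: hostnames of domain controllers. A hit on a DC is rated
# higher because that is where NTDS.dit lives.
DOMAIN_CONTROLLERS = {"DC01"}


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    description: str


RULES = [
    Rule(
        "vss_snapshot_created",
        re.compile(
            r"vssadmin(\.exe)?\s+create\s+shadow"
            r"|wmic(\.exe)?\s+shadowcopy\s+call\s+create"
            r"|vssown\.vbs",
            re.IGNORECASE,
        ),
        "Shadow copy created on demand (vssadmin, wmic or vssown.vbs)",
    ),
    Rule(
        "shadowcopy_credential_file_read",
        re.compile(
            r"HarddiskVolumeShadowCopy\d+.*?(ntds\.dit|config\\sam\b|config\\system\b)",
            re.IGNORECASE,
        ),
        "NTDS.dit, SAM or SYSTEM read out of a shadow copy device path",
    ),
    Rule(
        "ninjacopy_invocation",
        re.compile(r"Invoke-NinjaCopy", re.IGNORECASE),
        "PowerSploit NinjaCopy raw-volume file copy on the command line",
    ),
]


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    user: str
    severity: str
    cmdline: str


def evaluate(events: Iterable[dict]) -> list[Alert]:
    """Return one Alert per (event, rule) match. Unmatched events produce nothing."""
    alerts = []
    for ev in events:
        cmd = ev.get("cmdline", "")
        for rule in RULES:
            if rule.pattern.search(cmd):
                severity = "high" if ev.get("host") in DOMAIN_CONTROLLERS else "medium"
                alerts.append(Alert(rule.name, ev.get("host", "?"), ev.get("user", "?"), severity, cmd))
    return alerts


# Constructed sample records; they are not logs from any real system.
SAMPLE_EVENTS = [
    {"host": "DC01", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin create shadow /for=C:"},
    {"host": "DC01", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd /c copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy3"
                "\\Windows\\NTDS\\ntds.dit C:\\temp\\ntds.dit"},
    {"host": "DC01", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\cscript.exe",
     "cmdline": "cscript.exe vssown.vbs /start"},
    {"host": "DC01", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell -nop -c \"Invoke-NinjaCopy -Path C:\\Windows\\NTDS\\ntds.dit "
                "-LocalDestination C:\\temp\\n.dit\""},
    # Benign: listing existing shadow copies on a workstation should not fire.
    {"host": "WS07", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
    {"host": "DC01", "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]


if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.rule} host={a.host} user={a.user} :: {a.cmdline}")
```

Command-line matching only sees what the process was launched with, so NinjaCopy run from an already-open PowerShell session or from a script on disk will not appear here; pairing this with PowerShell script block logging, and with file-read auditing on the NTDS directory, covers that gap. The severity split (high on a DC, medium elsewhere) is there because a legitimate backup agent will also create shadow copies, and the useful signal is the combination of snapshot creation plus a credential file being read from it on a domain controller.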

Talk: http://www.youtube.com/watch?v=_ZcAA6ncOG8

Slides: https://speakerdeck.com/0xsalt/dumping-ad-hashes-without-process-injection

https://github.com/0xsalt

https://twitter.com/0xsalt