Description: Dumping AD Hashes Without Process Injection
Russ Swift
@0xsalt
I will be presenting on methods of dumping Active Directory password hashes from a domain controller by using the Volume Shadow Copy Service or direct disk access to make a copy of the NTDS.dit, SYSTEM and SAM files from a running DC. I will give a history of old methods and detail new methods and ideas for detecting them.
- evolution of getting password hashes
- current and new methods
- tools and credentials prep
- getting your tools onto the DC
- Volume Shadow Copy Service
- PowerSploit NinjaCopy direct disk access
- export and extract
- crack them
- pass them
- detect vssown / ninjacopy activity?
Russ is a security practitioner in the greater Los Angeles area with ten years of experience providing security engineering, pentesting and consulting services to Fortune 100 finance and entertainment companies. Russ has developed information security courseware for pentesting and training companies and is currently a SANS research and curriculum advisor. Russ has pentesting experience in the areas of network infrastructure, Active Directory, wireless and antivirus evasion.
For more information, please visit: http://www.securitybsides.com/w/page/36552449/BSidesLosAngeles