10 Controlling the entire network

This chapter covers

  • Identifying domain admin users
  • Locating systems with domain admin users logged in
  • Enumerating domain controller volume shadow copies (VSS)
  • Stealing ntds.dit from VSS
  • Extracting Active Directory password hashes from ntds.dit

It’s time to explain the final step in the post-exploitation and privilege-escalation phase of an internal network penetration test (INPT): taking complete control of the enterprise network by gaining domain admin privileges in Active Directory. Domain admin users can log in to any machine on the network, provided the machine is domain-joined (managed through Active Directory). If an attacker manages to gain domain admin privileges on an enterprise network, the ...

Excerpt from The Art of Network Penetration Testing, available on the O’Reilly learning platform.