Volume Shadow Service (VSS) and Pentesting

This is pretty cool from a post exploitation and a forensics perspective. Windows systems made after XP (so, Vista+) use a technology called the Volume Shadow Service (VSS), nicknamed called Shadow Copy, that allows taking manual or automatic backup copies or snapshots of computer files or volumes, even when they are in use.

The default behavior of VSS is to performs a cluster by cluster diffing backup of the volume once per week, and store it in the ‘System Volume Information’ folder at the root of the volume. With administrator privileges, you can access your previous shadow volume copies to ‘go back in time’ and explore the file system at the time of when the snapshot was taken.

You can list all of the shadows using the vssadmin command:

C:\>vssadmin list shadows

vssadmin 1.1 – Volume Shadow Copy Service administrative command-line tool

(C) Copyright 2001-2005 Microsoft Corp.

Contents of shadow copy set ID: {43180557-304b-4365-96ee-91840fb75823}

   Contained 1 shadow copies at creation time: 10/9/2015 4:19:02 PM

   Shadow Copy ID: {8f058f4b-7045-458d-99de-8b1520156e26}

   Original Volume: (C:)\\?\Volume{2310ecc8-23fc-11e4-9aed-806e6f6e6963}\

   Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1

Then, you can make a link to the volume (the trailing “\” is required):

C:\>mklink /d C:\Users\Jake\Desktop\Shadow_Copy1 \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\

symbolic link created for C:\Users\Jake\Desktop\Shadow_Copy1 <<===>> \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\

This command creates a shortcut file which allows you to explore the file system from the previous date in time.

Okay…so what? How can this help with post exploitation?

Well, you can copy files straight out of the old system, even files that are usually locked down by memory. Also, you may be able to find sensitive data that was conveniently deleted prior to a pen test or a security audit (maybe a passwords.txt file on a user’s desktop)

Other interesting artifacts include:

  • ntds.dit (where the passwords are stored in AD)
  • The SAM database (and any other registry hives)
  • Hyberfil.sys (a complete copy of memory if the system has ever hibernated)

It is also important to note, if you have SYSTEM access via a terminal, you can just copy the interesting files to the target’s file system and then transfer them to your attacker machine.

If you are interested in learning more about exploiting VSS, check out the code for vssown.vbs or additional info from SANS:




Leave a Reply

Your email address will not be published. Required fields are marked *