
Intranet learning notes (6)

2022-06-25 02:08:00 seven six nine


In general, even with administrator rights you cannot simply copy C:\Windows\NTDS\ntds.dit off a domain controller: the directory service keeps the file open with an exclusive lock for as long as it runs, so an ordinary file read fails with a sharing violation rather than an access-denied error. The Windows Volume Shadow Copy Service (VSS) can be used to obtain a consistent copy of the file instead.

1. Use shadow copy services ntds.dit

In Active Directory, all directory data is stored in the ntds.dit file. ntds.dit is a binary file (an Extensible Storage Engine database) located on the domain controller at %SystemRoot%\NTDS\ntds.dit. It contains, among other things, user names, password hashes, group memberships, OUs and other Active Directory objects. Like the SAM file, it is locked by the Windows operating system while the system is running. This section describes how to export ntds.dit from the system and how to read the information in it. In practice, system administrators use the Volume Shadow Copy Service (VSS) for these operations. VSS is essentially a snapshot technology that is mainly used for backup and recovery, and it can copy a file even when the target file is locked.

1.1 Extract ntds.dit with ntdsutil.exe

ntdsutil.exe is a command-line tool that provides a management interface for Active Directory. With ntdsutil.exe you can maintain and manage the Active Directory database, manage and control single-master (FSMO) operations, create application directory partitions, and remove metadata left behind by domain controllers that were not successfully demoted with the Active Directory Installation Wizard (DCPromo.exe). The tool is installed on domain controllers by default; it can be run directly on the domain controller or remotely from another machine in the domain. ntdsutil.exe is available on Windows Server 2003, Windows Server 2008, Windows Server 2012 and later.

1.2 Extract ntds.dit with vssadmin

vssadmin is the VSS management tool that ships with Windows Server 2008 and Windows 7 (and later). It can create and delete shadow copies, list information about shadow copies (only shadow copies created by the system provider can be managed), display all installed shadow copy writers and providers, and resize the shadow copy storage area (the "diff area"). Note that the create shadow subcommand is only available on Server editions of Windows. The vssadmin procedure is similar to the ntdsutil one: create a shadow copy of the system volume, copy ntds.dit and the SYSTEM hive out of the shadow copy device path, then delete the shadow copy.

1.3 Extract ntds.dit with the vssown.vbs script

The vssown.vbs script provides functionality similar to vssadmin. It was written by Tim Tomes and can create and delete shadow copies as well as start and stop the shadow copy service. The script is run from a command-line environment with cscript.

1.4 Create a shadow copy with ntdsutil IFM

Besides extracting ntds.dit by running the commands described above, you can also obtain it by creating an IFM (Install From Media) set with ntdsutil. When ntdsutil creates an IFM set it generates a snapshot, mounts it, and copies ntds.dit together with the SYSTEM and SECURITY registry hives into the destination folder. These operations can also be executed remotely through PowerShell or WMI.

1.5 Export ntds.dit with diskshadow

Microsoft's documentation describes diskshadow.exe as a tool that exposes the functionality offered by the Volume Shadow Copy Service (VSS); in its default configuration diskshadow.exe uses an interactive command interpreter similar to DiskRaid or DiskPart. Because diskshadow is signed by Microsoft and is included by default in Windows Server 2008, Windows Server 2012 and Windows Server 2016, it can likewise be used to drive the Volume Shadow Copy Service and export ntds.dit. diskshadow's functionality is similar to that of vshadow, and it also lives in C:\Windows\System32\. vshadow, however, is part of the Windows SDK, so in practice it usually has to be uploaded to the target machine.
diskshadow has an interactive and a non-interactive mode. Interactive mode requires an interactive logon session (for example through Remote Desktop). In either mode, the exec command can call a script file to run related commands, and diskshadow /s <file> runs a diskshadow command script without any interaction.

1.6 Monitor usage of the Volume Shadow Copy Service

Monitoring the use of the Volume Shadow Copy Service makes it possible to detect an attacker's malicious operations on the system in time.

  • Monitor the Volume Shadow Copy Service and any suspicious operations that involve the Active Directory database file (ntds.dit).
  • Monitor suspicious instances of System Event ID 7036 (which records the Volume Shadow Copy service entering the running state) and events that create the vssvc.exe process.
  • Monitor events that create diskshadow.exe and its child processes.
  • Monitor diskshadow.exe instance creation events on client devices. Unless the business requires it, diskshadow.exe should not be present on a client Windows system; if it is found, it should be removed immediately.
  • Monitor newly appearing logical drive mapping events through the logs (diskshadow exposes a snapshot as a drive letter).
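The monitoring points above turned into a hunt query over the local event logs. This is an added example, not from the original notes; it assumes "Audit Process Creation" is enabled with command-line logging (Security 4688 carrying a CommandLine field, and ParentProcessName on Windows 10 / Server 2016 and later), and the seven-day window and regexes are my own choices.

```powershell
# Added example, not from the original notes: hunt for the VSS-abuse
# indicators listed above in the local event logs. Assumes Security 4688
# auditing with command-line logging; the window and patterns are assumptions.
$Since      = (Get-Date).AddDays(-7)
$Tools      = 'vssadmin\.exe|diskshadow\.exe|ntdsutil\.exe|vshadow\.exe|vssvc\.exe|cscript\.exe'
$ArgPattern = 'ntds\.dit|create shadow|create full|expose|vssown\.vbs'

function Get-EventField($Event, $Name) {
    # EventData field names are locale-independent, unlike the rendered Message.
    ([xml]$Event.ToXml()).Event.EventData.Data |
        Where-Object { $_.Name -eq $Name } | Select-Object -ExpandProperty '#text'
}

# 1. System 7036: the Volume Shadow Copy service entering the running state.
#    (Matched on the English message text; adjust on localized systems.)
$vssStarts = Get-WinEvent -FilterHashtable @{LogName='System'; Id=7036; StartTime=$Since} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Volume Shadow Copy' -and $_.Message -match 'running' } |
    Select-Object -ExpandProperty TimeCreated

# 2. Security 4688: process creation of the VSS tooling, or any process whose
#    command line names ntds.dit or the snapshot verbs. vssvc.exe is launched
#    by services.exe, so its parent is always services.exe; the tools above
#    launched from cmd/powershell under a user account are the interesting ones.
$procs = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=$Since} -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = Get-EventField $_ 'SubjectUserName'
            Process = Get-EventField $_ 'NewProcessName'
            Cmd     = Get-EventField $_ 'CommandLine'
            Parent  = Get-EventField $_ 'ParentProcessName'
        }
    } | Where-Object { $_.Process -match $Tools -or $_.Cmd -match $ArgPattern }

# 3. Correlate: a suspicious process within two minutes of a VSS start is the
#    ntds.dit extraction pattern from sections 1.1 to 1.5.
$alerts = foreach ($t in $vssStarts) {
    $procs | Where-Object { $_.Time -ge $t.AddMinutes(-2) -and $_.Time -le $t.AddMinutes(2) } |
        Select-Object @{n='VssStart'; e={ $t }}, Time, User, Process, Cmd, Parent
}
$alerts | Format-Table -AutoSize

# 4. diskshadow.exe should never run on a client build, so report it regardless
#    of whether a VSS start was seen nearby.
$procs | Where-Object { $_.Process -match 'diskshadow\.exe' } | Format-Table -AutoSize
```

On a busy domain controller backup software will also trigger 7036 and 4688 for vssadmin, so the user, parent process and time of day of each hit are what separate an administrator's scheduled backup from an interactive extraction.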

2. Export the hash values from ntds.dit

2.1 Use esedbexport to recover ntds.dit

esedbexport is one of the tools in the libesedb project. Download and compile libesedb, then use esedbexport to export the tables from the copied ntds.dit so that they can be parsed offline.

2.2 Use the impacket toolkit to export hash values

The secretsdump.py script in impacket can parse an exported ntds.dit together with the SYSTEM hive offline and print the NTLM hash of every domain account.

2.3 Parse ntds.dit on Windows and export the domain accounts and domain hashes

NTDSDumpex.exe can be used to export the hash values. Put ntds.dit, SYSTEM and NTDSDumpex.exe in the same directory, open a command prompt, and run NTDSDumpex against the ntds.dit file and the SYSTEM hive to export the domain accounts and their domain hashes.

3. Use dcsync to obtain domain hashes

3.1 Dump domain hashes with mimikatz

mimikatz has a dcsync function (lsadump::dcsync). Contrary to what is often written, dcsync does not read ntds.dit and does not use the Volume Shadow Copy Service at all: it speaks the Directory Replication Service protocol (MS-DRSR) to the domain controller and asks it to replicate account secrets, exactly as a peer domain controller would. It therefore works from any machine in the domain without touching the DC's file system. Note that the account running mimikatz needs replication rights on the domain (Replicating Directory Changes and Replicating Directory Changes All), which domain administrators hold by default; in practice this means running mimikatz with domain administrator privileges.

3.2 Use dcsync to obtain domain accounts and domain hashes

Invoke-DCSync.ps1 is a PowerShell script that wraps the same dcsync functionality, so it can retrieve the domain accounts and domain hashes directly over replication without exporting ntds.dit.
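Because dcsync is a replication request rather than a file read, the VSS monitoring from 1.6 will not see it; the corresponding check is Security Event 4662 on the domain controller. The following is an added example, not part of the original notes; it assumes "Audit Directory Service Access" is enabled (domain controllers carry the required SACL on the domain object by default) and a one-day window that is my own choice.

```powershell
# Added example, not from the original notes: detect DCSync from a domain
# controller's Security log. A replication request generates Event 4662
# whose Properties field carries the replication control-access right GUIDs.
# Assumes "Audit Directory Service Access" is enabled on the DC.
$ReplGuids = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',  # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2',  # DS-Replication-Get-Changes-All
    '89e95b76-444d-4c62-991a-0facbeda640c'   # DS-Replication-Get-Changes-In-Filtered-Set
)

function Get-EventField($Event, $Name) {
    # Pull a named EventData field out of the event XML (locale-independent).
    ([xml]$Event.ToXml()).Event.EventData.Data |
        Where-Object { $_.Name -eq $Name } | Select-Object -ExpandProperty '#text'
}

$hits = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4662; StartTime=(Get-Date).AddDays(-1)} -ErrorAction SilentlyContinue |
    Where-Object {
        $props = Get-EventField $_ 'Properties'
        # any of the replication GUIDs inside the Properties blob
        ($ReplGuids | Where-Object { $props -match $_ }).Count -gt 0
    } | ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = Get-EventField $_ 'SubjectUserName'
            Domain  = Get-EventField $_ 'SubjectDomainName'
            Object  = Get-EventField $_ 'ObjectName'
        }
    }

# Legitimate replication is performed by domain controller machine accounts
# (names ending in $). A user account requesting replication rights is the
# DCSync signal, whether it comes from mimikatz, Invoke-DCSync.ps1 or secretsdump.
$hits | Where-Object { $_.Account -notlike '*$' } | Format-Table -AutoSize
```

Azure AD Connect and some backup or password-filter products also hold replication rights under a service account, so the list of legitimate non-DC accounts should be baselined once and everything else treated as an alert.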

4. Use MSF to obtain domain hashes

Metasploit provides the auxiliary/admin/smb/psexec_ntdsgrab module, which authenticates to the domain controller over SMB, creates a shadow copy on it PsExec-style, and downloads ntds.dit and the SYSTEM hive for offline parsing.

5. Use vshadow.exe and QuarksPwDump.exe to export domain accounts and domain hashes

In a normal domain environment ntds.dit contains a lot of data and is correspondingly large, which makes it inconvenient to copy to the attacker's machine. If no anti-virus software is installed on the domain controller, an attacker can work directly on the domain controller: export ntds.dit and extract the domain accounts and domain hashes there, without ever copying ntds.dit elsewhere.
QuarksPwDump can quickly and reliably read all domain accounts and their domain hashes.
ShadowCopy is a free enhanced file-copy tool. It uses Microsoft's shadow copy technology and can copy locked files and files that are open in other programs.
vshadow.exe is extracted from the Windows SDK. In this experiment, after installing the SDK component, a vshadow.exe binary is created in the VSSDK72\TestApps\vshadow\bin directory (this file can be extracted and used on its own). Put all the files into the domainhash folder.
In shadowcopy.bat, set the working directory to C:\Windows\Temp (the directory can be chosen freely inside shadowcopy.bat).
Run the shadowcopy.bat script (which uses vshadow.exe to create a snapshot) to copy ntds.dit. QuarksPwDump then repairs ntds.dit and exports the domain hashes. After the script has run, the exported ntds.dit and hash.txt (containing all domain accounts and their hash values) are stored in the working directory set above.

This section has listed several ways of exporting user hashes. Once the hashes have been obtained they can be cracked with local or online tools. For local cracking, tools such as Cain, LC7, Ophcrack, SAMInside and Hashcat can be used; online cracking services exist both for NTLM hashes and for LM hashes.

6. Analysis and defense of the Kerberos domain user privilege escalation vulnerability

On 18 November 2014 Microsoft released an out-of-band patch for a Kerberos domain user privilege escalation vulnerability (MS14-068, CVE-2014-6324). All Windows server operating systems are affected, including Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2. The vulnerability undermines the permission control of the whole Active Directory: it allows an attacker to elevate the privileges of any domain user to domain administrator level. Informally, if an attacker has obtained shell access on any computer in the domain and knows the user name, SID and password of any domain user, they can obtain domain administrator privileges, take control of the domain controller and ultimately control the domain.
The cause of the vulnerability is as follows. When a user requests a TGT (ticket-granting ticket, issued by the Key Distribution Center's authentication service) from the Kerberos KDC, the user can forge the PAC (Privilege Attribute Certificate) carried in the Kerberos ticket. If the forged PAC claims domain administrator privileges and the KDC does not correctly verify the PAC signature (the vulnerable KDC accepted a PAC checksum computed with an unkeyed hash, which anyone can produce), the KDC returns a TGT that grants an ordinary domain user the privileges of a domain administrator. The user then presents this TGT to the KDC; the TGS (ticket-granting service) validates the TGT and issues service tickets, so the user can access any service in the domain, which lets the attacker reach resources throughout the domain.

6.1 The PyKEK toolkit

PyKEK (Python Kerberos Exploitation Kit) is a toolkit for penetration testing the Kerberos protocol. With PyKEK you can generate a TGT that carries a forged high-privilege PAC (written out as a ccache file) and then inject that ticket into memory with mimikatz (kerberos::ptc).

PyKEK only needs a Python 2.7 environment on the system to run. The PyKEK Python scripts can also be packaged into a standalone executable so that Python does not have to be installed on the target machine.

6.2 goldenPac.py

goldenPac.py is a tool for testing this Kerberos vulnerability (MS14-068); it is shipped in impacket/examples and combines the ticket forgery with a PsExec-style remote shell on the domain controller.


Copyright notice
This article was written by [seven six nine]; please include a link to the original when reposting. Thank you.
https://yzsam.com/2022/176/202206242156274919.html