For a successful attack on Active Directory, hijacking workstations and moving across the network, a real hacker does not have to possess user credentials. But sometimes you can’t do without them. And in order to get hold of the account, you need to know where passwords are usually stored in networks with Active Directory and how to get them from there.
All information is provided for informational purposes only. Neither the editors nor the author are liable for any possible harm caused by the information in this article.
Work with ntds.dit
ntds.dit is the database that stores Active Directory information: users, groups and group memberships. It also holds the password hashes of every user in the domain.
The first step is to get a copy of the file ntds.dit. It is located on the domain controller in the directory C:\Windows\NTDS. Simply copying it will not work, since the file is constantly in use by EFS in Active Directory, and the operator (pentester, red teamer, attacker or researcher) risks receiving the following error message.
I will describe two ways to copy this file. The first uses a PowerShell script, the second uses built-in Windows tools.
The Invoke-NinjaCopy script can copy any file that is in use by Windows services, including ntds.dit. It does not start additional services and does not inject into processes or run in the SYSTEM context. Instead, it opens a handle to the volume itself, which gives it read access to the raw bytes of the entire disk. It then parses the NTFS structures and searches for a specific signature to determine where the file resides, and copies it byte by byte. This is how it can read even files that LSASS keeps locked.
In addition, because the script is written in PowerShell, it can be run directly from memory, so it never has to be written to disk.
The second way is a shadow copy, using the vssadmin tool that ships with Windows. First, create a shadow copy with the following command:
> vssadmin create shadow /for=C:
Now the file can be copied from the shadow copy, where nothing holds it open.
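From the defender's side, both steps above leave telemetry. As an added example (not part of the article, and not the tooling it describes), the following Python flags a shadow copy being created, a command line that references ntds.dit, and a PowerShell script block that names Invoke-NinjaCopy, then escalates when the first two occur on the same host within a short window. The event records, host names, user names and the domain-controller list are constructed for the example; the field layout loosely follows Sysmon Event ID 1 / Security 4688 (process creation) and Microsoft-Windows-PowerShell/Operational 4104 (script block logging) and is an assumption about your log pipeline.

```python
"""Added example: detect the ntds.dit extraction steps the article describes.

All records below are constructed for the example. Field names follow
Sysmon Event ID 1 / Security 4688 and PowerShell 4104 only loosely.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Assumed asset inventory: hosts that are domain controllers.
DOMAIN_CONTROLLERS = {"DC01", "DC02"}
# Shadow copy followed by an ntds.dit reference within this window escalates.
CORRELATION_WINDOW = timedelta(minutes=10)

# Constructed telemetry (not real logs).
EVENTS = [
    {"ts": "2024-05-01T10:00:05", "host": "DC01", "kind": "process",
     "user": "CORP\\svc_backup", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin create shadow /for=C:"},
    {"ts": "2024-05-01T10:01:10", "host": "DC01", "kind": "process",
     "user": "CORP\\svc_backup", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\Temp\n.dit"},
    {"ts": "2024-05-01T11:30:00", "host": "WS-17", "kind": "process",
     "user": "CORP\\jdoe", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},          # benign: no shadow created
    {"ts": "2024-05-01T12:15:00", "host": "DC02", "kind": "script_block",
     "user": "CORP\\adm_x", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"Invoke-NinjaCopy -Path 'C:\Windows\NTDS\ntds.dit' -LocalDestination 'C:\Temp\n.dit'"},
    {"ts": "2024-05-01T13:00:00", "host": "FS01", "kind": "process",
     "user": "CORP\\svc_backup", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin create shadow /for=D:"}, # file server: likely backup job
]

VSS_CREATE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bcreate\s+shadow\b", re.I)
NTDS_REF = re.compile(r"ntds\.dit|\\NTDS\\", re.I)
NINJACOPY = re.compile(r"\bInvoke-NinjaCopy\b", re.I)


@dataclass
class Alert:
    severity: str
    rule: str
    host: str
    user: str
    ts: str
    detail: str


def classify(ev: Dict[str, str]) -> List[Alert]:
    """Apply the per-event rules; a single event can trigger several."""
    alerts: List[Alert] = []
    text = ev["cmdline"]
    on_dc = ev["host"] in DOMAIN_CONTROLLERS
    if VSS_CREATE.search(text):
        # Routine for backup software; weight by host role rather than block outright.
        alerts.append(Alert("high" if on_dc else "medium", "vss_shadow_create",
                            ev["host"], ev["user"], ev["ts"], text))
    if NTDS_REF.search(text):
        # The AD database path should not appear in ad-hoc command lines or scripts.
        alerts.append(Alert("high", "ntds_reference",
                            ev["host"], ev["user"], ev["ts"], text))
    if ev["kind"] == "script_block" and NINJACOPY.search(text):
        # Script block logging sees the script text even when it never touches disk.
        alerts.append(Alert("high", "ninjacopy_scriptblock",
                            ev["host"], ev["user"], ev["ts"], text))
    return alerts


def correlate(alerts: List[Alert]) -> List[Alert]:
    """Escalate a shadow copy followed by an ntds.dit reference on the same host."""
    by_host: Dict[str, List[Alert]] = defaultdict(list)
    for a in alerts:
        by_host[a.host].append(a)
    escalated: List[Alert] = []
    for host, items in by_host.items():
        creates = [a for a in items if a.rule == "vss_shadow_create"]
        refs = [a for a in items if a.rule == "ntds_reference"]
        for c in creates:
            for r in refs:
                delta = datetime.fromisoformat(r.ts) - datetime.fromisoformat(c.ts)
                if timedelta(0) <= delta <= CORRELATION_WINDOW:
                    escalated.append(Alert("critical", "shadow_copy_then_ntds", host,
                                           r.user, r.ts,
                                           f"shadow copy at {c.ts}, ntds.dit reference at {r.ts}"))
    return escalated


def analyze(events: List[Dict[str, str]]) -> List[Alert]:
    """Run per-event rules plus correlation; returns all alerts, base and escalated."""
    base = [a for ev in sorted(events, key=lambda e: e["ts"]) for a in classify(ev)]
    return base + correlate(base)


if __name__ == "__main__":
    for a in analyze(EVENTS):
        print(f"[{a.severity:8}] {a.rule:22} {a.host:5} {a.user:18} {a.ts}  {a.detail}")
```

Two points the sample shows. A shadow copy on a file server (FS01) is rated medium because backup jobs create them routinely; the same command on a domain controller is rated high, and a following reference to ntds.dit on that host is what turns it critical. And because the article's script runs from memory, process command lines may never contain its text, so the Invoke-NinjaCopy rule is applied to script block logging (4104), which records the script content regardless of where it was loaded from.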
Continuation is available only to participants