In the previous article we mainly covered physical access and how to export hashes from a local computer. With the growth of enterprise and cloud management, most small and medium-sized businesses have started deploying domains; it is fair to say that domains are already widespread abroad, while in China they are probably used mainly by foreign and large companies. Even so, we run into domains often in daily work, so Part 2 of this series covers domain hashes.
Before that, we must first understand the following concepts:
What is Active Directory (AD)?
Referenced from Baidu Encyclopedia:
"Active Directory is a directory service for Windows Standard Server, Windows Enterprise Server, and Windows Datacenter Server. (Active Directory cannot run on Windows Web Server, but it can be used to manage computers running Windows Web Server.) Active Directory stores information about network objects and allows administrators and users to easily find and use that information. Active Directory uses a structured data store, which serves as the basis for the logical, hierarchical organization of directory information."
After reading that introduction, I still didn't know what Active Directory is; definitions this conceptual and abstract are hard for anyone but an administrator to follow. Put loosely rather than rigorously, Active Directory (AD) is the foundation on which the domain controller and DNS run in the internal network: the domain controller is just the machine that hosts AD together with DNS and other services. If that is still unclear, the best approach is to build a domain yourself and try it.
Back to the topic: once we encounter AD, how do we get the hashes?
In a domain, the hashes live in NTDS.DIT. NTDS.DIT is a binary file, the domain equivalent of a local computer's SAM file. It is stored at %SystemRoot%\ntds\NTDS.DIT and contains not only usernames and hashes but also OUs and groups.
Like the SAM file, this file is locked by the system while it is in use. On Windows Server 2008 we can use an ntdsutil snapshot to copy it; the relevant Microsoft documentation is here: http://technet.microsoft.com/zh-cn/library/cc753609(v=ws.10).aspx
How do we extract the hashes from NTDS.DIT?
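Before turning to extraction tools, here is the defender's side of the copy step just described, as an added example that is not part of the original article: a small Python detector that runs over constructed Windows audit records and flags ntdsutil snapshot use, command lines naming %SystemRoot%\ntds\NTDS.DIT, and file access to NTDS.DIT by any process other than lsass.exe. The key=value record format, the host and user names, the sample command lines and the allow list are all assumptions made for the example, not real log data.

```python
"""
Added example (not from the original article): a small detector for the
NTDS.DIT copy step the article describes, run over constructed audit records.

Assumptions (not from the page):
  * Records are key=value text lines carrying a few Windows Security log
    fields for Event ID 4688 (process creation with command-line auditing
    enabled) and Event ID 4663 (file access, needs a SACL on the NTDS folder).
  * Host names, users, paths and command lines below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# key=value pairs; a value may be quoted to allow spaces (nested quotes are
# not supported by this simple constructed format).
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# The database path the article gives: %SystemRoot%\ntds\NTDS.DIT
NTDS_PATH_RE = re.compile(r"\\ntds\\ntds\.dit\b", re.IGNORECASE)

# On a domain controller only lsass.exe should normally hold NTDS.DIT open.
# Tune this allow list to the backup software actually in use (assumption).
ALLOWED_NTDS_READERS = {"lsass.exe"}


@dataclass
class Finding:
    host: str
    user: str
    rule: str
    detail: str


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value audit line into a dict of field -> value."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def analyze_event(ev: Dict[str, str]) -> List[Finding]:
    """Apply the three NTDS.DIT rules to a single parsed event."""
    host = ev.get("Host", "?")
    user = ev.get("SubjectUser", "?")
    findings: List[Finding] = []

    if ev.get("EventID") == "4688":
        proc = ev.get("NewProcessName", "").lower()
        cmd = ev.get("CommandLine", "")
        # Rule 1: ntdsutil invoked with its snapshot subcommand, the copy
        # method the article refers to.
        if (proc.endswith("\\ntdsutil.exe") or "ntdsutil" in cmd.lower()) \
                and "snapshot" in cmd.lower():
            findings.append(Finding(host, user, "ntdsutil-snapshot", cmd))
        # Rule 2: any other process naming the database file on its command
        # line. A copy that fails because the file is locked still leaves
        # this trace in the process-creation log.
        elif NTDS_PATH_RE.search(cmd):
            findings.append(Finding(host, user, "ntds-dit-in-cmdline", cmd))

    elif ev.get("EventID") == "4663":
        obj = ev.get("ObjectName", "")
        proc = ev.get("ProcessName", "")
        image = proc.rsplit("\\", 1)[-1].lower()
        # Rule 3: the file itself opened by something other than lsass.exe.
        if NTDS_PATH_RE.search(obj) and image not in ALLOWED_NTDS_READERS:
            findings.append(
                Finding(host, user, "ntds-dit-access-by-unexpected-process", proc))

    return findings


def scan(lines: List[str]) -> List[Finding]:
    """Parse and analyze every record, returning all findings in order."""
    results: List[Finding] = []
    for line in lines:
        results.extend(analyze_event(parse_event(line)))
    return results


# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    r'EventID=4688 Host=DC01 SubjectUser=CORP\svc_backup NewProcessName=C:\Windows\System32\notepad.exe CommandLine="notepad.exe C:\temp\notes.txt"',
    r'EventID=4688 Host=DC01 SubjectUser=CORP\jdoe NewProcessName=C:\Windows\System32\ntdsutil.exe CommandLine="ntdsutil.exe snapshot"',
    r'EventID=4688 Host=DC01 SubjectUser=CORP\jdoe NewProcessName=C:\Windows\System32\cmd.exe CommandLine="cmd.exe /c copy C:\Windows\NTDS\ntds.dit D:\export\ntds.dit"',
    r'EventID=4663 Host=DC01 SubjectUser=CORP\jdoe ObjectName=C:\Windows\NTDS\ntds.dit ProcessName=C:\Windows\System32\cmd.exe AccessMask=0x1',
    r'EventID=4663 Host=DC01 SubjectUser="NT AUTHORITY\SYSTEM" ObjectName=C:\Windows\NTDS\ntds.dit ProcessName=C:\Windows\System32\lsass.exe AccessMask=0x1',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] host={f.host} user={f.user} {f.detail}")
```

Rule 1 fires only when ntdsutil is combined with the snapshot subcommand, so routine ntdsutil use for other maintenance does not page anyone; rule 3 is the one that needs tuning, because legitimate backup agents will also open NTDS.DIT and belong in the allow list. Real 4688 command lines for ntdsutil carry nested quotes, so a production version should read fields from the event's XML or a SIEM export instead of this flat key=value format.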
If you want the simplest route, the Windows Password Recovery tool can do it, but it is a paid product.
Earlier, the hash extraction tool was ntds_dump_hash.zip, written by Csaba Barta, but it is no longer valid.
The latest tool is now NTDSXtract. I won't go into the extraction steps here; FreeBuf has an article on it.
Highlights
If you don't want to download NTDS.DIT, there are still plenty of tools to choose from, each with its own pros and cons. There is a tool comparison list written by a foreign author; I have tidied it up and added some content of my own.
Finally, I would like to thank an expert from T00LS and an old hand from Firefox for their guidance on this article.
End of Part 2.