Most medium and large enterprises today manage their computers through an Active Directory domain, because it is convenient and saves effort, and many internal systems also authenticate logins with domain accounts, so the strength of those passwords matters a great deal. DPAT (Domain Password Audit Tool) is a Python script that takes an extracted NTDS dump plus the cracking output of oclHashcat (the oclHashcat.pot file), matches the two to see which domain accounts have crackable passwords, and generates an HTML report. DPAT does not run the cracker itself; you crack the hashes first and feed it the results.

DPAT usage example
dpat.py -n customer.ntds -c oclHashcat.pot -g "Domain Admins.txt" "Enterprise Admins.txt"

("Domain Admins.txt" and "Enterprise Admins.txt" are optional.)

The customer.ntds file has the following format (one account per line):

domain\username:RID:lmhash:nthash:::

You can obtain this file by running the following command on a domain controller. Make sure c:\temp has enough free disk space: only slightly more than the size of Ntds.dit is needed, because the command takes a backup of that file together with some registry hives (the SYSTEM hive is required to decrypt the hashes).

ntdsutil "ac in ntds" "ifm" "cr fu c:\temp" q q

Then use the secretsdump.py script (from impacket) to export the contents in the required format:

secretsdump.py -system registry/SYSTEM -ntds Active\ Directory/ntds.dit LOCAL -outputfile customer

The command above creates a file named "customer.ntds", which is the file used for password cracking.

The oclHashcat.pot file has the following format:

nthash:password

or, for LM hashes, one line per cracked half (LM hashes are split into two 7-character halves and the plaintext is upper-cased):

lmhashLeftOrRight:leftOrRightHalfPasswordUpcased

The -g option is followed by files such as "Domain Admins.txt" and "Enterprise Admins.txt". These can be produced from the output of the PowerView PowerShell script, for example:

Get-NetGroupMember -GroupName "Domain Admins" > "Domain Admins.txt"

or, reading from another domain:

Get-NetGroupMember -GroupName "Enterprise Admins" -Domain "some.domain.com" -DomainController "DC01.some.domain.com" > "Enterprise Admins.txt"

The group file must list users in the same domain\username form that appears in the NTDS file (see the -g help text below); check the file before passing it to DPAT, because the group name is taken from the file name and members that do not match the NTDS format are simply not counted.

To try all passwords of up to 7 characters against the LM hashes with oclHashcat (hash mode 3000 is LM; because LM splits passwords into 7-character halves, this mask covers each half), use:

./oclHashcat64.bin -m 3000 -a 3 customer.ntds -1 ?a ?1?1?1?1?1?1?1 --increment

Use '-h' or '--help' to see all of DPAT's available options:

usage: dpat.py [-h] -n NTDSFILE -c CRACKFILE [-o OUTPUTFILE] [-d REPORTDIRECTORY] [-w] [-s] [-g [GROUPLISTS [GROUPLISTS ...]]]

This script will perform a domain password audit based on an extracted NTDS file and password cracking output such as oclHashcat.

optional arguments:
  -h, --help            show this help message and exit
  -n NTDSFILE, --ntdsfile NTDSFILE
                        NTDS file name (output from SecretsDump.py)
  -c CRACKFILE, --crackfile CRACKFILE
                        Password Cracking output in the default form output by oclHashcat, such as oclHashcat.pot
  -o OUTPUTFILE, --outputfile OUTPUTFILE
                        The name of the HTML report output file, defaults to _DomainPasswordAuditReport.html
  -d REPORTDIRECTORY, --reportdirectory REPORTDIRECTORY
                        Folder containing the output HTML files, defaults to DPAT Report
  -w, --writedb         Write the SQLite database info to disk for offline inspection instead of just in memory. Filename will be "pass_audit.db"
  -s, --sanitize        Sanitize the report by partially redacting passwords and hashes. Prepends the report directory with "Sanitized - "
  -g [GROUPLISTS [GROUPLISTS ...]], --grouplists [GROUPLISTS [GROUPLISTS ...]]
                        The name of one or multiple files that contain lists of usernames in particular groups. The group names will be taken from the file name itself. The username list must be in the same format as found in the NTDS file such as some.ad.domain.com\username. Example: -g "Domain Admins.txt" "Enterprise Admins.txt"
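The core of what DPAT does is a join between the two files described above: the NTDS dump (domain\username:RID:lmhash:nthash:::) and the hashcat potfile (nthash:password, or 16-hex-character LM halves with upper-cased plaintext). The following is an added example, not DPAT's own code, showing that join end to end: it parses both formats, reassembles cracked LM halves, flags accounts that still store an LM hash, detects password reuse (several accounts sharing one NT hash), computes cracked-password length statistics, and reports cracked members of a privileged group supplied in domain\username form. The sample NTDS lines, potfile lines, group file and the "sanitize" redaction rule are constructed for this example; the hash values are illustrative, and the empty-LM-hash constant is the well-known value for accounts without an LM hash.

```python
import re
from collections import Counter, defaultdict

# Well-known LM hash of the empty string: stored when no LM hash is kept for the account.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

# Constructed sample of secretsdump.py -outputfile output (customer.ntds); hashes are illustrative.
NTDS_SAMPLE = """\
corp.local\\Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
corp.local\\jsmith:1105:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
corp.local\\svc_backup:1120:299bd128c1101fd6aad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
corp.local\\mjones:1130:aad3b435b51404eeaad3b435b51404ee:a2345375a47a92754e2505132aca194b:::
"""

# Constructed sample potfile: NT entries (32 hex chars) and LM half entries (16 hex chars, upper-cased plaintext).
POT_SAMPLE = """\
8846f7eaee8fb117ad06bdd830b7586c:password
32ed87bdb5fdc5e9cba88547376818d4:123456
299bd128c1101fd6:123456
aad3b435b51404ee:
"""

# Constructed group file in the domain\\username form DPAT's -g option requires.
DOMAIN_ADMINS_SAMPLE = "corp.local\\Administrator\n"

NTDS_RE = re.compile(r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$", re.I)


def parse_ntds(text):
    """Parse secretsdump pwdump-style lines; reject anything that is not an account record."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = NTDS_RE.match(line)
        if not m:
            raise ValueError(f"unexpected NTDS line: {line!r}")
        accounts.append({"user": m["user"], "rid": int(m["rid"]),
                         "lm": m["lm"].lower(), "nt": m["nt"].lower()})
    return accounts


def _pot_plain(plain):
    """hashcat writes non-printable plaintexts as $HEX[...]; decode those."""
    if plain.startswith("$HEX[") and plain.endswith("]"):
        return bytes.fromhex(plain[5:-1]).decode("utf-8", "replace")
    return plain


def parse_potfile(text):
    """Split the potfile into NT hash -> password and LM half -> upper-cased half plaintext."""
    nt_cracked, lm_halves = {}, {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        h, _, plain = line.partition(":")  # split on the first ':' only; passwords may contain ':'
        h = h.strip().lower()
        if len(h) == 32:
            nt_cracked[h] = _pot_plain(plain)
        elif len(h) == 16:
            lm_halves[h] = _pot_plain(plain).upper()
    return nt_cracked, lm_halves


def parse_group_file(text):
    """Group members as a lower-cased set of domain\\username strings."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def audit(accounts, nt_cracked, lm_halves, groups=None):
    """Join accounts against cracking results; groups maps group name -> member set."""
    groups = groups or {}
    results = []
    for a in accounts:
        r = dict(a)
        r["cracked"] = nt_cracked.get(a["nt"])
        r["lm_stored"] = a["lm"] != EMPTY_LM
        left, right = a["lm"][:16], a["lm"][16:]
        # Both halves cracked -> LM plaintext (case is lost: LM upper-cases before hashing).
        r["lm_plain"] = (lm_halves[left] + lm_halves[right]
                         if r["lm_stored"] and left in lm_halves and right in lm_halves else None)
        r["groups"] = [g for g, members in groups.items() if a["user"].lower() in members]
        results.append(r)
    return results


def summarize(results):
    by_hash = defaultdict(list)
    for r in results:
        by_hash[r["nt"]].append(r["user"])
    cracked = [r for r in results if r["cracked"] is not None]
    return {
        "total": len(results),
        "cracked": len(cracked),
        "reuse": {h: users for h, users in by_hash.items() if len(users) > 1},
        "lengths": Counter(len(r["cracked"]) for r in cracked),
        "privileged_cracked": [r["user"] for r in cracked if r["groups"]],
        "lm_stored": [r["user"] for r in results if r["lm_stored"]],
    }


def sanitize(password):
    """Assumed redaction rule for a sanitized report: keep first and last character only."""
    if len(password) <= 2:
        return "*" * len(password)
    return password[0] + "*" * (len(password) - 2) + password[-1]


def run_sample():
    accounts = parse_ntds(NTDS_SAMPLE)
    nt_cracked, lm_halves = parse_potfile(POT_SAMPLE)
    results = audit(accounts, nt_cracked, lm_halves,
                    {"Domain Admins": parse_group_file(DOMAIN_ADMINS_SAMPLE)})
    return results, summarize(results)


if __name__ == "__main__":
    results, summary = run_sample()
    print(f"{summary['cracked']}/{summary['total']} accounts cracked")
    for r in results:
        shown = sanitize(r["cracked"]) if r["cracked"] else "-"
        print(f"{r['user']:<30} cracked={shown:<10} lm_stored={r['lm_stored']} groups={r['groups']}")
    print("password reuse:", summary["reuse"])
    print("length histogram:", dict(summary["lengths"]))
```

Running the sample shows the two findings a DPAT report is built around: a Domain Admin sharing the same NT hash (and therefore the same password) as an ordinary user, and a service account that still stores an LM hash, which is why the 7-character mask attack in the command above is worth running before any NT cracking.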