浅析域密码审计工具DPAT

现在的大中型企业一般都是采取域来管理公司电脑，因为这样子既方便又省力，同时又有很多系统用域账户来做登录验证，其重要性非同小可。DPAT是一个Python脚本，使用oclHashcat工具生成oclHashcat.pot密码字典用于测试域账户然后生成HTML报告。

DPAT使用示例

dpat.py -n customer.ntds -c oclHashcat.pot -g "Domain Admins.txt" "Enterprise Admins.txt"

(”Domain Admins.txt”，”Enterprise Admins.txt”为可选内容)

customer.ntds文件格式如下：

domain\username:RID:lmhash:nthash:::

你可以通过在域控上执行以下命令从获得该文件。只要确保c:\temp有足够的磁盘空间用来存储。所需的空间只需比Ntds.dit文件稍大，因为将执行文件和一些注册表设置的备份。

ntdsutil "ac in ntds" "ifm" "cr fu c:\temp" q q

然后用secretsdump.py这个脚本将内容输出到所需要的格式

secretsdump.py -system registry/SYSTEM -ntds Active\ Directory/ntds.dit LOCAL -outputfile customer

上面的命令会创建一个“customer.ntds”文件，用于密码破解使用的文件。

oclHashcat文件格式如下：

nthash:password

或者

lmhashLeftOrRight:leftOrRightHalfPasswordUpcased

-g选项后面可以跟着”Domain Admins.txt”，”Enterprise Admins.txt”文件，文件可以是 PowerView PowerShell script的输出结果，例如：

Get-NetGroupMember -GroupName "Domain Admins" > "Domain Admins.txt"

或者从另一个域读取

Get-NetGroupMember -GroupName "Enterprise Admins" -Domain "some.domain.com" -DomainController

"DC01.some.domain.com" > "Enterprise Admins.txt"

该组文件可以是用户

domain\username

使用oclHashcat猜解所有7个字符的密码使用下面的命令：

./oclHashcat64.bin -m 3000 -a 3 customer.ntds -1 ?a ?1?1?1?1?1?1?1 --increment

使用’-h’或’–help’查看DPAT所有可用的选项

usage: dpat.py [-h] -n NTDSFILE -c CRACKFILE [-o OUTPUTFILE]

[-d REPORTDIRECTORY] [-w] [-s]

[-g [GROUPLISTS [GROUPLISTS ...]]]

This script will perfrom a domain password audit based on an extracted NTDS

file and password cracking output such as oclHashcat.

optional arguments:

-h, --help show this help message and exit

-n NTDSFILE, --ntdsfile NTDSFILE

NTDS file name (output from SecretsDump.py)

-c CRACKFILE, --crackfile CRACKFILE

Password Cracking output in the default form output by

oclHashcat, such as oclHashcat.pot

-o OUTPUTFILE, --outputfile OUTPUTFILE

The name of the HTML report output file, defaults to

_DomainPasswordAuditReport.html

-d REPORTDIRECTORY, --reportdirectory REPORTDIRECTORY

Folder containing the output HTML files, defaults to

DPAT Report

-w, --writedb Write the SQLite database info to disk for offline

inspection instead of just in memory. Filename will be

"pass_audit.db"

-s, --sanitize Sanitize the report by partially redacting passwords

and hashes. Prepends the report directory with

"Sanitized - "

-g [GROUPLISTS [GROUPLISTS ...]], --grouplists [GROUPLISTS [GROUPLISTS ...]]

The name of one or multiple files that contain lists

of usernames in particular groups. The group names

will be taken from the file name itself. The username

list must be in the same format as found in the NTDS

file such as some.ad.domain.com\username. Example: -g

"Domain Admins.txt" "Enterprise Admins.txt"