Intranet Penetration (70): Domain Persistence by Resetting the DSRM Password

Reset DSRM password

Directory Services Restore Mode (DSRM) is a safe-mode startup option for domain controllers in a Windows domain environment. Each domain controller has a local administrator account, the DSRM account. DSRM exists so that administrators can restore, repair, or rebuild the Active Directory database when the domain environment fails or crashes and bring it back to normal operation. In other words, the DSRM account is simply the local administrator account of the domain controller. By default the DSRM account cannot be used for RDP or other remote connections to the domain controller; this is controlled by the DSRM account's logon mode.

[Figure: DSRM password prompt during Active Directory installation]

The earlier post, Intranet Penetration Basics (4): Building a Domain Environment, mentioned that the DSRM password has to be entered during Active Directory installation, as shown in the figure.

DSRM passwords are rarely changed. Therefore, after obtaining domain controller privileges, a security researcher can maintain those privileges by changing the DSRM password and modifying the DSRM logon mode.

DSRM attack

After obtaining domain controller privileges, you can modify the DSRM password, setting it to the password of a specified domain user, in order to maintain those privileges.
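The two changes this technique relies on, a DSRM password reset and a relaxed DSRM logon mode, both leave traces a defender can check. The following script is an added example, not code from the original post; it assumes it is run locally on a domain controller with rights to read the Security log, and that "User Account Management" auditing is enabled so a DSRM password reset is recorded as Security event 4794.

```powershell
# Added example (not part of the original post): audit a domain controller for a
# DSRM password reset and for a relaxed DSRM logon mode.
# Assumption: Security auditing for "User Account Management" is enabled, so a DSRM
# password reset is logged as Security event 4794.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# DsrmAdminLogonBehavior: absent/0 = DSRM account usable only when booted into DSRM (default),
# 1 = usable while AD DS is stopped, 2 = usable at any time (the persistence-friendly value).
$behavior = (Get-ItemProperty -Path $lsaKey -Name 'DsrmAdminLogonBehavior' `
             -ErrorAction SilentlyContinue).DsrmAdminLogonBehavior
if ($null -eq $behavior) { $behavior = 0 }

switch ($behavior) {
    0 { Write-Output  'DsrmAdminLogonBehavior: default (0) - DSRM account limited to Directory Services Restore Mode' }
    1 { Write-Output  'DsrmAdminLogonBehavior: 1 - DSRM logon allowed while AD DS is stopped; confirm this is intended' }
    2 { Write-Warning 'DsrmAdminLogonBehavior: 2 - DSRM account can log on at any time; treat as suspicious unless change-controlled' }
}

# Event 4794: "An attempt was made to set the Directory Services Restore Mode administrator password".
# Any occurrence outside a planned maintenance window deserves investigation.
$since  = (Get-Date).AddDays(-30)
$resets = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4794; StartTime = $since } `
          -ErrorAction SilentlyContinue

if ($resets) {
    Write-Warning ("{0} DSRM password reset event(s) since {1}" -f @($resets).Count, $since)
    # Properties[1] is the SubjectUserName field of the event data (the account that ran the reset).
    $resets | Select-Object TimeCreated, @{ n = 'Actor'; e = { $_.Properties[1].Value } } | Format-Table -AutoSize
} else {
    Write-Output "No DSRM password reset (event 4794) since $since"
}

# Remediation, as a controlled change: remove the relaxed logon mode and rotate the DSRM
# password with ntdsutil, then re-run this audit.
# Remove-ItemProperty -Path $lsaKey -Name 'DsrmAdminLogonBehavior'
```

Because the DSRM password is rarely rotated, an unexpected 4794 event or a non-default DsrmAdminLogonBehavior value on a domain controller is a strong indicator worth alerting on.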

The experimental environment is as follows:

  • Domain controller OS version: Windows Server 2012 R2
  • Domain controller hostname: DC
  • Domain controller IP: 192.168.41.10

Modify DSRM password

Run the ntdsutil command on the domain controller. An interactive prompt appears; type set DSRM password and press Enter, then type reset pas


Source: blog.csdn.net/qq_64973687/article/details/130655893