Extracting Password Hashes From A Domain Controller

On a penetration test, once you've scored Domain Admin (DA) access it's generally a good idea to have a look at the hashes stored in Active Directory (AD). Not least because it'll point out all of the weak accounts that you missed on your journey to DA, but also because password reuse across accounts may get you into other systems, such as Linux servers or the network infrastructure.
There are a few methods of dumping hashes and every pentester I'd expect to know at least one of them, but I've included a few as it's always good to have a backup plan.

fgdump

The first method is the one I personally use the most; I find it the simplest way of achieving the goal. Simply upload fgdump (from http://foofus.net/goons/fizzgig/fgdump/) to the server and run it with elevated privileges. Personally I use RDP for this: I mount my local machine's drive and then execute the EXE from the share.
The benefit here is that I find a surprising number of anti-virus systems will ignore known malicious files if they're loaded over an SMB share rather than written to the local disk.

Meterpreter’s Hashdump

The second method is almost as easy and has an added anti-virus evasion option. Simply pop a Meterpreter shell on the target system and use the "hashdump" command from Meterpreter. You can get the shell either by uploading the EXE over RDP as above, through the exploitation of a vulnerability, or by using the built-in PsExec module, exploit/windows/smb/psexec. One caveat: the plain hashdump command reads the local SAM, and on a domain controller the domain accounts live in NTDS.dit rather than the SAM, so for domain hashes use the post/windows/gather/smart_hashdump module, which detects that the host is a DC and dumps the domain account database instead.
The benefit here is that if you're battling against anti-virus you can make use of Veil-Evasion (from https://www.veil-framework.com/framework/veil-evasion/) to bypass many common anti-virus products in a few easy steps.

Volume Shadow Copy

The final method I ignored for a long time. The benefit I was told about was that it's more manual and so not reliant on tools; I acknowledged this but took the "lazy" approaches above for the most part. Then of course one day the tools I favour didn't work and I was left with no alternative but to break out the books and learn this method. For all that it is "more manual", it turns out that it's actually not so bad at all and may become my preferred method in the future.
This is a two-step process: the first is to get the NTDS.dit (which contains the hashes) and the SYSTEM hive (which contains the boot key needed to decrypt them) from the target Domain Controller (DC); the second step is to extract the hashes on your own machine.
Grabbing NTDS.dit and SYSTEM via Shadow Copy (run from an elevated command prompt on the DC; the files are locked while AD is running, which is why a shadow copy is needed):
vssadmin create shadow /for=C:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit c:\
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM c:\
The "HarddiskVolumeShadowCopy1" device name is taken from the "Shadow Copy Volume Name" that vssadmin prints when it creates the copy; if the DC already has shadow copies the number will be higher, and "vssadmin list shadows" will show it. Remember to delete the copied files (and the shadow copy, with "vssadmin delete shadows") when you're done.
Throw those over to your attack machine and you can extract the hashes using GrimHacker's ESEDBxtract tool, available here: https://bitbucket.org/grimhacker/esedbxtract. Note that it depends on libesedb (from https://code.google.com/p/libesedb/), but if you're using a Fedora-based distribution you can install it with: sudo yum install libesedb
Grabbing esedbxtract is as simple as:
git clone https://bitbucket.org/grimhacker/esedbxtract.git
Using the tool looks a little like this (-s is the SYSTEM hive, -n is the NTDS.dit):
python esedbxtract.py -s /home/holly/Engagements/ClientXSep2015/SYSTEM -n /home/holly/Engagements/ClientXSep2015/ntds.dit
The benefit here is that the extraction of hashes is done on the attacker's machine rather than the domain controller, plus it uses standard Windows tools on the DC and so shouldn't trigger any anti-virus.
Whatever method you use, you should end up with output in the pwdump format, username:RID:LM hash:NT hash:::, like this:
Administrator:500:00202880B33825BF41A86CC7FA9D87FE:8774A50C91AD34D922AD7B04E8781B5A:::
Which you lot tin feed inwards to a tool similar OphCrack, John the Ripper, or HashCat to scissure dorsum inwards to a plaintext password!