Financial services SaaS company in LA. West Coast: hiring. East Coast: I know a guy. 10 years infosec experience. SANS Advisory Board.

For my good friends Mark, Jeff, Scott, who will mock me while not understanding a lick of this: this is not about hash that needs salt, hash that you smoke, or hash that you tag someone with. They are not octothorpes. These are hashes that you dump, crack and pass. Thank you for interacting with me like a normal person despite all the 10101110001 I speak.
History

2007: "priv hashdump" (since Metasploit 3.0): lsass injection, injects raw assembly code into lsass.exe. DEP interaction causes crash & reboot. AntiVirus API hooking causes crash & reboot.

2010: "run hashdump": no injection, direct registry access in memory, needs SYSTEM. Slow, no evidence, 100% safe. Must have SYSTEM.
...to alternate media and copy files off
Steal virtual container (GuestStealer v1.1: perl script to steal files via wget path traversal from old ESX/VMware server systems)
Rogue ESX / Hyper-V admins
Metasploit: run hashdump
VSS service to copy ntds.dit, SYSTEM, SAM from a live system
NinjaCopy PowerSploit script
VSS & PSH
VSS: compress, copy off system, cleanup

SAM
cscript vssown.vbs /list
cscript vssown.vbs /delete [id]
del ntds.dit & del SYSTEM & del SAM & del vss.vbs & del rar.exe
Extraction on a Linux system: configure your tools

Download / extract libesedb from http://sourceforge.net/projects/libesedb/
Download / extract ntdsxtract from: http://www.csababarta.com/downloads/ntdsxtract/ntdsxtract_v1_0.zip
cd libesedb
chmod +x configure
./configure && make
Download / extract dshashes.py into the NTDSXTRACT 1.0 folder from: http://ptscripts.googlecode.com/svn/trunk/dshashes.py
Tools: pass the hashes

patched samba tools, winexe
firefox
xfreerdp: pth to an RDP session with no creds in memory (no kb2871997) -OR- credentials are stored in WDigest in plaintext (yes kb2871997)
(MS just released kb2871997 to address restricted admin)
Detect

anomalous network flows
leave VSS off by default, alert if it's turned on
DLP on DCs
correct audit settings on DCs
you do have full pcaps of all your egress traffic, right?!
detect vssown / ninjacopy activity?
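The two detection ideas on this slide ("alert if VSS is turned on" and "detect vssown / ninjacopy activity") as a small log-scanning example. This is added code, not from the slides; the event records are constructed, the host list is an assumed defender-maintained inventory, and the 4688 process-creation events assume command-line auditing is enabled on the DCs (the "correct audit settings" point above).

```python
"""Flag VSS service start-ups and vssown / NinjaCopy style process launches
in Windows event log records (added example, sample events are constructed)."""
import re

# Constructed sample records: (log name, event id, host, message text).
SAMPLE_EVENTS = [
    ("System", 7036, "DC01",
     "The Volume Shadow Copy service entered the running state."),
    ("Security", 4688, "DC01",
     r"New Process Name: C:\Windows\System32\cscript.exe "
     r"Process Command Line: cscript vssown.vbs /list"),
    ("Security", 4688, "ADMIN-WS1",
     r"New Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
     r"Process Command Line: powershell.exe -c Invoke-NinjaCopy -Path C:\Windows\NTDS\ntds.dit"),
    ("Security", 4688, "WS07",
     r"New Process Name: C:\Windows\System32\notepad.exe "
     r"Process Command Line: notepad.exe"),
    ("System", 7036, "DC01",
     "The Print Spooler service entered the running state."),
]

# Service Control Manager 7036 fires for every service state change; only the
# VSS service reaching "running" is interesting here.
VSS_START = re.compile(r"Volume Shadow Copy service entered the running state")
# Tooling named on the slides plus the file it exists to copy.
SUSPICIOUS_CMD = re.compile(r"vssown\.vbs|ninjacopy|ntds\.dit", re.IGNORECASE)
# Assumption: the defender keeps an inventory of domain controller hostnames.
DC_HOSTS = {"DC01"}


def classify(event):
    """Return an alert kind for one event record, or None if it is benign."""
    log, event_id, _host, message = event
    if log == "System" and event_id == 7036 and VSS_START.search(message):
        return "vss-started"
    if log == "Security" and event_id == 4688 and SUSPICIOUS_CMD.search(message):
        return "hash-dump-tooling"
    return None


def scan(events, dc_hosts=DC_HOSTS):
    """Run classify() over a batch; anything on a DC is escalated to high."""
    alerts = []
    for ev in events:
        kind = classify(ev)
        if kind:
            severity = "high" if ev[2] in dc_hosts else "medium"
            alerts.append({"host": ev[2], "event_id": ev[1],
                           "kind": kind, "severity": severity})
    return alerts
```

On a real estate the same two checks map directly onto a SIEM rule: 7036 for the VSS service name, and 4688 command lines matched against the same pattern.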