Auditing Windows Active Directory for Weak Passwords - Dumping Hashes From Domain Controller

Captions
Hey, what's up, you guys? Welcome back to another video. So this time we're looking at Active Directory. We're actually on a domain controller here right now, and we're going to show you how to dump out all of the password hashes that are stored on this domain controller, and then we can actually take them to other tools like hashcat and try to crack them. It makes a great way for you as a sysadmin, or maybe you're part of an infosec team, where you want to audit your environment and see, hey, what users, or what type of passwords, are my users using? Do we have weak credentials in the environment? Rather than going through and doing a password-spraying type attack, this is a really good way to be able to go through a ton of passwords quickly and see what weak credentials might be in your environment. So stay tuned, this is going to be a good one.

All right, here we go. So we're looking at a Windows Server 2019 box here, and it's already got Active Directory configured, up and running. We've got a handful of users here. This is our domain controller on this side of the house; this is a Kali Linux system. The only thing we're actually going to use out of it is this Impacket tool suite, and if you've watched any of my other Active Directory exploitation videos you've seen me use Impacket before. If you haven't seen those videos, definitely go check them out, I've got all kinds of cool content. But anyway, to get Impacket, if this is your first time seeing this, you go out to GitHub, you can just search for Impacket, you'll find this repo. From here you can just clone it down: literally copy this to a git clone, paste that in, and there's even some installation instructions right here, just python pip install, do your thing and you're good to go. So once you have that installed on your system there'll be this folder in here, this examples folder. So we've got all these different scripts that we can run, but the one that we're interested in is secretsdump.py.

So I'm actually going to show you two different ways that we're going to leverage secretsdump.py. The first is I'm going to show you how we can use it remotely to go ahead and try to export or dump out all of the local NTLM hashes off of that domain controller, and that'll give us the user creds for everybody in the domain, right? So we're going to show you how to do this remotely first. To do that, obviously we need to make sure we can even communicate to this system. So if I open up a PowerShell, we'll do a quick ipconfig. I've got two different addresses here, let me copy this one down. Let's just see if we can even communicate back and forth, and we can, pings are working, we've got communication. So now we can go and try to use secretsdump.py, and I'm going to say -just-dc and we'll paste in that IP address. Now before I hit go on this, we're actually going to need to go ahead and give it a username that we want it to authenticate as.

So this video is targeted to people who are working either as, like, a sysadmin, or maybe you're part of an infosec team, and you're wanting to do an audit of your environment to see what type of passwords your users are using. Are they putting you in a vulnerable state by using things like Winter2020, you know, or Password123? So we're trying to get these hashes so then we can crack them and see if there's any, like, low-hanging fruit out there that we need to train our users on, so that way they learn how to use better passwords. Because of that reason, this does require that you have domain admin rights already on the environment that you're working in. If you're a pentester you could totally use this in an engagement too, as long as it's within scope, right? So it'd probably be towards the end of your engagement, after you've gotten DA, and at this point you're just trying to, like, prove impact. What's the point, right? Like, we got DA, but what does that mean? Well, this is one way to show that.

So to mention who it is we're going to authenticate as, right here you'll throw in the domain, throw in the user. In my case ljames is a domain admin for the nba domain, and then just point that at the box you're hitting, press enter, and you'll be prompted for the password for that ljames user. Punch that in, and... it didn't work. So something didn't work here. Let's take a look: secretsdump.py -just-dc nba/ljames@10110, I believe that's right. Maybe I had a typo in my password? And "permission denied", something went wrong with this approach. Maybe we need to run this elevated, so I'll do a sudo in the front of this, try this one more time... boom! Check that out. So we now have all the hashes dumped out of the system.

Now, if you want to see actually going through the process of cracking these hashes, I made a video about cracking NTLMv2 hashes, which are different hashes than what we're looking at here. If you're interested in how to actually crack these specifically and you want to see all of the syntax for hashcat, let me know in the comments, I might make a video just for that if you'd like. But for the scope of this video, we'll copy out all these and store that into a hash file if we'd like to. But this is how you actually dump the hashes remotely once you have DA credentials.

But what if you didn't have the ability to run this? What if you don't have, like, network connectivity from a Kali system to the actual Windows server, or you want to know a way to do this living off the Windows land, right? So let me show you how we can do it out here. Back over on our Windows server, let me show you how we can go and get this locally off the file system. Say maybe the Kali box doesn't have, like, network connectivity or something like that, right? So we're going to leverage PowerShell quite a bit to do this. If you try to do it all out of the GUI it's just not going to work, right? For example, what we're looking to do is copy down two different files out of this file system. Both of them are going to live inside the Windows installation directory: one of them is in System32 and the other one's in NTDS. So there's two different files that we need. One of them is the file that actually stores the password hashes, and then the other is the SYSTEM hive that actually handles the encryption of the password hashes. So we're going to need both of these in order to decrypt the, I guess, like, the storage of the hashes, so then we can even go and try to actually crack those hashes. If we can get these two files off the system we can go in and take them over to our Kali box, and then we'll be able to do something similar like we did with secretsdump to extract the hashes, try to crack them and do all that fun stuff.

However, we do have one challenge. If I go into Windows, already in that, let me look for the System32 folder, and then we're looking for config. So this is one of the files that we're going to need. If I were to just try to copy this and say throw it into, like, a temp directory, hit continue, it's actually going to give us an error. It's saying that we can't copy it because the file is open, it's actually being used by the operating system. So that raises a challenge for us. If you have a backup solution in place you could probably rip this right off the backup system, but if you don't, we can use shadow copies to go in and take a backup, and then, since that backup's not going to be used by the operating system, we should be able to copy files off of it.

So the easiest way to do this is to come into PowerShell. I'm going to start by changing into that temp directory, just because I like being in that temp directory, and then we'll use the following command to actually go ahead and take a backup. It's just vssadmin create shadow, and I don't know if I should really call it a backup, it's a shadow copy in Windows, and then you just specify what directory, or what drive, you're looking to create that shadow copy of. In our case we're looking to do this on the C drive. You may need to specify a different drive letter if you have your operating system installed on a different drive. Like, ours is here on the C drive, but if for whatever reason you installed it on, like, D or E or F or something like that, then you'll want to specify that here. But cool, looks like that was successfully created; we now have a new shadow copy at this weird spot. Perfect.

So the first thing we want to do is figure out where that shadow copy actually got posted. I mean, I know it gives us this UNC path here, but if I were to, like, try to copy, or even just list out the contents of that path, it doesn't show us anything. So what I found: if you actually come into the properties of the C drive, you go into Previous Versions, this is where it lists the various shadow copies that you have, and this is the one that we just took. If I open this guy up, now we're actually looking at a different path here that specifies the shadow copy that we're actually working with. So then we can go into Windows\System32\config and we've got a system folder, or I guess a SYSTEM file, right inside of here. Again though, if you try to copy this down, you're actually going to run into now permission-based issues and whatever. Instead of dealing with it out of Explorer, I just found, let's use PowerShell, and it works like a charm. So let's go into the properties of this file and we can actually see the full path listed right here. We just go ahead and select all, copy that, and now we can do a copy for this file. That just has the directory, so we'll have to also give it the name, which in our case is, what was it, SYSTEM, I couldn't even remember. Okay, copy that down, list the contents of our temp directory, check it out, we got the SYSTEM file. So the second file that we need is actually in the Windows directory still, but it's not in System32, it's under NTDS, and it's ntds.dit. So in theory, we should be able to come in here, come back into the Windows directory, and then do NTDS and ntds.dit. Perfect, so we've got the two files that we need.

So now, go into our temp folder, I'm going to go in and take both of these, I'm just going to zip them up. I sent them to the desktop, that's not what I wanted, Send to, Compressed (zipped) folder, and it threw it on the desktop anyway, whatever. So now you can transfer these however you want. I'm going to use just, like, a file share. This is my domain controller in my lab environment, and so I'm going to copy this and I'm going to paste this in. This is already a file share that's actually publicly accessible to everybody on my network, so if you're in production, don't do this. Don't copy it to a publicly accessible file share that other people can see. Again, this folder really has, like, the keys to your kingdom. You want to transfer this, and you want to be really careful with this file. But I don't care in my lab environment, right? I'm a good security guru, so I'm just going to go ahead and paste that into that public share, and then we'll go and download it from my Kali system.

So we can use smbclient to do this, and we'll just connect back to, what was it, 10110 I believe, and my share is called "share", I think that's right. Let's try to connect. Yeah, it's asking for the WORKGROUP password, so we know we got that right. Okay, and then we just need to specify ljames is the person we're authenticating with, and his super secure password, punch that in, we're connected. And then we can go ahead and say "get ntds.zip", or is it "get"? It is "get", right? Yeah, yes, "ntds", yes, that's it. It's not working. Let's try this again, maybe I need to specify ntds.zip as the output. Do I have... exit real quick. Oh, so I'm in this weird directory, I don't have write permissions inside the opt directory, right? So I'm going to go into Documents, Videos, I think it's Videos, maybe it's just, sorry guys, home, vids, and then this was hashtag. Okay, now we'll do this again and we'll say "get ntds.zip". Boom, we got it. Okay, so that's what happens when you don't smash the like button for the YouTube algorithm, it doesn't let me download the file, guys. So please make sure you hit the like button, it really helps the channel out.

All right, cool, so let's exit out of here. Now we have the ntds.zip file. This is pretty trivial at this point, we just need to go ahead and unzip the file. We have two actual files in here, and now we're back to running secretsdump.py. If you installed Impacket using the pip install thing, it should make it to where secretsdump.py is already in your path, so just running that actually executes the script, you don't have to be in the opt directory like I was earlier. Okay, so secretsdump.py, we'll specify this time -ntds, because we actually have the system local. Let's make sure we list this out so I can see everything. So I'm going to specify the path to my ntds file, which is right here, and then we'll specify -system and give it the path to our SYSTEM hive, which is right there, tell it that we're using LOCAL so it's not trying to go out to any, like, remote file share or remote server, and then I'll give it an output file here of hashes.txt. Fingers crossed... it looks like maybe it's going to work, reading, decrypting, and check it out, we were able to dump the hashes off the system. We also got some extra cool stuff here: it looks like we got some Kerberos keys, I don't recall if we saw that last time or not, and it looks like it even gave us different, like, Windows computer system hashes, right? So like Mamba, Goat, Uncle Drew, those are all domain-joined computer names, those aren't actual users on the system. So yeah, we got a lot of juicy, juicy stuff in here, and you can take those hashes offline, use hashcat, try to crack them. If you want to see a video on that, just let me know in the comments so we can make a part two. Otherwise this is everything I wanted to show you guys, so hopefully you like this content. If you're new, please consider subscribing, and I will check you guys out in the next video. Thanks, you...
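Editor's note: the local, "living off the land" collection the video walks through by hand (create a shadow copy, pull SYSTEM and ntds.dit out of it, then feed both to secretsdump.py with LOCAL) is shown below as one scripted PowerShell example. This is an added example, not code from the video, the channel, or the Impacket project. It assumes the system drive is C:, it uses the output directory C:\Temp\ntds-audit (a name chosen for this example), and it runs from an elevated PowerShell on the domain controller. It creates the shadow copy through the Win32_ShadowCopy WMI class instead of vssadmin so the device path of the shadow copy comes back as a property rather than having to be read out of the Previous Versions dialog, and it removes the shadow copy when done, because a forgotten shadow copy is a second, unmonitored copy of every domain secret sitting on the DC.

```powershell
# Added example (not from the video): collect ntds.dit and the SYSTEM hive from a
# VSS shadow copy on a domain controller, for offline auditing with secretsdump.py.
# Run from an elevated PowerShell on the DC.
# Assumptions: system volume is C:, output folder C:\Temp\ntds-audit is a name
# chosen for this example, nothing else depends on the shadow copy we create.
$ErrorActionPreference = 'Stop'
$Volume = 'C:\'
$OutDir = 'C:\Temp\ntds-audit'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Create the shadow copy via WMI. ReturnValue 0 means success; ShadowID
#    identifies the new copy so we can look up its device path.
$result = Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
            -Arguments @{ Volume = $Volume; Context = 'ClientAccessible' }
if ($result.ReturnValue -ne 0) {
    throw "Shadow copy creation failed with return value $($result.ReturnValue)"
}
$shadow = Get-CimInstance -ClassName Win32_ShadowCopy |
          Where-Object { $_.ID -eq $result.ShadowID }
# DeviceObject is the "weird spot" vssadmin prints, e.g.
# \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3 ; it is the root of the frozen volume.
$root = $shadow.DeviceObject

try {
    # 2. Copy the two files out of the frozen volume. The live copies are locked by
    #    lsass/the registry, which is why a plain copy from C:\ fails. Copy-Item does
    #    not handle the \\?\GLOBALROOT prefix reliably, so cmd.exe's copy is used.
    $files = @{
        'ntds.dit' = "$root\Windows\NTDS\ntds.dit"                 # the AD database (hashes)
        'SYSTEM'   = "$root\Windows\System32\config\SYSTEM"        # hive holding the boot key
    }
    foreach ($name in $files.Keys) {
        $src  = $files[$name]
        $dest = Join-Path $OutDir $name
        cmd.exe /c copy /y "$src" "$dest" | Out-Null
        if (-not (Test-Path $dest)) { throw "Failed to copy $name from $src" }
    }
}
finally {
    # 3. Always delete the shadow copy, even if a copy failed above.
    Remove-CimInstance -InputObject $shadow
}

# 4. Restrict the output folder to the account doing the audit (drop inherited
#    ACEs such as Users:Read) and record SHA-256 hashes so the archive can be
#    verified after it is moved to the analysis host.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
icacls.exe $OutDir /inheritance:r /grant:r "${me}:(OI)(CI)F" | Out-Null
Get-ChildItem -Path $OutDir | Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path | Format-Table -AutoSize

Write-Host "Collected into $OutDir. On the analysis host, run:"
Write-Host "  secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL -outputfile hashes.txt"
```

Two practitioner notes on this. First, the transfer step is where the video's own warning matters most: move the two files over an authenticated, restricted channel and delete them (and hashes.txt) once the audit is done; a world-readable share or a lingering shadow copy hands out every domain credential. Second, the same sequence (shadow-copy creation followed by reads of ntds.dit and the SYSTEM hive) is exactly what an attacker with DA does, so an audit like this should be scheduled and announced to whoever watches the DCs, and the detection logic that fires on vssadmin or Win32_ShadowCopy usage plus ntds.dit access should stay in place rather than being tuned out for the audit. An alternative that needs no shadow copy is Microsoft's own `ntdsutil "activate instance ntds" "ifm" "create full C:\Temp\ifm" quit quit`, which writes a consistent ntds.dit and registry hives for the same secretsdump.py LOCAL invocation.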
Info
Channel: Infinite Logins
Views: 9,011
Keywords: dump, hashes, domain, controller, active, directory, password, audits, pentesting, internal, network, pentest, ethical, hacking, crack, passwords, hash, capture, capturing, cracking, file, shares, fileshares, files, windows, penetration, testing, hackers, pentesters, security, experts, computer, llmnr, local, attack, vectors, microsoft, ad, Exploit, Windows, Microsoft, Remote, Administration, Trojans, hacker, ethical hacker, penetration tester, hacks, tutorial, kali, kali linux, ethical hacking, cyber, 2020, cyber security, real hacking
Id: ChREiNw54VI
Length: 15min 12sec (912 seconds)
Published: Tue May 18 2021