Sunday, March 27, 2016

Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Dumping the AD database

The idea behind this post is to verify how the dumping of the Active Directory database (NTDS.dit) might be detected. I had done this lab before but never thought about writing it up, so this post kills two birds with one stone.

The assumption here is that I already have administrative access on the target; most of the tasks in this series need it to succeed. No "exploit" is used, because this post is not about exploitation. Most of the time it does not matter whether the latest exploit was used or not: at the end of the day, all a malicious actor wants is the key(s) to the kingdom, and on a Windows domain that is the AD database.

So here we go!
First we load up Metasploit with "msfconsole". Once Metasploit is loaded, we use the "psexec" module (exploit/windows/smb/psexec), which takes the target's address and a valid set of administrator credentials (SMBUser, SMBPass and SMBDomain) rather than exploiting a vulnerability.

Now that we have set up our "exploit", we can go ahead and set our payload. In this case we will use Meterpreter.

Once we have set everything, we can do a "show options" to check what we have. For me everything looked good.

Next up, let's "run".

Wicked awesome!! Now that we have access, let's perform a "ps" to see which process we can migrate into. This matters for me because I'm using a 32-bit Kali installation, so my Meterpreter session is 32-bit, while the target is a 64-bit Windows Server 2008 system; to work with the 64-bit system I need to migrate into a 64-bit process. The identified process is PID "2772", which is tied to "conhost.exe".

Good stuff! So we have migrated successfully.

Now that we have migrated to the process with PID 2772, let's go ahead and try to grab the AD database, using the Meterpreter post module described in the Rapid7 reference below. That module does not read the live NTDS.dit (which the DC holds locked); it creates a Volume Shadow Copy of the system drive and extracts the hashes from the copy of NTDS.dit inside the snapshot.


Nice! We can see from the last line above that the operation completed successfully.

Below shows a snapshot of the data retrieved.

OK! The NTDS.dit database has been successfully dumped, so we now have access to the data stored in it, including the password hashes of every domain account.

From what I've gathered, the Volume Shadow Copy service (VSS) is set to Manual startup on a Domain Controller, so it is normally stopped and only started on demand, for example by backup software or, as here, by tooling that wants a readable copy of NTDS.dit. That makes a service start a useful signal: the Service Control Manager writes Event ID 7036 ("The Volume Shadow Copy service entered the running state") to the System log. The caveat is that legitimate backups produce the same event, so on its own it is a cause for a closer look rather than an alarm. It becomes much stronger when correlated with process creation events (Security log Event ID 4688, which needs process creation auditing enabled, plus command-line logging to see the arguments) showing vssadmin.exe, wmic.exe, diskshadow.exe or ntdsutil.exe creating a shadow copy or touching NTDS on the DC outside the backup window.

When we perform a log analysis of the entire activity carried out during these labs, we should be able to confirm how this can be detected.
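As an added example (not code from the original post), the logic below correlates a VSS service start on a domain controller with shadow-copy or NTDS tooling launched within a short window, which is the detection idea discussed above. The event records are constructed for the lab rather than exported from a real DC; the hostnames, timestamps and the 10-minute correlation window are assumptions.

```python
"""Correlate Windows event records to flag NTDS.dit dumping via Volume Shadow Copy.

Added example, not code from the original post. It runs over constructed,
already-parsed event records (the fields a Get-WinEvent export or a SIEM
would give you), so it works offline. Event IDs used:
  7036  System log, Service Control Manager: a service changed state.
  4688  Security log: a new process was created. Requires process-creation
        auditing; the command line is only present when command-line
        logging is enabled too, so the argument check degrades gracefully.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Tools that create a shadow copy or copy NTDS.dit out of one.
SUSPECT_IMAGES = {"vssadmin.exe", "wmic.exe", "diskshadow.exe",
                  "ntdsutil.exe", "esentutl.exe"}
# Keywords that make a run of those tools interesting (wmic and esentutl
# are too common to alert on by image name alone).
SUSPECT_ARGS = ("shadow", "ntds")


@dataclass
class Event:
    time: datetime
    host: str
    event_id: int
    message: str = ""   # 7036: rendered message text
    image: str = ""     # 4688: "New Process Name"
    cmdline: str = ""   # 4688: "Process Command Line" (empty if not logged)


@dataclass
class Alert:
    host: str
    time: datetime
    severity: str
    reason: str
    related: list = field(default_factory=list)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def is_vss_start(e: Event) -> bool:
    """7036 'The Volume Shadow Copy service entered the running state.'"""
    return (e.event_id == 7036
            and "Volume Shadow Copy" in e.message
            and "entered the running state" in e.message)


def is_suspect_process(e: Event) -> bool:
    """4688 for a shadow-copy/NTDS tool with a telling command line."""
    if e.event_id != 4688:
        return False
    name = basename(e.image).lower()
    if name not in SUSPECT_IMAGES:
        return False
    if not e.cmdline:
        # No command-line logging: fall back to the rarer tools by name.
        return name in {"vssadmin.exe", "diskshadow.exe", "ntdsutil.exe"}
    return any(k in e.cmdline.lower() for k in SUSPECT_ARGS)


def detect(events, domain_controllers, window=timedelta(minutes=10)):
    """Return alerts for DC hosts, sorted by time.

    medium: VSS started on a DC with no shadow/NTDS tooling nearby
            (compare with the backup schedule before dismissing).
    high:   VSS start with such tooling inside `window`, or the tooling alone.
    """
    dc_events = sorted((e for e in events if e.host in domain_controllers),
                       key=lambda e: e.time)
    alerts, correlated = [], set()
    for e in dc_events:
        if not is_vss_start(e):
            continue
        related = [i for i, p in enumerate(dc_events)
                   if p.host == e.host and is_suspect_process(p)
                   and abs(p.time - e.time) <= window]
        correlated.update(related)
        if related:
            alerts.append(Alert(e.host, e.time, "high",
                                "VSS started on DC with shadow/NTDS tooling in window",
                                [dc_events[i] for i in related]))
        else:
            alerts.append(Alert(e.host, e.time, "medium",
                                "VSS started on DC; no tooling seen, check backup schedule"))
    # Tooling that ran without a VSS start nearby (e.g. ntdsutil IFM) is
    # still worth a high-severity alert on its own.
    for i, p in enumerate(dc_events):
        if i not in correlated and is_suspect_process(p):
            alerts.append(Alert(p.host, p.time, "high",
                                basename(p.image) + " run on DC: " + p.cmdline, [p]))
    alerts.sort(key=lambda a: a.time)
    return alerts


def _t(h, m, s=0):
    return datetime(2016, 3, 27, h, m, s)


# Constructed sample records for the lab (hostnames and times are assumed).
SAMPLE_EVENTS = [
    Event(_t(2, 0), "DC01", 7036, "The Volume Shadow Copy service entered the running state."),
    Event(_t(2, 0, 30), "DC01", 7036, "The Volume Shadow Copy service entered the stopped state."),
    Event(_t(10, 0), "DC01", 7036, "The Volume Shadow Copy service entered the running state."),
    Event(_t(10, 0, 5), "DC01", 4688, image=r"C:\Windows\System32\wbem\WMIC.exe",
          cmdline="wmic shadowcopy call create Volume='C:\\'"),
    Event(_t(10, 0), "FILE01", 7036, "The Volume Shadow Copy service entered the running state."),
    Event(_t(11, 30), "DC01", 4688, image=r"C:\Windows\System32\ntdsutil.exe",
          cmdline='ntdsutil "ac i ntds" "ifm" "create full C:\\temp\\x" q q'),
    Event(_t(12, 0), "DC01", 4688, image=r"C:\Windows\System32\wbem\WMIC.exe",
          cmdline="wmic os get caption"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS, {"DC01"}):
        print(a.time, a.host, a.severity, a.reason)
```

Run against the sample, the 02:00 VSS start (a backup-like event with no tooling) comes out medium, the 10:00 start is raised to high by the wmic shadowcopy call five seconds later, the ntdsutil run at 11:30 is high on its own, and the FILE01 event and the harmless "wmic os" call are ignored.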

See you in the other posts.

Reference:
https://community.rapid7.com/community/metasploit/blog/2015/07/01/safely-dumping-domain-hashes-with-meterpreter

Posts in this series:
Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Lab Setup
Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Dumping the AD database
Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Mimikatz
Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Exporting Certificates
Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Pass The Ticket (Golden Ticket)
Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Skeleton Key
Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Log Analysis
Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Volatility Memory Analysis
