In this post, I am aiming to learn more about Domain Password Audit Tool (DPAT).
According to DPAT's GitHub page, this tool "is a python script that will generate password use statistics from password hashes dumped from a domain controller and a password crack file such as hashcat.potfile generated from the Hashcat tool during password cracking".
Considering the above, we need to get the password hashes from the domain controller and feed them to Hashcat, or in my example John the Ripper (JTR), before we can feed the cracking output to DPAT.
Well, let's get going.
To gain access to the Windows NTDS.dit file, we will connect remotely to Windows Server 2019 via PSRemoting. PSRemoting is enabled by default on Windows Server. Alternatively, you may run "Enable-PSRemoting" in PowerShell to enable it.
From the Windows Domain Controller we can take advantage of Test-WSMan to verify PSRemoting is enabled. WSMan is short for Web Services-Management, the protocol PSRemoting runs over.
PS C:\Users\Administrator> Test-WSMan -Verbose

wsmid           : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd
ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
ProductVendor   : Microsoft Corporation
ProductVersion  : OS: 0.0.0 SP: 0.0 Stack: 3.0
That is cool but we want to access it remotely. Let's try this now from my Windows 10 device which is connected to the securitynik.local domain.
PS C:\users\SecurityNik> Test-WSMan -ComputerName secnik-2k19 -Authentication Default

wsmid           : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd
ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
ProductVendor   : Microsoft Corporation
ProductVersion  : OS: 10.0.17763 SP: 0.0 Stack: 3.0
Let's transition now to executing the "ntdsutil" command to grab a copy of the AD database. We first use the "Enter-PSSession" command to connect to the remote server. Once connected, we execute "hostname" to confirm the host we have connected to, followed by "whoami" to confirm the user.
PS C:\users\SecurityNik> Enter-PSSession -ComputerName secnik-2k19.securitynik.local -Authentication Default
[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> hostname
secnik-2k19
[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> whoami
securitynik\securitynik
Now for "ntdsutil": let's find the database instances which currently exist.
[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> ntdsutil "List Instances"
C:\Windows\system32\ntdsutil.exe: List Instances
Instance Name:         NTDS
LDAP Port:             389
SSL Port:              636
Install folder:        C:\Windows\NTDS
Database file:         C:\Windows\NTDS\ntds.dit
Log folder:            C:\Windows\NTDS
NTDS Mode :            Active Directory Domain Controller Mode
C:\Windows\system32\ntdsutil.exe:
[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents>
Let's now activate the "NTDS" instance.
[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> ntdsutil "Activate Instance NTDS"
C:\Windows\system32\ntdsutil.exe: Activate Instance NTDS
Active instance set to "NTDS".
C:\Windows\system32\ntdsutil.exe:
Next up, extend the previous command with the "ifm" command to create a full Install From Media (IFM) set of the NTDS instance and save it in the folder "c:\tmp" on the secnik-2k19 server.
[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> ntdsutil "Activate Instance NTDS" "ifm" "create full c:\tmp"
C:\Windows\system32\ntdsutil.exe: Activate Instance NTDS
Active instance set to "NTDS".
C:\Windows\system32\ntdsutil.exe: ifm
ifm: create full c:\tmp
Creating snapshot...
Snapshot set {57102033-942a-43ef-841b-4b975fbe0c53} generated successfully.
Snapshot {cfb56d3b-7c27-4176-a6e4-e5b75610916c} mounted as C:\$SNAP_202008031318_VOLUMEC$\
Snapshot {cfb56d3b-7c27-4176-a6e4-e5b75610916c} is already mounted.
Initiating DEFRAGMENTATION mode...
     Source Database: C:\$SNAP_202008031318_VOLUMEC$\Windows\NTDS\ntds.dit
     Target Database: c:\tmp\Active Directory\ntds.dit

                  Defragmentation  Status (omplete)

          0    10   20   30   40   50   60   70   80   90  100
          |----|----|----|----|----|----|----|----|----|----|
          ...................................................

Copying registry files...
Copying c:\tmp\registry\SYSTEM
Copying c:\tmp\registry\SECURITY
Snapshot {cfb56d3b-7c27-4176-a6e4-e5b75610916c} unmounted.
IFM media created successfully in c:\tmp
ifm:
C:\Windows\system32\ntdsutil.exe:
Let's now confirm the contents of the "c:\tmp" directory.
[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> dir C:\tmp\

    Directory: C:\tmp

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         8/3/2020   1:18 PM                Active Directory
d-----         8/3/2020   1:18 PM                registry
Nice, we got two folders. Let's now compress these into one archive file using PowerShell's "Compress-Archive" cmdlet.
[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> Compress-Archive -Path c:\tmp\* -DestinationPath c:\tmp\ntds.zip -CompressionLevel Fastest -Force -Verbose
VERBOSE: Preparing to compress...
VERBOSE: Performing the operation "Compress-Archive" on target " C:\tmp\Active Directory C:\tmp\registry".
VERBOSE: Adding 'C:\tmp\Active Directory\ntds.dit'.
VERBOSE: Adding 'C:\tmp\Active Directory\ntds.jfm'.
VERBOSE: Adding 'C:\tmp\registry\SECURITY'.
VERBOSE: Adding 'C:\tmp\registry\SYSTEM'.

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         8/3/2020   1:18 PM                Active Directory
d-----         8/3/2020   1:18 PM                registry
Confirming the file was successfully created.
[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> dir C:\tmp\ntds.zip

    Directory: C:\tmp

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         8/3/2020   1:25 PM        5497917 ntds.zip
To get the "ntds.zip" file off the system, let's use the "net use" command to map a drive and copy the file. As we map the drive, we see this is reported as completed successfully.
D:\TOOLS>net use M: \\10.0.0.20\C$ /user:securitynik@securitynik.local
Enter the password for 'securitynik@securitynik.local' to connect to '10.0.0.20':
The command completed successfully.
We can further confirm this by executing "net use" once again, without any additional arguments.
D:\TOOLS>net use
New connections will not be remembered.

Status       Local     Remote                    Network
-------------------------------------------------------------------------------
OK           M:        \\10.0.0.20\C$            Microsoft Windows Network
The command completed successfully.
Let's now copy the "ntds.zip" file onto our local system and confirm its existence.
D:\TOOLS>copy M:\tmp\ntds.zip .
        1 file(s) copied.

D:\TOOLS>dir ntds.zip
 Volume in drive D is Tools
 Volume Serial Number is F617-3FDD

 Directory of D:\TOOLS

2020-08-03  04:25 PM         5,497,917 ntds.zip
               1 File(s)      5,497,917 bytes
               0 Dir(s)  108,181,012,480 bytes free
Good stuff!! At this point, we have access to the "ntds.dit" file which holds the AD credentials.
Let's now move on to unzipping the "ntds.zip" file with the ultimate aim of obtaining the hashes. To make this task easier, let's leverage the Impacket suite of Python scripts.
kali@securitynik:~$ unzip ntds.zip -d ntds
Archive:  ntds.zip
warning:  ntds.zip appears to use backslashes as path separators
  inflating: ntds/Active Directory/ntds.dit
  inflating: ntds/Active Directory/ntds.jfm
  inflating: ntds/registry/SECURITY
  inflating: ntds/registry/SYSTEM
After extraction, Impacket to the rescue.
kali@securitynik:~/ntds$ ~/impacket/examples/secretsdump.py -system registry/SYSTEM -ntds Active\ Directory/ntds.dit LOCAL -outputfile ntds.hashes -history
kali@securitynik:~/ntds$ cat ntds.hashes
Impacket v0.9.22.dev1+20200728.230151.48a3124c - Copyright 2020 SecureAuth Corporation

[*] Target system bootKey: 0xd246c7f512f50bc6444d77d31b34ba98
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 21eb5b3777772c58c5e1bd65ad66e76b
[*] Reading and decrypting hashes from Active Directory/ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:23e1d10001876b0078a9a779017fc026:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SECNIK-2K19$:1000:aad3b435b51404eeaad3b435b51404ee:b7b7c33ea8994be1ebd4f47202c3a9b6:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:46ab1a2346b3ac6693d72b17691d5f77:::
securitynik.local\nik:1103:aad3b435b51404eeaad3b435b51404ee:23e1d10001876b0078a9a779017fc026:::
securitynik.local\nakia:1104:aad3b435b51404eeaad3b435b51404ee:23e1d10001876b0078a9a779017fc026:::
... <TRUNCATED FOR BREVITY> ...
securitynik.local\securitynik:des-cbc-md5:32450b15e026d6e9
SECURITYNIK-WIN$:aes256-cts-hmac-sha1-96:1e67390661aeb7fe7e7006a1002e98d8b1d9b67239a67c2d2de9e3ec85215632
SECURITYNIK-WIN$:aes128-cts-hmac-sha1-96:33e9b147797864ca6e5a8c94ebece17d
SECURITYNIK-WIN$:des-cbc-md5:613d9e34a468e343
[*] Cleaning up...
Among the files the above creates is "ntds.hashes.ntds". This file of hashes can now be provided to our cracking tool of choice. I will use John the Ripper; however, do note that DPAT also supports Hashcat.
kali@securitynik:~/ntds$ sudo john ntds.hashes.ntds --format=nt
Using default input encoding: UTF-8
Loaded 26 password hashes with no different salts (NT [MD4 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=2
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Warning: Only 4 candidates buffered for the current salt, minimum 24 needed for performance.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
                 (Guest)
Testing1         (Administrator)
Testing1         (securitynik.local\nik)
Testing1         (securitynik.local\nakia)
Testing1         (securitynik.local\neysa)
Testing1         (securitynik.local\saadia)
Testing1         (securitynik.local\admin)
Testing1         (securitynik.local\securitynik)
Proceeding with incremental:ASCII
....
Upon executing "./dpat.py" with the relevant arguments, we get:
kali@securitynik:~/DPAT$ sudo ./dpat.py --ntdsfile ../ntds/ntds.hashes.ntds --crackfile john.pot
The Report has been written to the "_DomainPasswordAuditReport.html" file in the "DPAT Report" directory
Would you like to open the report now? [Y/n]N
I selected "N" as I wanted to see what is in the "DPAT Report" directory. Below we see the contents which were available for my system.
kali@securitynik:~/DPAT/DPAT Report$ ls
0length_usernames.html  3reuse_usernames.html            password_history.html       top_password_stats.html
0reuse_usernames.html   4reuse_usernames.html            password_length_stats.html  users_only_cracked_through_lm.html
1reuse_usernames.html  'all hashes.html'                 password_reuse_stats.html
2reuse_usernames.html   _DomainPasswordAuditReport.html  report.css
Time to use Firefox to look at the "_DomainPasswordAuditReport.html" file.
kali@securitynik:~/DPAT/DPAT Report$ firefox _DomainPasswordAuditReport.html &
Above, we see the summary information.
Similarly, we can get information on top password use stats, etc. Feel free to click the "Details" to learn more.
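To see what those report files are computed from, here is an added example (not part of this post and not DPAT's own code) that joins the two inputs DPAT takes, the secretsdump "ntds" file and John's potfile, and derives the same headline figures: cracked count, accounts sharing a password, empty passwords, stored LM hashes and cracked-length distribution. The sample lines are constructed for this example; the hash values are made up except the two well-known empty-password hashes, and password-history entries (from secretsdump's -history) are excluded so they do not inflate the reuse numbers.

```python
from collections import Counter, defaultdict
# Constructed sample input in the two formats this post feeds to DPAT: secretsdump's
# "domain\user:rid:lmhash:nthash:::" lines (with a -history entry and a Kerberos key line)
# and John's potfile ("$NT$<hash>:<password>"). Hex values are made up except the two empty hashes.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash when no LM password is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password
NTDS_LINES = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
securitynik.local\\nik:1103:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
securitynik.local\\nik_history0:1103:aad3b435b51404eeaad3b435b51404ee:44444444444444444444444444444444:::
securitynik.local\\nakia:1104:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
securitynik.local\\legacy:1105:ffffffffffffffffffffffffffffffff:55555555555555555555555555555555:::
SECNIK-2K19$:aes256-cts-hmac-sha1-96:6666666666666666666666666666666666666666666666666666666666666666
"""
POT_LINES = """\
$NT$11111111111111111111111111111111:Testing1
$NT$31d6cfe0d16ae931b73c59d7e0c089c0:
$NT$55555555555555555555555555555555:Summer2020
"""
def parse_ntds(text):
    """Yield (account, rid, lmhash, nthash); Kerberos key lines have another layout and are skipped."""
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 7 and len(parts[3]) == 32:
            yield parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()

def parse_pot(text):
    """Map NT hash -> cracked password, with or without John's $NT$ tag."""
    cracked = {}
    for line in filter(None, text.splitlines()):
        h, _, pw = line.partition(":")
        cracked[(h[4:] if h.startswith("$NT$") else h).lower()] = pw
    return cracked

def audit(ntds_text, pot_text):
    """Compute the headline numbers a DPAT report shows, from the two raw files."""
    cracked = parse_pot(pot_text)
    current = [a for a in parse_ntds(ntds_text) if "_history" not in a[0]]  # drop history rows
    by_hash = defaultdict(list)
    for name, _, _, nt in current:
        by_hash[nt].append(name)
    return {
        "total": len(current),
        "cracked": sum(nt in cracked for *_, nt in current),
        "empty_nt": [n for n, _, _, nt in current if nt == EMPTY_NT],
        "lm_stored": [n for n, _, lm, _ in current if lm != EMPTY_LM],
        "reuse": {nt: names for nt, names in by_hash.items() if len(names) > 1},
        "length_counts": dict(Counter(len(cracked[nt]) for *_, nt in current if nt in cracked)),
    }
```

Accounts that share one NT hash share one password, which is why the reuse figure can be computed without cracking anything.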
Alternative way of getting passwords with VSSADMIN
We achieved our objective above. However, an alternate way of getting the credentials is via the Volume Shadow Copy Service (VSS). This is how tools such as Metasploit dump the Active Directory hashes.
PS C:\Tools> Enter-PSSession -ComputerName secnik-2k19.securitynik.local -Authentication Default
[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents>
Let's first use "vssadmin" to see if any shadow copies currently exist.
[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> vssadmin list shadows
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

No items found that satisfy the query.
Next, let's list the volumes.
[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> vssadmin list volumes
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Volume path: \\?\Volume{fd091226-0000-0000-0000-100000000000}\
    Volume name: \\?\Volume{fd091226-0000-0000-0000-100000000000}\
Volume path: C:\
Taking a peek at the providers.
[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> vssadmin list providers
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Provider name: 'Microsoft File Share Shadow Copy provider'
   Provider type: Fileshare
   Provider Id: {89300202-3cec-4981-9171-19f59559e0f2}
   Version: 1.0.0.1

Provider name: 'Microsoft Software Shadow Copy provider 1.0'
   Provider type: System
   Provider Id: {b5946137-7b9f-4925-af80-51abd60b20d5}
   Version: 1.0.0.7
At this point no copies exist that we can take advantage of. Guess we have to create our own.
Let's check the status of the "VSS" service.
[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> Get-Service VSS

Status   Name               DisplayName
------   ----               -----------
Stopped  VSS                Volume Shadow Copy
We now have to start the "VSS" service, after which we verify it is running.
[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> Start-Service vss
[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> Get-Service VSS

Status   Name               DisplayName
------   ----               -----------
Running  VSS                Volume Shadow Copy
Now that the service is running, let's create a shadow copy.
[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> vssadmin create shadow /for=C:
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Successfully created shadow copy for 'C:\'
    Shadow Copy ID: {d93157d0-53e5-4f1b-b378-dc10ed0fb468}
    Shadow Copy Volume Name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
Above, we see this is successful. Additionally, we can confirm this copy exists by listing the shadows as was done above.
[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> vssadmin list shadows
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {80bcd232-f7b0-4378-884d-8344436a3bd8}
   Contained 1 shadow copies at creation time: 8/6/2020 8:27:56 PM
      Shadow Copy ID: {d93157d0-53e5-4f1b-b378-dc10ed0fb468}
         Original Volume: (C:)\\?\Volume{fd091226-0000-0000-0000-602200000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
         Originating Machine: secnik-2k19.securitynik.local
         Service Machine: secnik-2k19.securitynik.local
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessible
         Attributes: Persistent, Client-accessible, No auto release, No writers, Differential
Now let's access the NTDS.dit file on the shadow copy by copying it to the "c:\tmp" folder.
[secnik-2k19.securitynik.local]: PS C:\tmp> cmd.exe /c "copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\NTDS\ntds.dit c:\tmp\ntds.dit"
        1 file(s) copied.
[secnik-2k19.securitynik.local]: PS C:\tmp> dir c:\tmp\

    Directory: C:\tmp

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         8/3/2020   1:18 PM                Active Directory
d-----         8/3/2020   1:18 PM                registry
-a----         8/3/2020   1:04 PM       18874368 ntds.dit
-a----         8/3/2020   1:25 PM        5497917 ntds.zip
Now that the file is in the "c:\tmp" directory, we can process it as we did above. Before closing off, let's stop the VSS service.
[secnik-2k19.securitynik.local]: PS C:\tmp> Stop-Service vss
[secnik-2k19.securitynik.local]: PS C:\tmp> Get-Service vss

Status   Name               DisplayName
------   ----               -----------
Stopped  vss                Volume Shadow Copy
Let's now delete the shadow copy we created and verify no shadow copies exist.
[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> vssadmin delete shadows /for=C: /quiet
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> vssadmin list shadows
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

No items found that satisfy the query.
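Both collection paths in this post (ntdsutil IFM export, and a shadow copy followed by a copy of ntds.dit out of it) leave distinctive command lines in process-creation telemetry. As an added example, not from this post and not a DPAT feature, the following Python pass flags those steps in constructed process-creation records and groups them per host and user; the record field names are this example's own, and the wsmprovhost.exe check relies on that process hosting remote PowerShell sessions.

```python
import re

# Constructed process-creation records in the shape a Windows 4688 or Sysmon Event ID 1
# event provides, replaying the commands from this post plus benign noise. Nothing here
# is a real log; the field names are this example's own.
SAMPLE_EVENTS = [
    {"host": "secnik-2k19", "user": "securitynik", "parent": "wsmprovhost.exe",
     "cmd": 'ntdsutil "Activate Instance NTDS" "ifm" "create full c:\\tmp"'},
    {"host": "secnik-2k19", "user": "securitynik", "parent": "wsmprovhost.exe",
     "cmd": "vssadmin create shadow /for=C:"},
    {"host": "secnik-2k19", "user": "securitynik", "parent": "wsmprovhost.exe",
     "cmd": 'cmd.exe /c "copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy3'
            '\\Windows\\NTDS\\ntds.dit c:\\tmp\\ntds.dit"'},
    {"host": "secnik-2k19", "user": "SYSTEM", "parent": "services.exe",
     "cmd": "vssadmin list shadows"},  # read-only query, must not alert
    {"host": "win10-01", "user": "nik", "parent": "explorer.exe",
     "cmd": "notepad.exe notes.txt"},
]

# Each rule covers one step of the two NTDS.dit collection paths shown in this post.
RULES = [
    ("ntdsutil IFM export", re.compile(r"\bntdsutil\b.*\bifm\b.*\bcreate\s+(full|sysvol)\b", re.I)),
    ("shadow copy created", re.compile(r"\bvssadmin\b.*\bcreate\s+shadow\b", re.I)),
    ("ntds.dit read from shadow copy", re.compile(r"HarddiskVolumeShadowCopy\d+.*\bntds\.dit\b", re.I)),
]

def match_events(events):
    """Return one alert per (event, rule) match, noting when the process was spawned from
    a remote PowerShell session (wsmprovhost.exe hosts WinRM/PSRemoting commands)."""
    alerts = []
    for ev in events:
        for name, rx in RULES:
            if rx.search(ev["cmd"]):
                alerts.append({"rule": name, "host": ev["host"], "user": ev["user"],
                               "via_psremoting": ev["parent"].lower() == "wsmprovhost.exe"})
    return alerts

def correlate(alerts):
    """Group the rules hit by each (host, user); several steps by one actor in one
    session is the footprint this post's walkthrough leaves behind."""
    by_actor = {}
    for a in alerts:
        by_actor.setdefault((a["host"], a["user"]), set()).add(a["rule"])
    return by_actor
```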
Well that's it for this post.