Post-Exploitation in Windows: From Local Admin To Domain Admin (efficiently)
来源:互联网 发布:阿里云共享计算型主机 编辑:程序博客网 时间:2024/06/11 23:26
There are some excellent tools and techniques available to pentesters trying to convert their local admin rights into domain admin rights. This page seeks to provide a reminder of some of the most common and useful techniques as well as rating their effectiveness to suggest which ones to try first.
The premise of all the techniques is to obtain access to as many domain accounts as possible using the credentials stored on the domain member you’ve compromised.
Tools are briefly discussed for each technique. This page is really about the techniques, though, not the tools. While tools will change, I suspect these techniques will be with us for some considerable time yet.
I’ve tried to rate each technique in order of how much effort it is for the pentester. Some technqiues give almost instant results and are therefore worth trying first. Others require password cracking and are a last resort really if nothing else works.
Very Quick: Duplicate Access Tokens (Incognito)
Incognito, either as a standalone tool, or viametasploit’s meterpreter will scan through all the running processes on the box and list you the delegation tokens it finds. Without doing any analysis yourself you can try creating a domain admin account with each token. If it succeeds without any effort on your part, so much the better.
If you don’t succeed in getting a domain admin account straight away, you may still be able to abuse the privileges of a normal domain user (e.g. to list domain accounts and group memberships). Perhaps try the techniques below before trying too hard…
Quick: Dump LSA Secrets (lsadump)
If any Windows services are running under a domain account, then the passwords for those accounts must be stored locally in a reversible format. LSAdump2,LSASecretsDump, pwdumpx, gsecdump or Cain & Abel can recover these.
You might have to stare at the output of lsadump and the list of services in services.msc before you can correlate the two. Once you do, you have a list of domain accounts and cleartext passwords.
Investigate your new found accounts and see if you’re domain admin yet.
Quick: Dump SAM-Style Hashes for Access Tokens (WCE)
Windows Credentials Editor (a more mature version of the now obsolete Pass The Hash Toolkit) recovers the SAM-style password hash for each process from LSASS – including domain accounts. Initially, this has a similar effect to Incognito. But has a couple of advantages:
- You can authenticate using the hash long after the corresponding process has terminated or the system has been rebooted. Tools like smbshell andmetasploit’s psexec allow you to authenticate using a password hash instead of a password.
- You can try the password hash in conjunction with a different username (or all usernames) usingkeimpx, or similar. You’re hoping for password reuse at this stage.
Gsecdump is an alternative tool for obtaining password hashes for running processes.
Quick: Dump SAM, Spray Hashes
Dumping the password hashes from the local SAM using fgdump, pwdump7, Cain & Abel, etc. won’t necessarily get you a domain account, but if one of the local passwords is the same as one of the domain passwords, you might be in luck. Keimpx will help you try the hashes again the domain accounts.
Careful not to lock the domain accounts out, though!
It’s probably worth spraying the hashes against the local accounts on other systems. If you fail to get domain admin, you might get local admin on every other system if the local admin passwords are the same. You can then rinse and repeat the techniques on this page until you get your domain admin account.
Slow: Cracking SAM-Style Password Hashes Crack Passwords
If you’ve already tried authenticating using the hashes you’ve collected and you’ve tried hashes against other accounts, there’s probably little value in cracking the passwords. John the Ripper,Cain & Abel and ophcrack are just a few of the password crackers available.
You might find a pattern in the passwords used. Possibly crack hashes from the password history too.
Another reason to crack passwords is if you’re targeting a service that insists on you knowing the password – e.g. Terminal Services.
It’s starting to feel like a longshot now…
Very Slow: Dump Cached Domain Logons, Crack
If the domain member has cached domain logons, you might be able to recover passwords from the corresponding hashes (e.g. using fgdump, pwdumpx, cachedump,meterpreter). However, hashes are salted and they’re case sensitive. If there’s a reasonable password policy, you’re going to need some luck.
You can’t use these hashes without cracking them – unlike the SAM-style hashes.
Other Techniques
There are of course other many other techniques you could try. Some are more open-ended or less likely to succeed in the general case. Here are a few ideas:
- Trawling the filesystem looking for passwords. Unattend.txt might have an admin password in it if present. You can probably recover the SAM from .vhd files. Other backup files may also yield passwords.
- Trawling the registry. Credentials such as VNC password and SNMP community string can be recovered. They might be useful on your quest for domain admin.
- Protected Storage. This might yield passwords that are reused elsewhere.
- Post-Exploitation in Windows: From Local Admin To Domain Admin (efficiently)
- Post-Exploitation in Windows: From Local Admin To Domain Admin (efficiently)
- How to reset the Domain Admin Password under Windows Server 2003
- 5-ways-to-find-systems-running-domain-admin-processes
- Admin
- admin
- admin
- Failed to load admin-sidebar.xml file from Openfire classes
- How to access Tomcat 8 admin gui from different host?
- Sign Database in admin
- Locked Out from Magento admin?
- How to Hack Windows Admin Passwords (Pdf File)
- Finding Local Admin with the Veil-Framework
- MongoDB管理:慎用local、admin数据库
- MongoDB管理:慎用local、admin数据库
- Create admin user in OpenNebula
- Unable to post the review. &&The user specified as a definer ('admin'@'localhost') does not exist
- How To: Remove Orphaned Web Application Pool Objects from Central Admin
- 一个轻量级的JS框架 Liger UI框架
- rygel和gstreamer调用插件的问题
- java修炼层次
- 使用commons-fileupload-1.2.2.jar插件文件上传
- 15家估值过亿美元的新兴创业公司
- Post-Exploitation in Windows: From Local Admin To Domain Admin (efficiently)
- C语言实现getline()
- U盘离线安装fedora15(参考各种方法)个人尝试可行~~~~
- MyEclipse 更新后返回上一个版本(恢复删除文件功能)
- linux下C编程风格点滴
- Quartz 在 Spring 中如何动态配置时间
- 如何将VS2010的代码提示从英文变成中文
- sql server性能分析--索引使用效率评估
- SQL Server 2008中SQL之WaitFor