Monday, May 28, 2018

Cracking domain password hashes

I don't do a lot of red-teaming, but when I do, I try to tread lightly. This is for two reasons; I'm lazy, I don't like getting phoned up by irate admins if a DC goes down.

I tend to use ntdsutil to dump hashes as soon as I get domain admin, as described here: https://www.vmadmin.co.uk/microsoft/43-winserver2008/171-svr08adddsifm 

This is a Microsoft tool and I've never had it break a DC, where as I have seen some of the other methods take down a domain controller.

At this point, you have a zip file and exfiltrate the data to your laptop.

Using impacket's secretsdump tool, you can then extract the users:


python impacket/examples/secretsdump.py -system Temp\SYSTEM  -ntds Temp\ntds.dit LOCAL -outputfile ifm.ntds


Use -user-status if you want to only show active accounts, and then grep for these.

Grab the allcase.rule file from here: http://www.blacktraffic.co.uk/pw-dict-public/allcase.rule

You may be lucky and find that some of the LM hashes are present, which makes your job that much easier.

Crack the LM hashes first with the following - to try all 7 letter combinations.

hashcat64.exe -m 3000 ifm.ntds -a3 ?a?a?a?a?a?a?a

Then take the output you've got from this and feed it into your NTLM crack as a crib, because we know the NTLM password will be the same but with different case.

hashcat64.exe -m 1000 -a0 ifm.ntds lmoutput.txt -r allcase.rule

Now, you can go ahead and do the normal cracking - grab dictionaries here if you want:

Dicts: http://www.blacktraffic.co.uk/pw-dict-public/dict/
Rules: https://raw.githubusercontent.com/NSAKEY/nsa-rules/master/_NSAKEY.v2.dive.rule 

hashcat64.exe -m 1000 -a0 ifm.ntds Top258Million.txt -r nsav2dive.rule

Of course, you might want to tweak this depending on the password policy.

No comments:

Post a Comment