Using Domain Controller Account Passwords To HashDump Domains


Since I follow both Carlos Perez and Benjamin Delpy on Twitter, something caught my eye on August 2nd, soon after Benjamin Delpy drops DCSync:

And then later on August 28th, again about the DC$ account (Domain Controller computer account):

Because DCSync is calling on “sync” based APIs of Active Directory, that are, by default, used only by Domain Controllers, all Domain Controller computer accounts would have the ability to do this as well as the Domain/Enterprise Admins.

Anyone who’s ever administered an Active Directory, knows that computer accounts change their passwords automatically. How often do they change them?

“Machine account passwords are regularly changed for security purposes. By default, on Windows NT-based computers, the machine account password automatically changes every seven days. Starting with Windows 2000-based computers, the machine account password automatically changes every 30 days.”

PSSSST!! That article is about how to DISABLE automatic password changing


Alright. So, I’m not going to go into “how” to get the hashes for a computer account, but if you’ve ever dumped passwords before, the computer accounts are the ones with the “$” on the end. Find the ones that are domain controllers, match up the hashes, and use Impacket’s to your heart’s content. (Or until the password changes for that DC, then you use another one to dump it again, oh, did I not mention that computers don’t change their passwords all at the same time in that 30 day window?)

Remember, Domain Controller’s don’t have a lot of other permissions, so you need to use the “-just-dc” option in SecretsDump in order for it to just do the domain dump:

python -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 -just-dc LAB/DC2k8_1\$@

Impacket v0.9.14-dev - Copyright 2002-2015 Core Security Technologies

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets

Happy #HackersDay