There are some excellent tools and techniques available to pentesters trying to convert their local admin rights into domain admin rights. \u00a0This page seeks to provide a reminder of some of the most common and useful techniques as well as rating their effectiveness to suggest which ones to try first.<\/p>\n
The premise of all the techniques is to obtain access to as many domain accounts as possible using the credentials stored on the domain member you’ve compromised.<\/p>\n
Tools are briefly discussed for each technique. \u00a0This page is really about the techniques, though, not the tools. \u00a0While tools will change, I suspect these techniques will be with us for some considerable time yet.<\/p>\n
I’ve tried to rate each technique in order of how much effort it is for the pentester. \u00a0Some technqiues give almost instant results and are therefore worth trying first. \u00a0Others require password cracking and are a last resort really if nothing else works.<\/p>\n
Incognito<\/a>, either as a standalone tool, or via metasploit’s meterpreter<\/a> will scan through all the running processes on the box and list you the delegation tokens it finds. \u00a0Without doing any analysis yourself you can try creating a domain admin account with each token. \u00a0If it succeeds without any effort on your part, so much the better.<\/p>\n If you don’t succeed in getting a domain admin account straight away, you may still be able to abuse the privileges of a normal domain user (e.g. to list domain accounts and group memberships). \u00a0Perhaps try the techniques below before trying too hard…<\/p>\n If any Windows services are running under a domain account, then the passwords for those accounts must be stored locally in a reversible format. \u00a0LSAdump2<\/a>, LSASecretsDump<\/a>, pwdumpx<\/a>, gsecdump or Cain & Abel<\/a> can recover these.<\/p>\n You might have to stare at the output of lsadump and the list of services in<\/p>\n After you’ve correlated plain text passwords from the “_SC_<service name>” sections of LSAdump with the domain usernames from services.msc using the short “service name”, you should a list of domain accounts and cleartext passwords.<\/p>\n Investigate your new found accounts and see if you’re domain admin yet.<\/p>\n Windows Credentials Editor<\/a>\u00a0(a more mature version of the now\u00a0obsolete\u00a0Pass The Hash Toolkit<\/a>) recovers the SAM-style password hash for each\u00a0process\u00a0from LSASS – including domain accounts. \u00a0Initially, this has a similar effect to Incognito. \u00a0But has a couple of advantages:<\/p>\n Gsecdump is an alternative tool for obtaining password hashes for running processes.<\/p>\n If SAM-style hashes aren’t sufficient for some reason, WCE can also steal kerberos tickets<\/a>\u00a0(PDF link)\u00a0– e.g. to authenticate to unix systems. \u00a0Pass-the-ticket as opposed to pass-the-hash.<\/p>\n Dumping the password hashes from the local SAM using fgdump<\/a>, pwdump7<\/a>,\u00a0Cain & Abel<\/a>, etc. won’t necessarily get you a domain account, but if one of the local passwords is the same as one of the domain passwords, you might be in luck. \u00a0Keimpx<\/a>\u00a0will help you try the hashes again the domain accounts.<\/p>\n Careful not to lock the domain accounts out, though!<\/p>\n It’s probably worth spraying the hashes against the local accounts on other systems. \u00a0If you fail to get domain admin, you might get local admin on every other system if the local admin passwords are the same. \u00a0You can then rinse and repeat the techniques on this page until you get your domain admin account.<\/p>\n If you’ve already tried authenticating using the hashes you’ve collected and you’ve tried hashes against other accounts, there’s probably little value in cracking the passwords. \u00a0John the Ripper<\/a>, Cain & Abel<\/a>\u00a0and\u00a0ophcrack<\/a>\u00a0are just a few of the password crackers available.<\/p>\n You might find a pattern in the passwords used. \u00a0Possibly crack hashes from the password history too.<\/p>\n Another reason to crack passwords is if you’re\u00a0targeting\u00a0a service that insists on you\u00a0knowing\u00a0the password – e.g. Terminal Services.<\/p>\n It’s starting to feel like a longshot now…<\/p>\n If the domain member has cached domain logons, you might be able to recover passwords from the corresponding hashes (e.g. using \u00a0fgdump<\/a>,\u00a0pwdumpx<\/a>,\u00a0cachedump<\/a>, meterpreter<\/a>). \u00a0However, hashes are salted and they’re case\u00a0sensitive. \u00a0If there’s a reasonable password policy, you’re going to need some luck.<\/p>\n You can’t use these hashes without cracking them – unlike the SAM-style hashes.<\/p>\n There are of course other many other techniques you could try. \u00a0Some are more open-ended or less likely to succeed in the general case. \u00a0Here are a few ideas:<\/p>\nQuick: Dump LSA Secrets (lsadump)<\/h3>\n
Quick: Dump SAM-Style Hashes for Access Tokens (WCE)<\/h3>\n
\n
Quick: Dump SAM, Spray Hashes<\/h3>\n
Slow: Cracking SAM-Style Password Hashes Crack Passwords<\/h3>\n
Very Slow: Dump Cached Domain Logons, Crack<\/h3>\n
Other Techniques<\/h3>\n