psexec_command: Not Your Daddy’s Psexec

Recently I was on a penetration test where I was able to create a domain account and escalate it to the level of Enterprise Admin within the organization. My normal approach is to dump the hashes from the domain controller in case my account is identified and disabled. I can usually complete the task within a few minutes using smbexec's Domain Controller hash-grab function. In this specific instance they had disabled the Volume Shadow Copy service (VSS) and RDP. Knowing that the level of access I already had would allow me to start the service, I quickly fired up the Metasploit Framework to use the psexec_command module.

The psexec_command module allows a user with valid credentials to run commands against a system, much like the Sysinternals PsExec tool. The following is how I used the module to start the service, obtain the ntds.dit file and the SYSTEM hive from the domain controller, and put the system back the way I found it, using only the psexec_command module.

This screenshot shows my test Windows 2003 domain controller with the VSS service disabled. At this point any attempt to create a volume shadow copy fails; even vssadmin cannot list or create shadow copies, because it depends on the service.

[screenshot: blog-01]

You can test this using psexec_command with the ‘vssadmin list shadows’ command. As the output below shows, the service is in fact disabled.

[screenshot: blog-02]

It takes a couple of commands to get the service started and ready to create a volume shadow copy. The first thing you'll want to do is change the service's startup type (a service cannot be started while it is set to Disabled); then you can start the service.

[screenshot: blog-03]

[screenshot: blog-04]

The Volume Shadow Copy service is now running and ready for looting.

[screenshot: blog-05]

At this point you have a few options. I tend to use smbexec's hash-grab function; I am comfortable with the tool, and biased, simply because I wrote it. However, there is another awesome module, also written by r3dy, called ntds_grab. It hasn't officially made it into the framework yet, but I don't think it will be long before it does.

The great thing is that if you don't have access to either of these tools, you can do it right from the psexec_command module itself, as illustrated below.

First, issue the command to create the volume shadow copy for the drive that contains the ntds.dit file. This is most commonly C:\Windows\NTDS\, but I have seen it on many different drives and directories. The easiest way to find it is to mount a share and look for the NTDS directory; the authoritative location is the 'DSA Database file' value under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters, which you can read with reg query.

[screenshot: blog-06]

With your volume shadow copy created, you now need to obtain the ntds.dit file from it. This is easily done with the built-in Windows ‘copy’ command, copying the file to a destination of your choosing on the remote system. Take the value of ‘Shadow Copy Volume Name’ from the vssadmin output and append the path to the ntds.dit file. In our example that gives the following:

\\?\GLOBALROOT\Device\HardDiskVolumeShadowCopy5\Windows\NTDS\ntds.dit

Also take note of the ‘Shadow Copy ID’, as we will use it later to remove the shadow copy we created when we restore the Domain Controller to the state we found it in.

The following command saves a copy of this file to the C:\Windows\Temp directory. Note the extra backslashes: msfconsole's command-line parser consumes a single backslash as an escape character, so each one must be doubled for the intended path to reach the Domain Controller intact.

[screenshot: blog-07]

To obtain the hashes from the ntds.dit database you also need the SYSTEM registry hive, which holds the boot key used to decrypt them; it can be saved with the native Windows program reg.exe. The command below saves a copy of the SYSTEM hive to the Windows Temp directory as a file called sys.

[screenshot: blog-08]

We can now map a drive to the C$ share from our system and copy the files to our local machine. It is imperative that you delete these files from the Domain Controller after you have copied them locally. At this point tools such as libesedb and NTDSXtract will make quick work of extracting the Active Directory hashes.

Now it is time to set everything back the way we found it. It is important that an initial examination of the Domain Controller does not reveal the tasks we completed. This will not hold up under deeper scrutiny (the Service Control Manager records startup-type and state changes in the System event log, and psexec-style execution installs a service of its own), but I feel it is extremely important, as most individuals will simply look at how things “appear” on the surface.

The following screenshots show how to delete the volume shadow copy created during the process, stop the VSS service, and set it back to the Disabled startup type.

[screenshot: blog-09]

[screenshot: blog-10]

[screenshot: blog-11]

At this point we’ve looted the keys to the kingdom, all via native Windows commands run through the psexec_command module. Now it’s time to have fun cracking the passwords and leveraging the other accounts you’ve pilfered.

To make the setup and teardown quicker and easier, I’ve created two resource files that can be leveraged:

vss-start.rc

vss-stop.rc

Happy Hunting!

2 Comments

  1. Dumping Windows Credentials | Securus Global Blog (December 20, 2013, 3:53 am)

    […] that you could also use the Windows built-in tool vssadmin (as in this howto), however vssadmin will not get you a “consistent” snapshot whereas ntdsutil is the correct […]

  2. brav0hax (January 11, 2013, 7:49 am)

    In a reply to a Reddit post, here are screenshots of this same technique against a Win2K12 server.

    Please note there are plenty of ways to stop this, but we rarely see them implemented, even when we plead with our customers to do it!

    https://www.box.com/s/bnk1awc2kqw0k677uycf
