Attacks to Windows Domains
Attacking windows can be easy if we consider the huge amount of tools available on the internet, but also that a knowledge of Domain structure is required for successfully compromise the victims.
A good PDF to find information about hash dumping and cracking is here
Scanning
The scanning part starts with nmap as usual but needs the help of other tools too. For this task we want to draw the Diagram of the Domains.
* according to what i saw in the past, when you have 1C and not a MSBROWSE then it means I dont have anything under that computer in the tree.
Dumping Passwords
PassCracking
Bernardo Damele's blog writes good stuff about dumping the SAM file. However, I want to report a list of tools that I used in the past:
DTH
A good PDF to find information about hash dumping and cracking is here
Scanning
The scanning part starts with nmap as usual but needs the help of other tools too. For this task we want to draw the Diagram of the Domains.
- nmap
- --scritpt smb-os-discovery look for the FQDN to build the tree of the domains
- --scritpt ldap-rootdse (you need to download the full nmap version and compile it locally. You can also not install it and just run it in a folder). Here you find the value for "ldapServiceName" that is useful to find what not found with nbtscan or using just the module smb-os-discovery.
- All together: nmap -sS -sU -p 389,445 --script ldap-rootdse, smb-os-discovery XXX.XXX.XXX.XXX-XXX
- nbtscan (use -f flag for a complete view)
- DC
- It has 1C is a DC*
- if _MSBROWSE_ is the “primary/authorative DC” (or the 1st domain was created)*
- Workstation
- It has just _MSBROWSE_ (without 1C), so it belongs to a Workgroup
- Computer that belongs to a domain
- It doesn't have _MSBROWSE_ or 1C field
- nbtstat
- enum4linux
- ./enum4linux.pl -U -d -u ComputerName\\user -p password 192.168.X.XX
* according to what i saw in the past, when you have 1C and not a MSBROWSE then it means I dont have anything under that computer in the tree.
Dumping Passwords
- WCE
- Mimikats: needs to be run on the victim's machine since it works with local files. Example of use here
- gsecdump
- fgdump
- hashdump
Cached Credentials
- msf
- Cachedump module: returns two types of formats: one can be mscash and the other mscash2. When then using john the ripper you need to specify --format=mscash. In Linux you can use this flag only if you installed john the ripper jumbo version. In windows you can download the exe version of john or use Caine. Apparently this last method takes longer and requires a little configuration before starting the attack. See here for further information about the windows approach with Caine.
- gsecdump
- cachedump
PassCracking
Bernardo Damele's blog writes good stuff about dumping the SAM file. However, I want to report a list of tools that I used in the past:
DTH
- msf
- keimpx
- hashspray
Others
- gsecdump
- lsadump
- lsasecrets