Local Admin --> Domain Admin ??

Hi there,

I have been trying to expand my knowledge, so I have set a lab with the following configuration:

Fully Patched Windows 2003 Server (Acting as a domain controller)
Unpatched Client Machine (XP), which is joined to the above domain.

Since I have been able to compromise the client machine, I was able to get the local hashes, and have been able to crack them using rainbow tables. My question is there any possible way to get Domain Passwords.

I have read about "CacheDump" tool, which will get the hashes for the last 10 logged in users (something called MSCash), and have been able to get the hashes. However, seems that these hashes cannot be cracked using rainbow table, as they came in the following format:

Code:

---

username:hash(32 chacter):domain:FQDN

---

So any idea on the above scenario ?

Thanks alot in advance,

Quote:

---

have read about "CacheDump" tool, which will get the hashes for the last 10 logged in users (something called MSCash), and have been able to get the hashes. However, seems that these hashes cannot be cracked using rainbow table, as they came in the following format:

---

You do know that these passwords are much more secure than the LM hashes stored in the SAM file, for starters each of the cached hashes has its own salt added which will make them much more time consuming to crack. I do not know about rainbow tables but they can at least be cracked using John the ripper, here is a good tutorial on this from Irongeek:
http://www.irongeek.com/i.php?page=security/cachecrack

You can also use Cain to crack Cache dump passwords. However, I wouldnt give up on the LM hashes. Does your local admin password on the client work on the server? Do any of the user accounts give you access to the server? Try this:
http://forums.remote-exploit.org/showthread.php?t=12942

William

Quote:

---

Originally Posted by williamc

You can also use Cain to crack Cache dump passwords. However, I wouldnt give up on the LM hashes. Does your local admin password on the client work on the server? Do any of the user accounts give you access to the server? Try this:
http://forums.remote-exploit.org/showthread.php?t=12942

William

---

Thanks for the reply. Local Admin password doesn't give me access to the server, nor any users passwords give me access to the server. I am thinking of some sort of privilige escalation (if possible), also I will give a try to john the ripper to crack the m$ cache hashes.

Quote:

---

Originally Posted by l1nuxant_ee

Thanks for the reply. Local Admin password doesn't give me access to the server, nor any users passwords give me access to the server. I am thinking of some sort of privilige escalation (if possible), also I will give a try to john the ripper to crack the m$ cache hashes.

---

John works well for any password cracking. Cain, albeit slower, also has great cracking abilities for cached passwords, and a rather attractive (in comparison) GUI, if you want to go that route.

Essentially, I'm just repeating what has already been said. Let us now if you have any problems.

Your best bet is going to be token stealing. Incognitio has been built into meterpreter or you can upload the pass the hash toolkit from core.

Any domain users that have logged into the box since reboot, their tokens should be in memory. Once you are local admin or system on the box you can use one of the token passing tool to take that token and become the domain user (hopefully some sort of admin--which wouldnt be too far fetched if you are any sort of server).

I did a couple blog posts on the different tools.
http://carnal0wnage.blogspot.com/sea...en%20kidnaping
http://carnal0wnage.blogspot.com/sea...s%20the%20hash

Quote:

---

Originally Posted by __CG__

Your best bet is going to be token stealing. Incognitio has been built into meterpreter or you can upload the pass the hash toolkit from core.

Any domain users that have logged into the box since reboot, their tokens should be in memory. Once you are local admin or system on the box you can use one of the token passing tool to take that token and become the domain user (hopefully some sort of admin--which wouldnt be too far fetched if you are any sort of server).

I did a couple blog posts on the different tools.
http://carnal0wnage.blogspot.com/sea...en%20kidnaping
http://carnal0wnage.blogspot.com/sea...s%20the%20hash

---

Nioce post on incognitio. I'm assuming your one of the guys from LSO so I just wanted to welcome you to the forums if I had not done so already:)

Quote:

---

Originally Posted by __CG__

Your best bet is going to be token stealing. Incognitio has been built into meterpreter or you can upload the pass the hash toolkit from core.

Any domain users that have logged into the box since reboot, their tokens should be in memory. Once you are local admin or system on the box you can use one of the token passing tool to take that token and become the domain user (hopefully some sort of admin--which wouldnt be too far fetched if you are any sort of server).

I did a couple blog posts on the different tools.
http://carnal0wnage.blogspot.com/sea...en%20kidnaping
http://carnal0wnage.blogspot.com/sea...s%20the%20hash

---

Great topics, I will give them a try :)

Thanks alot,

thank pureh@te! been lurking here and the IRC chan.

good to be here.

I once was pentested a network where a local administrator password was the same as the domein administrator password.

If the client connects to the fully patched server you can look for share's and try to Brute force them so you could get some network accouns.

If you have the time a sniffer could do the job.