
Thread: Local Admin --> Domain Admin ??

  1. #1
    Member
    Join Date
    Jun 2006
    Posts
    107

    Local Admin --> Domain Admin ??

    Hi there,

    I have been trying to expand my knowledge, so I have set a lab with the following configuration:

    Fully Patched Windows 2003 Server (Acting as a domain controller)
    Unpatched Client Machine (XP), which is joined to the above domain.

    Since I have been able to compromise the client machine, I was able to get the local hashes, and have been able to crack them using rainbow tables. My question is: is there any possible way to get the domain passwords?

    I have read about the "CacheDump" tool, which will get the hashes for the last 10 logged-in users (something called MSCash), and have been able to get the hashes. However, it seems that these hashes cannot be cracked using rainbow tables, as they come in the following format:
    Code:
    username:hash(32 character):domain:FQDN
    So, any idea on the above scenario?

    Thanks a lot in advance,

  2. #2
    Senior Member
    Join Date
    Apr 2008
    Posts
    2,008


    Quote Originally Posted by l1nuxant_ee View Post
    I have read about the "CacheDump" tool, which will get the hashes for the last 10 logged-in users (something called MSCash), and have been able to get the hashes. However, it seems that these hashes cannot be cracked using rainbow tables, as they come in the following format:
    You do know that these passwords are much more secure than the LM hashes stored in the SAM file? For starters, each of the cached hashes has its own salt added, which will make them much more time-consuming to crack. I do not know about rainbow tables, but they can at least be cracked using John the Ripper; here is a good tutorial on this from Irongeek:
    http://www.irongeek.com/i.php?page=security/cachecrack
    -Monkeys are like nature's humans.
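    The reply above turns on how many logons a workstation caches: that number is the ceiling on what a CacheDump-style tool can recover. The following audit script is an added example, not code from the thread or from any tool it names; it assumes an elevated PowerShell on the Windows host and that the `-Fix` and `-Target` parameters are the script's own.

```powershell
# Added example, not from the thread: audit (and optionally reduce) how many
# domain logons this workstation caches. Each cached entry is an MSCash hash
# that a CacheDump-style tool can recover, so the count is what bounds the
# number of domain users exposed by one compromised client.
# Assumes an elevated PowerShell on the Windows host.
param([switch]$Fix, [int]$Target = 1)   # -Fix lowers the count to $Target

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$prop = Get-ItemProperty -Path $winlogon -Name 'CachedLogonsCount' -ErrorAction SilentlyContinue

# CachedLogonsCount is a REG_SZ; Windows treats a missing value as the default of 10.
[int]$count = if ($null -ne $prop) { $prop.CachedLogonsCount } else { 10 }

$verdict = if ($count -eq 0) { 'no cached logons (offline domain logon impossible)' }
           elseif ($count -le $Target) { 'within target' }
           else { "cached hashes of up to $count domain users are recoverable" }
Write-Output ('{0}: CachedLogonsCount = {1} -> {2}' -f $env:COMPUTERNAME, $count, $verdict)

if ($Fix -and $count -gt $Target) {
    # Same setting as the GPO 'Interactive logon: Number of previous logons to cache'.
    # 0 is safest for always-connected desktops; laptops usually need at least 1.
    Set-ItemProperty -Path $winlogon -Name 'CachedLogonsCount' -Value "$Target" -Type String
    Write-Output "CachedLogonsCount set to $Target (applies to subsequent logons)"
}
```

    In a domain, push the same value through Group Policy rather than per host; the registry write here is for a lab box or a one-off check.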

  3. #3
    Good friend of the forums
    Join Date
    Feb 2010
    Location
    Chico CA
    Posts
    285


    You can also use Cain to crack CacheDump passwords. However, I wouldn't give up on the LM hashes. Does your local admin password on the client work on the server? Do any of the user accounts give you access to the server? Try this:
    http://forums.remote-exploit.org/showthread.php?t=12942

    William

  4. #4
    Member
    Join Date
    Jun 2006
    Posts
    107


    Quote Originally Posted by williamc View Post
    You can also use Cain to crack CacheDump passwords. However, I wouldn't give up on the LM hashes. Does your local admin password on the client work on the server? Do any of the user accounts give you access to the server? Try this:
    http://forums.remote-exploit.org/showthread.php?t=12942

    William
    Thanks for the reply. The local admin password doesn't give me access to the server, nor do any of the users' passwords give me access to the server. I am thinking of some sort of privilege escalation (if possible); also, I will give John the Ripper a try to crack the M$ cache hashes.

  5. #5
    Junior Member
    Join Date
    Jul 2007
    Posts
    71

    JTR or Cain is the way to go

    Quote Originally Posted by l1nuxant_ee View Post
    Thanks for the reply. The local admin password doesn't give me access to the server, nor do any of the users' passwords give me access to the server. I am thinking of some sort of privilege escalation (if possible); also, I will give John the Ripper a try to crack the M$ cache hashes.
    John works well for any password cracking. Cain, albeit slower, also has great cracking abilities for cached passwords, and a rather attractive (in comparison) GUI, if you want to go that route.

    Essentially, I'm just repeating what has already been said. Let us know if you have any problems.

  6. #6


    Your best bet is going to be token stealing. Incognito has been built into Meterpreter, or you can upload the Pass the Hash toolkit from Core.

    Any domain users that have logged into the box since reboot should have their tokens in memory. Once you are local admin or SYSTEM on the box, you can use one of the token-passing tools to take that token and become the domain user (hopefully some sort of admin, which wouldn't be too far-fetched if you are on any sort of server).

    I did a couple blog posts on the different tools.
    http://carnal0wnage.blogspot.com/sea...en%20kidnaping
    http://carnal0wnage.blogspot.com/sea...s%20the%20hash
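    The exposure the post above describes is "which accounts have a token resident on this box"; the script below is an added example, not code from the thread or from any of the linked posts, that lists those sessions so an administrator can see which domain accounts a compromised workstation would hand over. It assumes an elevated PowerShell on the Windows host and makes no group-membership check (no AD module), so flagged accounts are reviewed by hand.

```powershell
# Added example, not from the thread: list the accounts that currently hold
# logon sessions on this host, i.e. whose tokens sit in memory and could be
# impersonated by anyone who is already local admin or SYSTEM. Domain accounts
# are flagged because they are what turn a local compromise into domain access.
# Assumes an elevated PowerShell on the Windows host.
$typeNames = @{ 2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'
                7 = 'Unlock'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive' }
# Built-in pseudo-domains that never represent a real domain account
$localDomains = @($env:COMPUTERNAME, 'NT AUTHORITY', 'Window Manager', 'Font Driver Host')

$sessions = Get-CimInstance -ClassName Win32_LogonSession
$links    = Get-CimInstance -ClassName Win32_LoggedOnUser   # session -> account association

$report = foreach ($s in $sessions) {
    $link = $links | Where-Object { $_.Dependent.LogonId -eq $s.LogonId } | Select-Object -First 1
    if (-not $link) { continue }                             # session with no mapped account
    $domain = $link.Antecedent.Domain
    $type   = [int]$s.LogonType
    [pscustomobject]@{
        Account    = "$domain\$($link.Antecedent.Name)"
        LogonType  = if ($typeNames.ContainsKey($type)) { $typeNames[$type] } else { $type }
        Since      = $s.StartTime
        DomainAcct = $domain -notin $localDomains
    }
}

# Interactive, RDP and service sessions carry primary tokens; network logons
# (type 3) normally leave only impersonation-level tokens, which cannot be used
# to authenticate onward, so the interesting rows are non-Network domain accounts.
$report | Sort-Object DomainAcct, LogonType -Descending | Format-Table -AutoSize
```

    Any privileged domain account that shows up here on an ordinary workstation is the finding: the fix is to keep such accounts off clients (tiered admin accounts) rather than to harden the token store.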

  7. #7
    Developer
    Join Date
    Mar 2007
    Posts
    6,124


    Quote Originally Posted by __CG__ View Post
    Your best bet is going to be token stealing. Incognito has been built into Meterpreter, or you can upload the Pass the Hash toolkit from Core.

    Any domain users that have logged into the box since reboot should have their tokens in memory. Once you are local admin or SYSTEM on the box, you can use one of the token-passing tools to take that token and become the domain user (hopefully some sort of admin, which wouldn't be too far-fetched if you are on any sort of server).

    I did a couple blog posts on the different tools.
    http://carnal0wnage.blogspot.com/sea...en%20kidnaping
    http://carnal0wnage.blogspot.com/sea...s%20the%20hash
    Nice post on Incognito. I'm assuming you're one of the guys from LSO, so I just wanted to welcome you to the forums if I had not done so already.

  8. #8
    Member
    Join Date
    Jun 2006
    Posts
    107


    Quote Originally Posted by __CG__ View Post
    Your best bet is going to be token stealing. Incognito has been built into Meterpreter, or you can upload the Pass the Hash toolkit from Core.

    Any domain users that have logged into the box since reboot should have their tokens in memory. Once you are local admin or SYSTEM on the box, you can use one of the token-passing tools to take that token and become the domain user (hopefully some sort of admin, which wouldn't be too far-fetched if you are on any sort of server).

    I did a couple blog posts on the different tools.
    http://carnal0wnage.blogspot.com/sea...en%20kidnaping
    http://carnal0wnage.blogspot.com/sea...s%20the%20hash
    Great topics, I will give them a try.

    Thanks a lot,

  9. #9


    Thanks pureh@te! Been lurking here and the IRC chan.

    Good to be here.

  10. #10
    Just burned his ISO
    Join Date
    Jul 2008
    Posts
    15


    I once pentested a network where a local administrator password was the same as the domain administrator password.

    If the client connects to the fully patched server, you can look for shares and try to brute-force them so you could get some network accounts.

    If you have the time, a sniffer could do the job.
    Two things are infinite: the universe and human stupidity;
