
Unlocking Windows Secrets: Extracting Plain Text Passwords Like a Pro

In the realm of Windows penetration testing, the ultimate aim after breaching a system is to seize control of the entire network. The final phase of these tests typically involves taking over the Domain Controller (DC) server, the central hub managing the entire system in an Active Directory Domain environment. To accomplish this, penetration testers usually conduct a test on a machine connected to the Active Directory Domain and employ specific methods to access the Domain Controller.

Post-Exploitation Stages

The typical post-exploitation stages are as follows:

Privilege Escalation

If the initially compromised machine has limited access privileges, any vulnerabilities within the machine are exploited to escalate these privileges.

Credential Dump

Useful credentials are acquired from the various credential stores on the machine where elevated privileges have been obtained.

Lateral Movement/Pivoting

Using the acquired credentials, access to the Domain Controller is achieved by pivoting through the network.

Persistence

Persistence is established on the Domain Controller.

This article delves into the process of obtaining plain text credentials from the different credential stores on a machine compromised with high privileges, a crucial step for the pivoting process. The implementation involves a DC server running Windows Server 2012 R2 and a file server running Windows Server 2008 R2, both joined to the Domain. According to the scenario, the file server is compromised with SYSTEM rights, and the credentials of a user who can log into the Domain Controller are obtained in plain text from this server.

Obtaining Plain Text Credentials

As previously mentioned, during post-exploitation on Windows systems, after obtaining the highest privileges on a machine, attempts are made to acquire useful credentials from that machine. Obtaining the password of an account with Domain Admin privileges from a domain-joined machine significantly simplifies the process, as this password can be used to log into the DC. This section explains how to obtain plain text credentials from the different credential stores on a machine running Windows Server 2008 R2 with SYSTEM privileges.

LSA Secrets

In Windows systems, the Local Security Authority (LSA) manages local security policies, auditing, system logins, and authentication processes. LSA Secrets is a registry key that stores critical data related to the LSA in encrypted form under its subkeys. This information is stored under the key at the path “HKEY_LOCAL_MACHINE\Security\Policy\Secrets”. The “HKEY_LOCAL_MACHINE\Security\Policy” key stores the data needed to access the LSA secret information. Due to the sensitivity of the information stored in this key, Windows by default allows access only to the SYSTEM account. Critical data related to the LSA service can therefore be obtained in plain text from a session running as the SYSTEM account.

The subkeys under the LSA Secrets key are explained below:

  • $MACHINE.ACC: Stores the security channel password along with an account for the primary Domain Controller computer and is replicated to all backup Domain Controller machines.
  • DefaultPassword: If automatic login is enabled, the specified password is stored here.
  • NL$KM: Stores the secret key used to encrypt cached Domain passwords.
  • DPAPI_SYSTEM: When a user’s DPAPI Master Key is restored from the backup area, the encryption key is decoded first; the local administrator account password stored in this key is then used to perform the decryption.

Each secret stored under “Secrets” has its own subkey, and the details of that secret are kept in the following values beneath it:

  • CurrVal: Holds the encrypted form of the secret data.
  • CupdTime: Holds the last update time.
  • OldVal: Holds the previous value of the secret data.
  • OupdTime: Holds the previous update time.
  • SecDesc: A security descriptor that specifies which users can and cannot access the secret data.

We have a meterpreter session obtained from the file server with “NT AUTHORITY\SYSTEM” privileges. To extract data from the LSA Secrets key, we will first use the “Mimikatz” tool. The Mimikatz tool (mimikatz.exe) and its components (mimilib.dll, mimidrv.sys) have been uploaded to the file server via meterpreter.

After granting debug privileges to Mimikatz with the “privilege::debug” command, the “lsadump::secrets” command is used to extract LSA data from the registry. This command retrieves the records stored in the LSA Secrets key.

The “kiwi” module of meterpreter can also be used to perform operations with the Mimikatz tool on a machine where a meterpreter session has been obtained. After loading this module with the “load kiwi” command, the LSA secret data can be retrieved again with the “lsa_dump_secrets” command.

Additionally, the Metasploit Framework provides a post module called “lsa_secrets”. This module can be run against the meterpreter session to retrieve and decrypt the data stored in encrypted form.

In cases where a meterpreter session has not been obtained from the machine or the Mimikatz tool has not been uploaded, the registry keys can be saved to files and examined on the local (attacker’s) machine. For this, the “reg save <<Registry-Path>> <<File-Path>>” command saves the given registry key to the specified file. The SECURITY key is extracted to examine the LSA secret data. Additionally, the SYSTEM and SAM keys, where the data is stored in hashed form, can be extracted, and these three files are then examined together.

The Mimikatz tool, when run on the target machine, extracts the desired data directly from the live system; it can also be run on the local machine to examine exported hive files. The files created on the file server have been downloaded to the local machine. The following command examines the LSA secret data from those files:

lsadump::secrets /system:<<SYSTEM_file_path>> /security:<<SECURITY_file_path>> /sam:<<SAM_file_path>>

Running this command will display the LSA secret data on the screen.
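From the defender’s side, the three steps described above (granting debug privilege and running lsadump::secrets, loading kiwi, and exporting the SECURITY/SAM/SYSTEM hives with reg save) all leave a process-creation trail. The following is an added detection example, not code from the original post or from Mimikatz/Metasploit: it runs two simple rules over constructed process-creation records modelled on Security event 4688 / Sysmon event 1 fields (host, user, image, cmdline are assumed field names). Real deployments would feed it events from a SIEM rather than the inline sample.

```python
import re

# Constructed sample records (not real logs). Field names are assumptions
# modelled on Security event 4688 / Sysmon event 1.
SAMPLE_EVENTS = [
    {"host": "FILESRV01", "user": "NT AUTHORITY\\SYSTEM",
     "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "reg save HKLM\\SECURITY C:\\Windows\\Temp\\sec.hiv"},
    {"host": "FILESRV01", "user": "NT AUTHORITY\\SYSTEM",
     "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": 'reg.exe save "HKEY_LOCAL_MACHINE\\SAM" c:\\temp\\sam.save'},
    {"host": "FILESRV01", "user": "NT AUTHORITY\\SYSTEM",
     "image": "C:\\Windows\\Temp\\mimikatz.exe",
     "cmdline": 'mimikatz.exe "privilege::debug" "lsadump::secrets" exit'},
    {"host": "WS07", "user": "CORP\\jdoe",          # benign: user-hive backup
     "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "reg save HKCU\\Software\\Contoso C:\\Users\\jdoe\\backup.reg"},
]

# Rule 1: export of one of the three hives the article combines offline.
# The lookahead requires the hive root itself, not a subkey such as
# HKLM\SYSTEM\CurrentControlSet, which ordinary admin scripts may export.
HIVE_RE = re.compile(
    r"(?:HKLM|HKEY_LOCAL_MACHINE)\\(SECURITY|SAM|SYSTEM)(?=[\s\"']|$)", re.I)
# Rule 2: Mimikatz module strings named in the article, plus the kiwi
# equivalent, appearing verbatim on any command line.
MIMIKATZ_MODULES = ("privilege::debug", "lsadump::secrets", "lsa_dump_secrets")

def classify(event):
    """Return the list of alert reasons for one process-creation event."""
    cmd = event["cmdline"]
    image = event["image"].rsplit("\\", 1)[-1].lower()
    reasons = []
    if image == "reg.exe" and re.search(r"\b(save|export)\b", cmd, re.I):
        m = HIVE_RE.search(cmd)
        if m:
            reasons.append(f"hive export: {m.group(1).upper()}")
    hits = [mod for mod in MIMIKATZ_MODULES if mod in cmd.lower()]
    if hits:
        reasons.append("mimikatz modules: " + ", ".join(hits))
    return reasons

def scan(events):
    """Return (host, user, reasons) for every event that triggers a rule."""
    return [(e["host"], e["user"], r) for e in events if (r := classify(e))]

if __name__ == "__main__":
    for host, user, reasons in scan(SAMPLE_EVENTS):
        print(f"ALERT {host} {user}: {'; '.join(reasons)}")
```

Because the article notes the Secrets key is readable only by SYSTEM, an alert from this rule set is most useful when paired with the user field: a hive export or Mimikatz invocation running as SYSTEM on a file server is the exact precondition the article relies on.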
