The methods covered here require elevated rights since they involve connecting to the Domain Controller to dump credentials. The primary techniques for dumping credentials from Active Directory involve interacting with LSASS on a live DC, grabbing a copy of the AD datafile (ntds.dit), or tricking a Domain Controller into replicating password data to the attacker ("I'm a Domain Controller!"). Some of this information I spoke about at several security conferences in 2015 (BSides, Shakacon, Black Hat, DEF CON,

Note that if a copy of the Active Directory database (ntds.dit) is discovered, the attacker could dump credentials from it without elevated rights. The last topic on this page shows how to extract credentials from a captured ntds.dit file (with registry export).

- Dumping Active Directory credentials remotely using Mimikatz's DCSync.
- Dumping Active Directory credentials remotely using Invoke-Mimikatz.
- Dumping Active Directory credentials locally using Invoke-Mimikatz (on the DC).
- Dumping Active Directory credentials locally using Mimikatz (on the DC).
- Pulling the ntds.dit remotely using PowerSploit's Invoke-NinjaCopy (requires PowerShell remoting to be enabled on the target DC).
- Pulling the ntds.dit remotely using a VSS shadow copy.
- Grabbing the ntds.dit file locally on the DC using NTDSUtil's Create IFM.

There are several different ways to execute commands remotely on a Domain Controller, assuming they are executed with the appropriate rights. The most reliable remote execution methods involve either PowerShell (leverages WinRM) or WMI.

```powershell
wmic /node:COMPUTER /user:DOMAIN\USER /password:PASSWORD process call create "COMMAND"
Invoke-WMIMethod -Class Win32_Process -Name Create -ArgumentList $COMMAND -ComputerName $COMPUTER -Credential $CRED
Invoke-Command -ComputerName $COMPUTER -Command
New-PSSession -Name PSCOMPUTER -ComputerName $COMPUTER
Enter-PSSession -Name PSCOMPUTER
```

The Active Directory domain database is stored in the ntds.dit file (stored in c:\Windows\NTDS by default, but often on a different logical drive). The AD database is a Jet database which uses the Extensible Storage Engine (ESE), which provides data storage and indexing services. ESE-level indexing enables object attributes to be located quickly. ESE ensures the database complies with ACID (Atomic, Consistent, Isolated, and Durable): all operations in a transaction complete or none do.
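One defensive check that follows from the DCSync item above, added here as an example and not part of the original post: enumerate which principals hold the directory replication extended rights on the domain naming context, since those rights are exactly what a "replicate the password data to me" request needs. It assumes the ActiveDirectory module is installed on the host running it, and the expected-holder list is an assumption reflecting a default domain that you should tune to your environment.

```powershell
# Added example (not from the original post). Lists every principal granted the
# replication control access rights on the domain NC and flags holders that are
# not in the expected set, so an unexpected DCSync-capable account stands out.
# Assumes the ActiveDirectory module is available (it provides the AD: drive).
Import-Module ActiveDirectory

# Well-known rightsGuid values of the three replication control access rights.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

$domain = Get-ADDomain

# Assumed baseline: identities that hold these rights in a default domain.
# Tune this list for your environment (e.g. Azure AD Connect / RODC accounts).
$ExpectedHolders = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    "$($domain.NetBIOSName)\Domain Controllers",
    "$($domain.NetBIOSName)\Enterprise Read-only Domain Controllers"
)

# Read the DACL of the domain object itself (the root of the domain NC).
$acl = Get-Acl -Path "AD:\$($domain.DistinguishedName)"

$acl.Access |
    Where-Object {
        # Only Allow ACEs whose ObjectType is one of the replication rights;
        # ACEs that are not object-specific carry an empty GUID and never match.
        $_.AccessControlType -eq 'Allow' -and
        $ReplicationRights.ContainsKey($_.ObjectType.ToString())
    } |
    ForEach-Object {
        [pscustomobject]@{
            Identity   = $_.IdentityReference.Value
            Right      = $ReplicationRights[$_.ObjectType.ToString()]
            Inherited  = $_.IsInherited
            Unexpected = ($_.IdentityReference.Value -notin $ExpectedHolders)
        }
    } |
    Sort-Object Unexpected -Descending |
    Format-Table -AutoSize
```

Any row marked Unexpected is a principal that can request password hashes by replication and should be explained or removed; run the same check against each domain in the forest.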