Module 09

Win Attack LAB: Credential Dumping on WS1

1. Introduction

In this challenge we explore the machine WS1 and dump credentials stored on it.

2. Bloodhound Analysis

We have successfully moved to the host WS1 and we have local administrative privileges on this machine as well. Time to plan our next step.

In previous challenges, we already collected information about this host and the objects connected to it. Let's go back and look at this host in Bloodhound.

In particular, check the open sessions:

We can see that the user FFAST@WINATTACKLAB.LOCAL has an active session on WS1!

Let's inspect that user a bit closer. By looking at the Group Memberships, we can see that this user belongs to the Domain Admins group and has therefore full control over the domain controller and the domain itself:

Connecting the dots and finding the shortest path to domain admin:

3. RDP Access and Credential Dumping

As we have the password for user cclear and RDP is available on the host WS1, we can simply connect to this machine via RDP. On your Windows 10 client, start the RDP client.

Once you have established the RDP connection to WS1, you can create a dump of lsass.exe via the Task Manager. Start the Task Manager by typing task into the search bar, then right-click it and run it as administrator:

In the Details tab, search for lsass.exe:

Right-click on lsass.exe and choose Create dump file:

Wait until the dump has been created and note down the path to the dump:

4. Retrieving the dump

Run the following commands to connect to WS1 with smbclient.py and fetch the dump:

smbclient.py 'winattacklab.local/cclear:Winter2019@10.0.1.103'

use c$
get Users\cclear\AppData\Local\Temp\lsass.DMP
exit

5. Analyzing the dump

With the dump of lsass.exe now on our local machine, we have multiple ways to analyze it. One way would be to copy it to our Windows client and feed it to Mimikatz. However, let's use a Linux tool called pypykatz this time.

pypykatz lsa minidump lsass.DMP >> pypykatz.log

nano pypykatz.log

In the nano editor, press CTRL+W to switch to search mode, type ffast and hit RETURN to find the authentication information of this user. You might find multiple occurrences, through which you can step by repeatedly pressing ALT+W. Look for an output similar to the one shown below:

NT: e4817e3c667f5df2b2b2b0dc37ca25f9

Note down this hash and exit nano by pressing CTRL+X.

You now have successfully retrieved the NTLM hash of the domain administrator ffast, congratulations!

6. Updating Bloodhound

Finally, we can update Bloodhound to reflect the new situation. Search for the user ffast and mark it as owned:

If you further check the Group Delegated Local Admin Rights you'll find that this account has full access on the Domain Controller (which is to be expected for a domain administrator of course):

7. Questions

  1. What other tool than pypykatz can extract the credentials from the dumped lsass memory?

  2. Why didn't we upload and run Mimikatz on WS1?

  3. Why is ProcDump not detected as a hacking tool?

  4. Is it a good idea to name the created memory dump "lsass.dmp"?

  5. Why can user ffast's (a domain admin's) credentials be found in the LSASS memory of WS1?

  6. How should organizations prevent this kind of problem (domain admins logging in on "normal" servers using their domain admin accounts)?

  7. Congrats, you are domain admin! And now what? How would you now test and exploit the domain admin privileges?

8. Answers

  1. Mimikatz (the tool most commonly used to extract the credentials).

     The MITRE ATT&CK framework lists further tools used to extract credentials, for example:

     • LaZagne

     • Impacket

     • etc.

  2. The standard Mimikatz binary is well known and Windows Defender could block its execution. Therefore we use another tool, or change/modify the Mimikatz binary.

  3. ProcDump is part of the Windows Sysinternals suite and therefore a "legitimate Microsoft tool" that is not detected by antivirus tools.

  4. No, this name will be detected as an IOC. Renaming the file reduces the chance of detection.

  5. The admin ffast has an interactive session on WS1. The credentials for such sessions are stored in the LSASS memory.

  6. There exist several mitigation techniques:

     • Tier model (three tiers)

     • Separate administrative accounts (one for each required tier)

     • Access to the servers with admin accounts only from dedicated management systems

  7. Testing:

     • Authenticate on another system with the admin credentials (via an RDP session, but be aware: not on the same system on which ffast has an active session).

     Exploit:

     • Access to the domain controller

     • Create a dedicated user with admin privileges

     • NTLM hash dump and use of the extracted credentials to log on to other systems as legitimate users
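From the defender's side, answers 3 and 4 come down to which telemetry a detection is keyed on. The following Python is an added example (not part of the lab) that runs two simple rules over constructed Sysmon-style events: a filename rule for dumps named lsass*.dmp, and a ProcessAccess rule that flags any handle to lsass.exe granted with PROCESS_VM_READ, whatever the tool or output name. The event lines, process names and paths are constructed for the example; the field names follow Sysmon Event ID 10 (ProcessAccess) and 11 (FileCreate).

```python
import re

PROCESS_VM_READ = 0x0010   # right to read another process's memory; any dump needs it
LSASS = "lsass.exe"
DUMP_NAME = re.compile(r"^lsass.*\.dmp$", re.IGNORECASE)

# Constructed Sysmon-style events (key=value), not real telemetry.
# EventID 10 = ProcessAccess, EventID 11 = FileCreate.
SAMPLE_EVENTS = [
    "EventID=10 SourceImage=C:\\Windows\\System32\\Taskmgr.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1FFFFF",
    "EventID=11 Image=C:\\Windows\\System32\\Taskmgr.exe TargetFilename=C:\\Users\\cclear\\AppData\\Local\\Temp\\lsass.DMP",
    "EventID=10 SourceImage=C:\\Windows\\System32\\csrss.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1000",
    "EventID=11 Image=C:\\Windows\\System32\\notepad.exe TargetFilename=C:\\Users\\cclear\\notes.txt",
    "EventID=10 SourceImage=C:\\tools\\procdump64.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1FFFFF",
    "EventID=11 Image=C:\\tools\\procdump64.exe TargetFilename=C:\\Temp\\svc.dmp",
]

def parse_event(line):
    """Turn one 'key=value key=value' line into a dict (values contain no spaces here)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def basename(path):
    """Last path component, lower-cased, so Taskmgr.exe and lsass.DMP compare cleanly."""
    return path.rsplit("\\", 1)[-1].lower()

def detect(lines):
    """Return (rule, source process) for every event that matches a rule, in input order."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") == "10" and basename(ev.get("TargetImage", "")) == LSASS:
            # Output name is irrelevant here: the dumping tool must open lsass with VM_READ.
            # Production rules add an allowlist of legitimate readers (AV/EDR) to cut noise.
            mask = int(ev.get("GrantedAccess", "0"), 16)
            if mask & PROCESS_VM_READ:
                alerts.append(("lsass_memory_read", basename(ev.get("SourceImage", ""))))
        elif ev.get("EventID") == "11" and DUMP_NAME.search(basename(ev.get("TargetFilename", ""))):
            # Cheap IOC rule: catches the default Task Manager name, misses a renamed dump.
            alerts.append(("lsass_dump_filename", basename(ev.get("Image", ""))))
    return alerts

if __name__ == "__main__":
    for rule, proc in detect(SAMPLE_EVENTS):
        print(f"{rule:<22} {proc}")
```

The renamed svc.dmp slips past the filename rule, but the handle to lsass.exe that produced it does not, which is why ProcessAccess telemetry (Sysmon Event 10 with lsass.exe included in the configuration) is the more robust signal.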
