Sam Stelfox

Thoughts from a software engineer, systems hacker and Linux gubernāre.

Crawling for Domain Admin Credentials

Some folks are just doing it right. Not using their admin credentials for everyday activities. While this is a best practice, it doesn't prevent the exploitation of domain administrator privileges, it just makes it harder. At some point, the domain administrator is going to have to, well, administer to the domain. It's at that point that we want to catch the victim using their Domain Administrator credentials.

The scenario is this. You've used a tool such as NBTEnum to enumerate Domain Admin account names. You've also managed to gain Local Administrator credentials by dumping and cracking the hashes of a vulnerable system on the network. Like most of corporate America, the target organization is using a universal Local Administrator account across most of their enterprise. You are able to freely move around the network, gaining access to individual systems. While this is fairly deep penetration, you want the keys to the kingdom, or as Josh Wright would call them, the "family jewels": Domain Administrator. What the organization is doing right, is not using their Domain Admin credentials for daily activities. This makes things a little tougher. You know it's only a matter of time until you find the right system to elevate your privileges, but it's late in the pentest and time is of the essence. Enter the following command, the Domain Process Crawler:

FOR /F %i in (ips.txt) DO @echo [+] %i && @tasklist /V /S %i /U user /P password 2>NUL > output.txt
FOR /F %n in (names.txt) DO @type output.txt | findstr %n > NUL
echo [!] %n was found running a process on %i

What this command does, is take a file containing a list of ip addresses (ips.txt) and runs tasklist against each one, redirecting the output to a text file (output.txt). For each ip, the command checks the output for the existence of a string matching one of a list of usernames from another text file (names.txt). If it finds a match, it reports the match to the user and pauses, giving the user the option to continue.

With this command, you can easily crawl an entire domain for a running process executed by one of the Domain Administrator accounts you discovered via NBTEnum. When you find one, simply psexec your way to the system as Local Administrator, impersonate the Domain Administrator using the token on the box, and create your own shiny, new Domain Administrator credentials. If you have the Metasploit Framework installed on the system and want to take it a step further, you could use msfcli to automagically psexec yourself a shell when the command finds the right process, rather than pause.

Like the scenario states, there is some work to be done before this command is useful. You'll need an initial shell and a little luck.