Cracking AD
Cracking01 (Alias: Goku01)[edit]
| Type | Description |
|---|---|
| OS | Kali GNU/Linux Rolling |
| CPU(s) | 20 |
| Mem | 62G |
Instalación:[edit]
- Instalar esedbexport: Active directory database tables extractor for Extensible Storage Engine (ESE) Database file
- Releases
wget https://github.com/libyal/libesedb/releases/download/20181229/libesedb-experimental-20181229.tar.gz
tar xf libesedb-experimental-20181229.tar.gz
cd libesedb-20181229/
sudo apt-get install autoconf automake autopoint libtool pkg-config
./configure
make
sudo make install
sudo ldconfig
- Install NTDSXtract: Active Directory forensic framework
git clone https://github.com/csababarta/ntdsxtract.git
cd ntdsxtract/
python setup.py build && python setup.py install
Procesado Naboo[edit]
- Crear la carpeta que contendrá la información
su -l cracking
tmux
cd AD/instantaneas/ADBBVA
mkdir yyyy-mm-dd && cd yyyy-mm-dd # Fecha de la obtención del AD
# Mover los archivos ntds.dit, SYSTEM y SAM a la carpeta creada
- Preparar los archivos para el tratamiento
esedbexport ntds.dit # salirse de tmux con ctrl+b +d
mv SAM SAM_old
mkdir -p esentul_output ImpDump_output NTDS NTDSXtract_output SAM
mv SAM_old SAM/SAM
# El viejo tiene system en vez de SYSTEM
mv SYSTEM NTDS
cd ntds.dit.export/
ls #buscar cuales son las tablas datatable y links y cambiarlo en el comando siguiente, modificar tambien el yyyy-mm-dd por el correspondiente
cd ..
- Generar el archivo de usuarios:
dsusers.py /home/cracking/AD/instantaneas/ADBBVA/yyyy-mm-dd/ntds.dit.export/datatable.4 /home/cracking/AD/instantaneas/ADBBVA/yyyy-mm-dd/ntds.dit.export/link_table.7 /home/cracking/AD/instantaneas/ADBBVA/yyyy-mm-dd/NTDSXtract_output/ --passwordhashes --passwordhistory --certificates --membership --pwdformat john --syshive /home/cracking/AD/instantaneas/ADBBVA/yyyy-mm-dd/NTDS/SYSTEM --csvoutfile dsusers-`date +%d-%m-%y-%T` --lmoutfile hashes_LM-`date +%d-%m-%y-%T` --ntoutfile hashes_NT-`date +%d-%m-%y-%T`
- Generar el archivo de grupos:
dsgroups.py /home/cracking/AD/instantaneas/ADBBVA/yyyy-mm-dd/ntds.dit.export/datatable.4 /home/cracking/AD/instantaneas/ADBBVA/yyyy-mm-dd/ntds.dit.export/link_table.7 /home/cracking/AD/instantaneas/ADBBVA/yyyy-mm-dd/NTDSXtract_output/ --members --csvoutfile dsgroups-`date +%d-%m-%y-%T`
- Generar el archivo de equipos:
dscomputers.py /home/cracking/AD/instantaneas/ADBBVA/yyyy-mm-dd/ntds.dit.export/datatable.4 /home/cracking/AD/instantaneas/ADBBVA/yyyy-mm-dd/NTDSXtract_output/ --passwordhashes --passwordhistory --certificates --membership --pwdformat john --syshive /home/cracking/AD/instantaneas/ADBBVA/yyyy-mm-dd/NTDS/SYSTEM --csvoutfile dscomputers-`date +%d-%m-%y-%T` --lmoutfile hashes_LM_dscomputers-`date +%d-%m-%y-%T` --ntoutfile hashes_NT_dscomputers-`date +%d-%m-%y-%T`
- Generar el historico:
dstimeline.py /home/cracking/AD/instantaneas/ADBBVA/yyyy-mm-dd/ntds.dit.export/datatable.4 /home/cracking/AD/instantaneas/ADBBVA/yyyy-mm-dd/NTDSXtract_output/ --csv --outfile dstimeline-`date +%d-%m-%y-%T`
- Eliminar los objetos eliminados:
dsdeletedobjects.py /home/cracking/AD/instantaneas/ADBBVA/yyyy-mm-dd/ntds.dit.export/datatable.4 /home/cracking/AD/instantaneas/ADBBVA/yyyy-mm-dd/NTDSXtract_output/ --useIsDeleted --output dsdeletedobjects-`date +%d-%m-%y-%T`
- Crackeado con John The Ripper
john --fork=10 --session=06F --format=NT hashes_NT-08-03-18-16\:29\:02
- Consulta de una contraseña
# checkear un valor concreto
cd NTDSXtract_output/
ls
john --show --format=NT hashes_NT-08-03-18-15\:53\:14 > salida
grep -i xe69906 salida
Tarjeto[edit]
| Type | Description |
|---|---|
| OS | Ubuntu 16.04.6 LTS |
| CPU(s) | 8 |
| Mem | 31G |
| GPU | Tesla K40c (Nvidia) |
- Crackeado de hashes Kerberos 5 TGS-rep con diccionario y reglas en hashcat
hashcat -m 13100 -a 0 ficherohashes diccionario -r ficheroreglas -o salida --session=nombresesion -w 4 -D 1,2 -O
Script extracción AD cracking01.rra.lan:/home/cracking/bin/adextract: symbolic link to /home/cracking/ntds_extract/adextract.sh[edit]
#!/bin/bash
# Root of all AD snapshots; one sub-directory per download date is created below it.
WORKING_DIR='/home/cracking/AD/instantaneas/ADBBVA'
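#######################################
# Print the command-line contract to stdout.
# The original text advertised -f while the parser only accepts -p; fixed here.
# Globals:   none
# Arguments: none
# Outputs:   usage text on stdout
#######################################
function usage() {
  cat << EndOfMessage
Usage: adextract.sh -d yyyy-mm-dd -p /path/to/downloaded/files/
-d date of ntds.dit download
-p full path to the folder containing ntds.dit, SYSTEM and SAM files
-h show this help
EndOfMessage
}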
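# Parse -h, -d <date>, -p <path>. The original optstring ":h:d:p:" made -h take an
# argument, and neither -h nor a bad option stopped the script; both fixed here.
while getopts ":hd:p:" opt; do
  case "${opt}" in
    h ) usage; exit 0 ;;
    d ) date=${OPTARG} ;;
    p ) path=${OPTARG} ;;
    \? ) echo "Invalid option: $OPTARG" 1>&2; exit 2 ;;
    : ) echo "Option -$OPTARG requires an argument" 1>&2; exit 2 ;;
  esac
done
# Drop the parsed options so any remaining positional arguments start at $1.
shift $((OPTIND - 1))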
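#######################################
# Validate the -d and -p arguments before anything is copied or exported.
# Fixes vs. the original: the duplicated empty-date check is gone, a malformed
# date now aborts instead of only warning, the file checks were nested inside
# the "path missing" branch (never reached), "${path/ntds.dit}" was a pattern
# substitution rather than a path join, and the SYSTEM/system test used ||
# (failing whenever either name was absent) where && is intended.
# Globals:   date (read), path (read)
# Arguments: none
# Outputs:   diagnostics on stderr
# Returns:   0 if every check passes; exits 1 otherwise
#######################################
function check_arguments() {
  # Date is mandatory and names the snapshot directory, so it must be YYYY-MM-DD.
  if [[ -z "${date}" ]]; then
    usage
    exit 1
  elif [[ ! "${date}" =~ ^[0-9]{4}-(0[1-9]|1[0-2])-(0[1-9]|[1-2][0-9]|3[0-1])$ ]]; then
    echo "Wrong date format, use: YYYY-MM-DD" 1>&2
    exit 1
  fi
  # The source folder must exist and hold the three files copy_files expects.
  if [[ -z "${path}" || ! -d "${path}" ]]; then
    echo "Path not found: ${path}" 1>&2
    exit 1
  fi
  if [[ ! -f "${path}/ntds.dit" ]]; then
    echo "File not found: ${path}/ntds.dit" 1>&2
    exit 1
  fi
  if [[ ! -f "${path}/SAM" ]]; then
    echo "File not found: ${path}/SAM" 1>&2
    exit 1
  fi
  # Older snapshots ship the hive as lower-case "system"; either spelling is accepted.
  if [[ ! -f "${path}/SYSTEM" && ! -f "${path}/system" ]]; then
    echo "File not found: ${path}/SYSTEM or ${path}/system" 1>&2
    exit 1
  fi
}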
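#######################################
# Locate the datatable and link_table files produced by esedbexport.
# The numeric suffix varies between exports (e.g. datatable.4, link_table.7 in
# the manual commands above), so the names are resolved by pattern. The
# original left the patterns unquoted, so the shell could expand them against
# the current directory before find ever saw them.
# Globals:   ESEDBEXPORT_OUTPUT_DIR (read), DATATABLE_PATH, LINKTABLE_PATH (written)
# Arguments: none
# Returns:   0 when both tables are found; exits 1 otherwise
#######################################
function get_tables() {
  # First match only; several exports in one directory would be ambiguous.
  DATATABLE_PATH=$(find "${ESEDBEXPORT_OUTPUT_DIR}" -name 'datatable*' | head -n 1)
  LINKTABLE_PATH=$(find "${ESEDBEXPORT_OUTPUT_DIR}" -name 'link_table*' | head -n 1)
  if [[ -z "${DATATABLE_PATH}" || -z "${LINKTABLE_PATH}" ]]; then
    echo "datatable/link_table not found in ${ESEDBEXPORT_OUTPUT_DIR}" 1>&2
    exit 1
  fi
}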
# Per-snapshot layout under WORKING_DIR; "date" is the value parsed from -d.
DATE_DIR="${WORKING_DIR}/${date}"
ESEDBEXPORT_OUTPUT_DIR="${DATE_DIR}/ntds.dit.export"
NTDSXTRACT_OUTPUT_DIR="${DATE_DIR}/NTDSXtract_output/"
SYSTEM_PATH="${DATE_DIR}/NTDS/SYSTEM"
# SAM_PATH="${DATE_DIR}/SAM/SAM"   # not used by any step below
# Base names of the NTDSXtract output files (no date suffix).
DSUSERS_FILENAME=dsusers
DSGROUPS_FILENAME=dsgroups
HASHES_LM_FILENAME=hashes_LM
HASHES_NT_FILENAME=hashes_NT
DSTIMELINE_FILENAME=dstimeline
DSCOMPUTERS_FILENAME=dscomputers
HASHES_LM_DSCOMPUTERS_FILENAME=hashes_LM_dscomputers
HASHES_NT_DSCOMPUTERS_FILENAME=hashes_NT_dscomputers
DSDELETEDOBJECTS_FILENAME=dsdeletedobjects
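#######################################
# Run NTDSXtract's dsusers.py over the exported tables.
# Every expansion is now quoted; the original left --syshive and the output
# names bare. generate_john_input_path assumes the NT hash file ends up at
# ${NTDSXTRACT_OUTPUT_DIR}${HASHES_NT_FILENAME}.
# Globals:   DATATABLE_PATH, LINKTABLE_PATH, NTDSXTRACT_OUTPUT_DIR, SYSTEM_PATH,
#            DSUSERS_FILENAME, HASHES_LM_FILENAME, HASHES_NT_FILENAME (all read)
# Arguments: none
# Returns:   exit status of dsusers.py
#######################################
function dsusers() {
  # pwdformat options: ophc, john, ocl
  dsusers.py "${DATATABLE_PATH}" "${LINKTABLE_PATH}" "${NTDSXTRACT_OUTPUT_DIR}" \
    --certificates --membership --pwdformat john --syshive "${SYSTEM_PATH}" \
    --passwordhashes --passwordhistory \
    --csvoutfile "${DSUSERS_FILENAME}" --lmoutfile "${HASHES_LM_FILENAME}" \
    --ntoutfile "${HASHES_NT_FILENAME}"
}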
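#######################################
# Run NTDSXtract's dsgroups.py (with --members) over the exported tables.
# Globals:   DATATABLE_PATH, LINKTABLE_PATH, NTDSXTRACT_OUTPUT_DIR, DSGROUPS_FILENAME (read)
# Arguments: none
# Returns:   exit status of dsgroups.py
#######################################
function dsgroups() {
  dsgroups.py "${DATATABLE_PATH}" "${LINKTABLE_PATH}" "${NTDSXTRACT_OUTPUT_DIR}" \
    --members --csvoutfile "${DSGROUPS_FILENAME}"
}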
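#######################################
# Run NTDSXtract's dscomputers.py over the exported datatable.
# The original had a stray "\ " in the middle of a line, which turned
# " --csvoutfile" into a single argument with a leading space; removed here.
# Globals:   DATATABLE_PATH, NTDSXTRACT_OUTPUT_DIR, SYSTEM_PATH, DSCOMPUTERS_FILENAME,
#            HASHES_LM_DSCOMPUTERS_FILENAME, HASHES_NT_DSCOMPUTERS_FILENAME (read)
# Arguments: none
# Returns:   exit status of dscomputers.py
#######################################
function dscomputers() {
  dscomputers.py "${DATATABLE_PATH}" "${NTDSXTRACT_OUTPUT_DIR}" \
    --passwordhashes --passwordhistory --certificates \
    --membership --pwdformat john --syshive "${SYSTEM_PATH}" \
    --csvoutfile "${DSCOMPUTERS_FILENAME}" \
    --lmoutfile "${HASHES_LM_DSCOMPUTERS_FILENAME}" \
    --ntoutfile "${HASHES_NT_DSCOMPUTERS_FILENAME}"
}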
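#######################################
# Run NTDSXtract's dstimeline.py in CSV mode.
# The original was missing the space before --csv, so the flag was glued to
# the output directory argument. Note: this function is defined but not
# invoked by the main sequence at the bottom of the script.
# Globals:   DATATABLE_PATH, NTDSXTRACT_OUTPUT_DIR, DSTIMELINE_FILENAME (read)
# Arguments: none
# Returns:   exit status of dstimeline.py
#######################################
function dstimeline() {
  dstimeline.py "${DATATABLE_PATH}" "${NTDSXTRACT_OUTPUT_DIR}" \
    --csv --outfile "${DSTIMELINE_FILENAME}"
}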
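#######################################
# Run NTDSXtract's dsdeletedobjects.py with --useIsDeleted.
# The original was missing the space before --useIsDeleted, so the flag was
# glued to the output directory argument.
# Globals:   DATATABLE_PATH, NTDSXTRACT_OUTPUT_DIR, DSDELETEDOBJECTS_FILENAME (read)
# Arguments: none
# Returns:   exit status of dsdeletedobjects.py
#######################################
function dsdeletedobjects() {
  dsdeletedobjects.py "${DATATABLE_PATH}" "${NTDSXTRACT_OUTPUT_DIR}" \
    --useIsDeleted --output "${DSDELETEDOBJECTS_FILENAME}"
}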
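#######################################
# Record the path of the new NT hash file for runjohn.sh, rotating the
# previous marker to ".old" so runjohn.sh knows an earlier session exists.
# The original tested "! -f" and therefore tried to mv a file that did not
# exist (and never rotated one that did); the condition is inverted here.
# Globals:   WORKING_DIR, NTDSXTRACT_OUTPUT_DIR, HASHES_NT_FILENAME (read)
# Arguments: none
# Outputs:   writes ${WORKING_DIR}/.john_input_path (and .old on rotation)
#######################################
function generate_john_input_path() {
  local marker="${WORKING_DIR}/.john_input_path"
  if [[ -f "${marker}" ]]; then
    mv -- "${marker}" "${marker}.old"
  fi
  # NTDSXTRACT_OUTPUT_DIR already ends in "/", hence no separator here.
  printf '%s\n' "${NTDSXTRACT_OUTPUT_DIR}${HASHES_NT_FILENAME}" > "${marker}"
}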
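#######################################
# Read the NT hash file path recorded by generate_john_input_path.
# Fixes vs. the original: the marker was read from NTDSXTRACT_OUTPUT_DIR while
# generate_john_input_path (and runjohn.sh) use WORKING_DIR; the error message
# printed ${path} instead of the path that was checked; and "$(READ)" executed
# a command named READ instead of expanding the variable.
# Not called by the main sequence at the bottom of the script.
# Globals:   WORKING_DIR (read), JOHN_INPUT_PATH (written)
# Arguments: none
# Returns:   0 when the recorded file exists; exits 1 otherwise
#######################################
function get_john_input_path() {
  local marker="${WORKING_DIR}/.john_input_path"
  local recorded
  recorded=$(cat -- "${marker}") || exit 1
  if [[ -z "${recorded}" || ! -f "${recorded}" ]]; then
    echo "File not found: ${recorded}" 1>&2
    exit 1
  fi
  JOHN_INPUT_PATH="${recorded}"
}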
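#######################################
# Create the per-snapshot directory tree (same layout as the manual mkdir above).
# Quoted and guarded; the original left ${DATE_DIR} bare and ignored failures.
# NOTE(review): this tree will hold credential material (ntds.dit, hives,
# hash dumps); the umask in effect decides who can read it — check it.
# Globals:   DATE_DIR (read)
# Arguments: none
# Returns:   0 on success; exits 1 if any directory cannot be created
#######################################
function create_directories() {
  mkdir -p -- "${DATE_DIR}" \
    "${DATE_DIR}/esentul_output" "${DATE_DIR}/ImpDump_output" \
    "${DATE_DIR}/NTDS" "${DATE_DIR}/NTDSXtract_output" "${DATE_DIR}/SAM" || exit 1
}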
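#######################################
# Copy ntds.dit, SAM and the SYSTEM hive from the download folder into DATE_DIR.
# The hive is always stored as NTDS/SYSTEM: SYSTEM_PATH expects that name, but
# the original copied a lower-case "system" under its own name, leaving
# SYSTEM_PATH dangling for those snapshots. Each copy is now checked.
# Globals:   path, DATE_DIR (read)
# Arguments: none
# Returns:   0 on success; exits 1 if a copy fails or no hive is present
#######################################
function copy_files() {
  cp -- "${path}/ntds.dit" "${DATE_DIR}/" || exit 1
  cp -- "${path}/SAM" "${DATE_DIR}/SAM/" || exit 1
  # Upper-case name first; older snapshots ship the hive as "system".
  if [[ -f "${path}/SYSTEM" ]]; then
    cp -- "${path}/SYSTEM" "${DATE_DIR}/NTDS/SYSTEM" || exit 1
  elif [[ -f "${path}/system" ]]; then
    cp -- "${path}/system" "${DATE_DIR}/NTDS/SYSTEM" || exit 1
  else
    echo "File not found: ${path}/SYSTEM or ${path}/system" 1>&2
    exit 1
  fi
}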
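#######################################
# Run esedbexport on the copied ntds.dit from inside DATE_DIR, so the
# ntds.dit.export directory lands where ESEDBEXPORT_OUTPUT_DIR points.
# The original did not check the cd, so a bad DATE_DIR would export into
# whatever the current directory happened to be.
# Globals:   DATE_DIR (read)
# Arguments: none
# Returns:   0 on success; exits 1 if the cd or the export fails
#######################################
function export_tables() {
  cd -- "${DATE_DIR}" || exit 1
  esedbexport ntds.dit || exit 1
}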
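# Main sequence: validate, stage the files, export the ESE tables, run the
# NTDSXtract extractors concurrently, then hand the NT hash file to runjohn.sh.
check_arguments
create_directories
copy_files
export_tables
get_tables
# The extractors are independent, so they run in parallel. A plain "wait"
# discards their exit codes; collect them so a failed extraction does not
# silently proceed to john. dstimeline is defined above but, as in the
# original flow, not invoked here.
pids=()
dsusers & pids+=($!)
dsgroups & pids+=($!)
dscomputers & pids+=($!)
dsdeletedobjects & pids+=($!)
failed=0
for pid in "${pids[@]}"; do
  wait "${pid}" || failed=1
done
if (( failed )); then
  echo "One or more NTDSXtract extractors failed; not starting john" 1>&2
  exit 1
fi
generate_john_input_path
sudo /usr/sbin/runjohn.sh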
Script runjohn.sh cracking01.rra.lan:/usr/sbin/runjohn.sh[edit]
#!/bin/bash
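# Number of john forks; must match the pattern kill_old looks for.
THREADS=20
WORKING_DIR="/home/cracking/AD/instantaneas/ADBBVA"
# Marker files maintained by adextract.sh: the current hash file path, and the
# previous one (whose presence means an earlier session may still be running).
READ_FILE="${WORKING_DIR}/.john_input_path"
READ_CURRENT_FILE="${WORKING_DIR}/.john_input_path.old"
# Path of the NT hash file to crack; empty when the marker is missing
# (cat's own error is kept visible, and check_input reports it properly).
FILE=$(cat -- "${READ_FILE}")
# The snapshot date (yyyy-mm-dd) embedded in that path names the john session.
# Done with the shell's own regex match instead of the original echo|grep
# pipeline, which also left ${FILE} unquoted.
DATE=""
if [[ "${FILE}" =~ [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} ]]; then
  DATE=${BASH_REMATCH[0]}
fi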
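#######################################
# Refuse to continue unless running as root; adextract.sh invokes this script
# through sudo and the rest of it assumes that.
# The original exited with status 0 and printed to stdout; now 1 and stderr.
# Globals:   EUID (read)
# Arguments: none
# Returns:   0 when root; exits 1 otherwise
#######################################
function is_running_as_root() {
  if [[ "${EUID}" -ne 0 ]]; then
    echo "Please run with sudo" 1>&2
    exit 1
  fi
}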
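#######################################
# Ensure the hash file recorded by adextract.sh actually exists before john is
# started. The original exited with status 0 on failure and wrote to stdout.
# Globals:   FILE (read)
# Arguments: none
# Returns:   0 when FILE is a regular file; exits 1 otherwise
#######################################
function check_input() {
  if [[ -z "${FILE}" || ! -f "${FILE}" ]]; then
    echo "File not found: ${FILE}" 1>&2
    exit 1
  fi
}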
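#######################################
# Stop the john session left by the previous snapshot, if the ".old" marker
# says there was one. Matches the exact invocation run_john uses, so only
# this script's own john processes are selected.
# Fixes vs. the original: the ps|grep|awk chain matched a literal --fork=10
# while THREADS is 20 (so nothing was ever found), and xargs was handed the
# single word "echo sudo kill -9" as a command name, which does not exist.
# NOTE(review): SIGKILL is kept from the original; sending TERM first would
# give john a chance to save its session state — confirm before changing.
# Globals:   READ_CURRENT_FILE, THREADS (read)
# Arguments: none
# Returns:   0 always (nothing to kill is not an error)
#######################################
function kill_old() {
  local pattern="john --fork=${THREADS} --session="
  local pids
  if [[ ! -f "${READ_CURRENT_FILE}" ]]; then
    return 0
  fi
  pids=$(pgrep -f "${pattern}") || return 0
  echo "Stopping previous john processes: ${pids//$'\n'/ }"
  # shellcheck disable=SC2086 -- pids is a whitespace-separated list of PIDs
  sudo kill -9 ${pids}
  # rm -- "${READ_CURRENT_FILE}"   # left disabled, as in the original
}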
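#######################################
# Start john on the recorded NT hash file from the sessions directory.
# The cd is now checked: the original would have run john from whatever
# directory it happened to be in when the sessions path was missing.
# Globals:   WORKING_DIR, THREADS, DATE, FILE (read)
# Arguments: none
# Returns:   exit status of john; exits 1 if the sessions directory is missing
#######################################
function run_john() {
  cd -- "${WORKING_DIR}/john/sessions/" || exit 1
  # DATE may be empty if no yyyy-mm-dd was found in FILE; john then gets
  # "--session=" exactly as in the original.
  john --fork="${THREADS}" --session="${DATE}" --format=NT "${FILE}"
}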
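# Main sequence. check_input was defined but never called in the original;
# it runs before kill_old so that a missing input file does not tear down a
# healthy previous session for nothing.
is_running_as_root
check_input
kill_old
run_john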