Post Exploitation - Pulling NTDS and extracting with SecretsDump

To continue our example of targeting Active Directory, below is an example of how an attacker can pillage the NTDS.dit database after obtaining a Domain Admin account that has access to a Domain Controller. The file is locked while the DC is running, so it has to be copied out through a Volume Shadow Copy (for example with ntdsutil's IFM mode) together with the SYSTEM registry hive, whose boot key is needed to decrypt the stored hashes.

Gaining a foothold: The Rubber Ducky and PowerShell Empire

So, I recently acquired my first rubber ducky and I've been messing around with it quite a bit. I wanted to document the basic setup and provide some links for further reading.

All of my write-ups are conducted in a lab, but I try to emulate what can happen in real life. In our example below, I want to emulate a Rubber Ducky being plugged into a corporate-managed Windows device. This could have been done by either an attacker gaining physical access and plugging the Rubber Ducky in directly, or, as has been done in past years, dropping them in parking lots and having employees pick them up and plug them into their workstations. Either way, let's demonstrate what can happen.

We will be using Kali as our payload-generating machine and PowerShell Empire server, and we will be attacking a Windows 7 host.

To start, we need to make sure we know which pieces of the Rubber Ducky do what. In its simplest form, we will be using three pieces: the microSD card that carries our payload, the USB adapter that allows us to write to it, and the USB device that delivers our payload.

USB used to write payload

Post Exploitation - DCSync

Now that we have a Domain Admin account, another step that can be taken is to run "DCSync". DCSync abuses the Directory Replication Service protocol (MS-DRSR): the attacker's tool impersonates a Domain Controller and asks the targeted Domain Controller to replicate account secrets, so the DC hands over password hashes exactly as it would to a legitimate replication partner. It works for any account holding the "Replicating Directory Changes" and "Replicating Directory Changes All" rights on the domain, which Domain Admins have by default, and it never touches NTDS.dit on disk. This allows an attacker to acquire credentials for every account in the domain, including krbtgt (the key a Golden Ticket is built from), and thereby maintain persistence.

As always, this is more of a step-by-step walkthrough of how the actions are performed. There are many other blogs that go into further detail on the attack and how to mitigate it. I will not be doing that here.

To continue our example, we will assume the following:

Gaining a foothold: Using Responder and an NTLM relay attack

A previous post showed how to capture hashes and crack them. But what if you can't crack the passwords? Is there any way to use the captured hash without cracking it? Lucky for us, there is: a captured Net-NTLMv2 challenge/response can't be replayed as a pass-the-hash credential, but while the victim is still authenticating it can be relayed to another host that does not enforce SMB signing. byt3bl33d3r wrote a great post back in 2017 that covers exactly what I'm about to briefly show; I suggest you check out his post for more information.

Like most of my posts, I only scratch the surface and emulate a real attack. I don't go in depth since there are tons of other write-ups out there that do. Instead, I make more of a step-by-step illustration of how the attack was conducted.

To get started, it is important to know the difference between some of the technologies involved: