So there was this blog post that talking about a number of ways to dump windows credentials by @lanjelot [definitly someone to follow] – here: https://www.securusglobal.com/community/2013/12/20/dumping-windows-credentials/ and at the very bottom of this post it says “AD Replication (EXPERIMENTAL)”
What it boils down to is if you can position a system that can do DNS resolution to the target domain, and perform some other UDP traffic, you can fake join a samba server you control to a domain and it doesn’t require code execution in any way on the domain controller.
Notice: I am not doing this on a Kali Linux box, there is already an install of Samba there and I didn’t want to try uninstalling or modifying the one installed.
First, you need this patch:
wget http://files.securusglobal.com/samba-4.1.0_replication-only-patch.txt
and Samba 4.1.0
wget http://ftp.samba.org/pub/samba/stable/samba-4.1.0.tar.gz
You will probably also require some dependencies to be installed:
apt-get install python2.7-dev python-samba libacl1-dev build-essential libldap2-dev libkrb5-dev attr
Since the patch is kinda wonky, you need to make a src directory and extract samba into there first. Then apply the patch in whatever directory is above src
12345 | |
So it would look like this:
123 | |
then run patch -p0 < samba-4.1.0_replication-only-patch.txt
1234 | |
Prepare the box:
1 | |
Next you need to make sure you are resolving correctly (if you can’t resolve the SRV record _ldap._tcp.sittingduck.info (sittingduck.info being the domain) then this isn’t going to work.
1 | |
Then start the clone:
1 | |
Looks like this:
1234567891011121314151617181920212223242526272829 | |
Then to get the hashes:
12345678 | |
Or you can do it with history:
123456789 | |
Game over. The great thing is that it never actually shows up as a joined box in the domain, and as far as I can tell the only log on the real DC is the login success of a domain admin. Plus one of the huge benefits to this method is that once you have the database Samba makes it really easy to query information like group membership or users info after the fact, not just hashes.