Domain Administrator in 17 seconds

Tuesday, August 11, 2015

Obtaining domain administrative privileges on a security assessment is a goal that many assessors seek. It is what fills us with excitement, as we know that the real fun is about to begin. After several assessments of crunching and spending time obtaining domain administrator privileges, I decided that I wanted to expedite this process.

CredCrack was born.

CredCrack was developed in Python and made to be quick and quiet. It exfiltrates credentials in memory and in the clear while highlighting domain administrator accounts for you!

How it works


CredCrack begins by setting up the stage. It will automatically start the Apache service and deploy two files to your /var/www directory. One is named fun.ps1 and the other creds.php. Additionally, the assessor running the script is responsible for downloading Invoke-Mimikatz.ps1 and storing it in the same directory (/var/www).

After it is done setting up, CredCrack will validate the list of systems provided to ensure it can reach them and that they have port 445 open. It will remove systems that can't be reached and proceed to query systems for the list of domain administrators.

Once the list of domain administrators has been obtained, CredCrack will begin harvesting all systems for credentials. It will send an initial PowerShell command asking the remote system to connect back to the assessor's system, then download and execute the contents of fun.ps1 in memory.


The fun.ps1 PowerShell script will execute Mimikatz in memory and send the credentials back to the assessor's system in a POST request (which creds.php intercepts).

CredCrack will continue harvesting credentials for all systems provided then determine if any domain administrator credentials were obtained by matching each username with the list of domain administrators previously obtained. After that, CredCrack will output the results, gracefully clean up and quit.
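For defenders, the harvesting flow above leaves a recognizable network trace: a workstation fetches a .ps1 file from a web server and POSTs back to that same server seconds later, and during a sweep many hosts do so against one server. The following is an added example, not part of CredCrack or the original post; it generalizes from fun.ps1 and creds.php to any .ps1 fetch followed by a POST, and the log format, sample records and function names are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records in an assumed proxy/flow log format:
# timestamp client server method path
SAMPLE_LOG = """\
2015-08-11T10:00:01 10.0.0.21 10.0.0.99 GET /fun.ps1
2015-08-11T10:00:04 10.0.0.21 10.0.0.99 POST /creds.php
2015-08-11T10:00:05 10.0.0.22 10.0.0.99 GET /fun.ps1
2015-08-11T10:00:09 10.0.0.22 10.0.0.99 POST /creds.php
2015-08-11T10:02:00 10.0.0.30 10.0.0.50 GET /index.html
2015-08-11T10:02:03 10.0.0.30 10.0.0.50 POST /login.php
2015-08-11T10:05:00 10.0.0.31 10.0.0.60 GET /tools/setup.ps1
2015-08-11T11:30:00 10.0.0.31 10.0.0.60 POST /upload
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (GET|POST) (\S+)$")

def find_fetch_then_post(log_text, window=timedelta(seconds=60)):
    """Find clients that GET a .ps1 and then POST to the same server within `window`."""
    pending = {}   # (client, server) -> (time of .ps1 GET, script path)
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip records that do not fit the assumed format
        ts, client, server, method, path = m.groups()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
        key = (client, server)
        if method == "GET" and path.lower().split("?")[0].endswith(".ps1"):
            pending[key] = (when, path)
        elif method == "POST" and key in pending:
            fetched_at, script = pending.pop(key)
            if when - fetched_at <= window:
                findings.append((client, server, script, path))
    return findings

def servers_hit_by_many(findings, min_clients=2):
    """Servers that several distinct clients show the pattern against (a sweep)."""
    clients = {}
    for client, server, _, _ in findings:
        clients.setdefault(server, set()).add(client)
    return sorted(s for s, c in clients.items() if len(c) >= min_clients)

if __name__ == "__main__":
    hits = find_fetch_then_post(SAMPLE_LOG)
    for hit in hits:
        print("script fetch then POST:", *hit)
    print("servers contacted by multiple clients:", servers_hit_by_many(hits))
```

Log records are assumed to be in time order; correlating the flagged clients with PowerShell process-creation or script block logs on those hosts confirms whether the fetch was executed.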

Domain Administrator Credentials in 17 seconds


CredCrack has two main functionalities. CredCrack uses the provided local administrative user credentials to enumerate share privileges or harvest credentials across a network. One reason to use the enumerate share functionality is to determine if the provided user has write or administrative access on a system. Refer to the syntax and example screenshot below for sample usage.

CredCrack's most valuable functionality is its ability to harvest credentials. Refer to the syntax and example screenshot below for sample usage.

Awesome! It's time to see CredCrack in action! The video below shows the fastest typer I know, Alton, as he uses CredCrack and obtains domain administrator credentials in 17 seconds.


Conclusion


CredCrack was made to facilitate obtaining domain administrator credentials on an assessment. It has already helped me significantly on assessments and I hope it can help others as well. CredCrack does not have any dependencies other than Invoke-Mimikatz.ps1 if run on Kali Linux. For more information on CredCrack, visit my GitHub page. For information on defending against CredCrack and similar attacks, check out my other post.

Happy harvesting!

12 comments:

  1. Are the .ps1 files signed with a code signing cert?

  2. Nope, they're not. If you were thinking about security through the PowerShell Set-Execution Policy it wouldn't work here. This is due to PowerShell executing and invoking the scripts in memory.

  3. Hello, I have an error when I execute the script:

    ValueError: zero length field name in format

    ???

    thanks

    My python version is 2.6.6. I execute this line command:

    ./credcrack.py -d XXX -u XXX -f hosts -es

  4. Hey Alexandre, thanks for identifying a problem. Can you please open up an issue on GitHub https://github.com/gojhonny/CredCrack/issue so we can work on fixing it together? Thank you!

  5. My exact error:

    Traceback (most recent call last):
      File "./credcrack.py", line 415, in <module>
        main()
      File "./credcrack.py", line 411, in main
        print "{}[!]{} File: {} does not exist.".format(colors.red, colors.normal, args.file)
    ValueError: zero length field name in format


    Sorry for my bad English and thank you very much

  6. Cool technique and write-up. Now for the important part, how does an admin prevent this type of attack?

  7. Hey g3m1n1wp, look for an updated version of the post coming soon. It'll include ways to prevent this attack vector.

  8. Hi, I have this result on harvesting: User is not an admin on {} or the system is not joined to a domain

  9. Thank you for sharing this tool. I tried it and it is really cool! :) Is it possible to use a password hash rather than the cleartext password?
