Closed PeterGabaldon closed 1 month ago
Hello, this implementation is similar to this PR https://github.com/fortra/impacket/pull/1470, now open for more than a year. Hopefully one of these will get merged.
Hello, I know it may sound stupid from my side, but, is it possible to make it retrieve NTDS.dit file as well?
Hello, I know it may sound stupid from my side, but, is it possible to make it retrieve NTDS.dit file as well?
Hi @daviosardinha, yeah, it could be possible. But I focused on retrieve SAM because impacket already can retrieve NTDS.dit via Shadow Snapshot with the -use-vss parameter. This option (-use-vss) uses a differente aproach, executing "vssadmin create..." remotely.
As @SAERXCIT mentioned, there is a enhanced version of this in this PR https://github.com/fortra/impacket/pull/1470 using WMI for retriving NTDS.dit via Shadow Snapshot.
Maybe this two efforts should be combined in order to get all options, SAM, SYSTEM, SECURITY (this PR) and NTDS.dit (@SAERXCIT PR)
Nice one! As I remember, there were no problem obtaining SAM from snapshots at least via smbclient.py. Have you tried that?
Hi @Veids, as far as I have tested I do not think so.
It is possible to list Shadow Snapshot from Impacket's smbclient but apparently not possible to access them.
Also note that the format is incorrect (https://github.com/fortra/impacket/pull/1718)
I have also tried SAMBA smbclient with no success.
And in Windows an error is obtained like when accessing SAM/SYSTEM/SECURITY directly on disk.
Maybe I am failing at some point, it would be nice if you could give an example please. Thanks!
I think it would be possible to access the Shadow Snapshot Remotely and copy SAM/SYSTEM/SECURITY via SMB using a Junction Point, but it does not avoid executing code on the target machine as mklink is needed.
Well, somehow cd command fails, but you can still enumerate the snapshot:
And in order to download:
Nice @Veids, thanks mate.
Then I did not implemented it well (https://github.com/fortra/impacket/pull/1719/commits/19a310cb352b4b53b0d597f930bc4a732e55a1a5#diff-8a6b9e2198823742cf22bdbbe05f402809f595772c73e31cba6bf5f9aeb7855fR1068)
At my first try, I tried to download them directly through SMB. I am idiot :S. I will review it and try to avoid executing code remotely. Thank you!
The __WMIcopy
in this case is useless, I think you can clean it up. Others look good! (BTW, don't forget to test it on Windows 2003)
Thanks to @Veids and its advice, it is now working without RCE. It was my mistake that I implemented it bad, but now it is working. SAM/SYSTEM/SECURITY are downloaded via SMB from the Shadow Snapshot. I have to clear a little bit the code, but it is working fine.
reviewing this one
Excellent! One last thing I forgot to mention, is that shadow copies created duting the attack should be deleted. Do you think this could be implemented?
Ok @anadrianmanrique, I will try to implement that this weekend. Apparently the Delete method is not documented (https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/aa394428(v=vs.85) but it is available also via WMI.
$shadowCopies = Get-WMIObject -Class Win32_ShadowCopy -Computer <TARGET SERVER NAME>
$shadowCopies | % {$_.DeviceObject}
$shadowCopies | Get-Member -View All
$shadowCopies[0].Delete()
$shadowCopies.Delete()
Hi, just to clarify one thing. I have tested it and yes, the SS can be deleted remotely via WMI. I am moving forward to implement it.
The Delete method is inherited from ManagementObject (https://learn.microsoft.com/es-es/dotnet/api/system.management.managementobject?view=dotnet-plat-ext-7.0)
PS C:\Users\Peter> $shadowCopies = Get-WMIObject -Query 'SELECT * FROM Win32_ShadowCopy WHERE ID="{569d2e9f-d38e-4b73-97b7-33b4efa60f45}"' -Credential $creds -Computer 192.168.43.131
PS C:\Users\Peter> $shadowCopies | Get-Member -View All
TypeName: System.Management.ManagementObject#root\cimv2\Win32_ShadowCopy
Name MemberType Definition
---- ---------- ----------
PSComputerName AliasProperty PSComputerName = __SERVER
Disposed Event System.EventHandler Disposed(System.Object, System.EventArgs)
Clone Method System.Object Clone(), System.Object ICloneable.Clone()
CompareTo Method bool CompareTo(System.Management.ManagementBaseObject otherObject, S...
CopyTo Method System.Management.ManagementPath CopyTo(System.Management.Management...
CreateObjRef Method System.Runtime.Remoting.ObjRef CreateObjRef(type requestedType)
Delete Method void Delete(), void Delete(System.Management.DeleteOptions options),...
Dispose Method void Dispose(), void IDisposable.Dispose()
Equals Method bool Equals(System.Object obj)
Get Method void Get(), void Get(System.Management.ManagementOperationObserver w...
GetHashCode Method int GetHashCode()
GetLifetimeService Method System.Object GetLifetimeService()
GetMethodParameters Method System.Management.ManagementBaseObject GetMethodParameters(string me...
GetObjectData Method void ISerializable.GetObjectData(System.Runtime.Serialization.Serial...
GetPropertyQualifierValue Method System.Object GetPropertyQualifierValue(string propertyName, string ...
GetPropertyValue Method System.Object GetPropertyValue(string propertyName)
GetQualifierValue Method System.Object GetQualifierValue(string qualifierName)
GetRelated Method System.Management.ManagementObjectCollection GetRelated(), System.Ma...
GetRelationships Method System.Management.ManagementObjectCollection GetRelationships(), Sys...
GetText Method string GetText(System.Management.TextFormat format)
GetType Method type GetType()
InitializeLifetimeService Method System.Object InitializeLifetimeService()
InvokeMethod Method System.Object InvokeMethod(string methodName, System.Object[] args),...
Put Method System.Management.ManagementPath Put(), System.Management.Management...
Revert Method System.Management.ManagementBaseObject Revert(System.Boolean ForceDi...
SetPropertyQualifierValue Method void SetPropertyQualifierValue(string propertyName, string qualifier...
SetPropertyValue Method void SetPropertyValue(string propertyName, System.Object propertyValue)
SetQualifierValue Method void SetQualifierValue(string qualifierName, System.Object qualifier...
ToString Method string ToString()
Item ParameterizedProperty System.Object Item(string propertyName) {get;set;}
Caption Property string Caption {get;set;}
ClassPath Property System.Management.ManagementPath ClassPath {get;}
ClientAccessible Property bool ClientAccessible {get;set;}
Container Property System.ComponentModel.IContainer Container {get;}
Count Property uint32 Count {get;set;}
Description Property string Description {get;set;}
DeviceObject Property string DeviceObject {get;set;}
Differential Property bool Differential {get;set;}
ExposedLocally Property bool ExposedLocally {get;set;}
ExposedName Property string ExposedName {get;set;}
ExposedPath Property string ExposedPath {get;set;}
ExposedRemotely Property bool ExposedRemotely {get;set;}
HardwareAssisted Property bool HardwareAssisted {get;set;}
ID Property string ID {get;set;}
Imported Property bool Imported {get;set;}
InstallDate Property string InstallDate {get;set;}
Name Property string Name {get;set;}
NoAutoRelease Property bool NoAutoRelease {get;set;}
NotSurfaced Property bool NotSurfaced {get;set;}
NoWriters Property bool NoWriters {get;set;}
Options Property System.Management.ObjectGetOptions Options {get;set;}
OriginatingMachine Property string OriginatingMachine {get;set;}
Path Property System.Management.ManagementPath Path {get;set;}
Persistent Property bool Persistent {get;set;}
Plex Property bool Plex {get;set;}
Properties Property System.Management.PropertyDataCollection Properties {get;}
ProviderID Property string ProviderID {get;set;}
Qualifiers Property System.Management.QualifierDataCollection Qualifiers {get;}
Scope Property System.Management.ManagementScope Scope {get;set;}
ServiceMachine Property string ServiceMachine {get;set;}
SetID Property string SetID {get;set;}
Site Property System.ComponentModel.ISite Site {get;set;}
State Property uint32 State {get;set;}
Status Property string Status {get;set;}
SystemProperties Property System.Management.PropertyDataCollection SystemProperties {get;}
Transportable Property bool Transportable {get;set;}
VolumeName Property string VolumeName {get;set;}
__CLASS Property string __CLASS {get;set;}
__DERIVATION Property string[] __DERIVATION {get;set;}
__DYNASTY Property string __DYNASTY {get;set;}
__GENUS Property int __GENUS {get;set;}
__NAMESPACE Property string __NAMESPACE {get;set;}
__PATH Property string __PATH {get;set;}
__PROPERTY_COUNT Property int __PROPERTY_COUNT {get;set;}
__RELPATH Property string __RELPATH {get;set;}
__SERVER Property string __SERVER {get;set;}
__SUPERCLASS Property string __SUPERCLASS {get;set;}
ConvertFromDateTime ScriptMethod System.Object ConvertFromDateTime();
ConvertToDateTime ScriptMethod System.Object ConvertToDateTime();
Shadow Snapshot is now deleted after downloading SAM/SYSTEM/SECURITY
The Delete method of ManagementObject (https://learn.microsoft.com/es-es/dotnet/api/system.management.managementobject?view=dotnet-plat-ext-7.0) actually is a call to DeleteInstance or DeleteClass.
The implementation of the .NET method can be found here: https://github.com/dotnet/runtime/blob/d099f075e45d2aa6007a22b71b45a08758559f80/src/libraries/System.Management/src/System/Management/ManagementObject.cs#L1939.
Great job! Thanks for your PR. Now merging
Hi @anadrianmanrique, a blank file called SAM' was at the root of the repo and has been pushed.
I didn´t detected that mistake, I am sorry about that.
thanks for letting me know!
[UPDATE]
Thanks to @Veids and its advice, it is now working without RCE. It was my mistake that I implemented it bad, but now it is working. SAM/SYSTEM/SECURITY are downloaded via SMB from the Shadow Snapshot. I have to clear a little bit the code, but it is working fine.
https://github.com/fortra/impacket/pull/1719#issuecomment-2068196794
A new method for dumping local credentials has been developed that does not depend on the registry. This technique involves creating a Shadow Snapshot on the remote computer through WMI and downloading the SAM, SYSTEM, and SECURITY files for local analysis. Although Impacket implements a method for utilizing Shadow Snapshot, this method is distinct. The method currently in use targets NTDS in Domain Controllers using vssadmin create. Since the create command is not available in vssadmin on client computers, it is not possible to create a Shadow Snapshot remotely with this built-in tool. However, creation is feasible using WMI.
~Regrettably, I was unable to find a method to directly access the Shadow Snapshot remotely, leading me to resort to code execution to transfer the SAM, SYSTEM, and SECURITY files to a temporary local directory, which is more intrusive.~
Attempts to copy the files via WMI's _CIMLogicalFile were unsuccessful, ~yet I opted not to remove the __WMIcopy method~.
Following the creation of the Shadow Snapshot ~and the transfer of files to a temporary directory~, the SAM, SYSTEM, and SECURITY files are downloaded through SMB and parsed locally.
This update introduces the following parameters:
Example:
The following example use this method: python3 secretsdump.py -use-remoteSSMethod -debug "./Admin:1234@192.168.1.161"
The Shadow Snapshot has been created.
And the files were downloaded remotely via SMB.