fortra / impacket

Impacket is a collection of Python classes for working with network protocols.
https://www.coresecurity.com

secretsdump - plain text secrets #316

Open Meatballs1 opened 7 years ago

Meatballs1 commented 7 years ago

So I used secretsdump.py and the .ntds.cleartext file was empty.

However, a colleague used DSInternals and most users had clear text creds in the file...

asolino commented 7 years ago

Hey @Meatballs1

Do you know the target OS for the DC? (So I can test it). How did you run secretsdump.py? DRSUAPI or VSS method?

Are you sure what DSInternals is showing is the supplementalCredentials CLEARTEXT property, or maybe it is pulling stuff from somewhere else (that secretsdump doesn't)? Bottom line, I'm trying to understand whether this is a bug, or a new feature that needs to be implemented.

Any chance to share the DIT/hives?

Meatballs1 commented 7 years ago

No chance to share the dit unfortunately :)

It wasn't via VSS - files were created via NTBackup on a 2003SP2 DC.

asolino commented 7 years ago

Ok.. no problem. So you specified the files to secretsdump.py, correct? (No DRSUAPI method). I'll try to replicate it down here.

Btw.. did you check if DSInternals' cleartext are coming from supplementalCredentials? (maybe it does mention it in the output)

christopher-panayi commented 7 years ago

Yes, the cleartext output from DSInternals is definitely being listed under SupplementalCredentials, along with the Kerberos credentials.

asolino commented 7 years ago

Thanks @christopher-panayi for the feedback.

Just tested this functionality and couldn't reproduce this issue. Will try to get a 2003SP2 DC to verify whether there's a different behavior there.