Closed CravateRouge closed 1 year ago
They're not in the DC's memory but in its database. You can see them if you look into the DB eg. using lsadump::dcsync
.
Thank you, so it means it is also stored on the hard drive of the DC but mimikatz can only retrieve it calling the replication protocol and not by parsing the file/files where it is stored?
It's in the NTDS.dit of the domain controller (so yes, in the disk).
RPC DRS is the only API "allowing" you to retrieve the information live (it is not meant to be read by anyone but just replicated amongst domain controllers). If you have a backup of domain controllers, tools such as DSInternals allow you to extract it from the file itself.
I don't think it is stored anywhere in the SSP memory, as it doesn't not need to be. Those hashes are only useful for the DC side. The client part just generates the hash and the server will check it (oversimplified flow here... the hash isn't sent by used to encrypt messages etc... see MS-APDS). I am not sure why (maybe to make the process faster?) but the DC is accepting multiple valid hashes for a user. Let's take the user CONTOSO\test
with the password Passw0rd!
. The DC will pre-calculate and store all that:
md5("test:CONTOSO:Passw0rd!")
md5("TEST:contoso:Passw0rd!")
md5("TEST:CONTOSO:Passw0rd!")
md5("test:CONTOSO.COM:Passw0rd!")
md5("TEST:CONTOSO.COM:Passw0rd!")
md5("TEST:contoso.com:Passw0rd!")
md5("TEST@CONTOSO.COM::Passw0rd!")
md5("test@contoso.com::Passw0rd!")
md5("CONTOSO\test::Passw0rd!")
...
The client needs the clear-text, the server (here the DC) needs the possible derived hashes from it.
Thank you very much for this detailed explanation!
AD supports SASL Digest-MD5 for authentication on LDAP for example. But as stated in RFC2831 the response-value sent by the client contains
md5(user:realm:password)
. A blog post says the following: "_so for DIGEST compatibility AD pre-calculates 29 MD5 hashes for all kinds of scenarios and stores them in WDIGEST_CREDENTIALS_ attribute"It means it is stored somewhere on the DC but I can't find it even using mimikatz. For now I tried without much success:
Is mimikatz able to retrieve them?