rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

domain_hashdump problems / crash DC #6941

Closed BeanBagKing closed 6 years ago

BeanBagKing commented 8 years ago

TL;DR - There seem to be issues if this is run multiple times, leading to a crash of the domain controller if you force quit (exit -y) msfconsole

I'm practicing dumping hashes from a domain controller, following the Rapid7 article on the subject.

I can reproduce the crash about 90% of the time, and the rest of the issues every time. Some of them may be closer to features, but I felt the results didn't match the expected behavior so I included them here. If you wish to move them (or me to move them) elsewhere, let me know.

Systems

Target Server 2012 R2 x64 6.3.9600 Build 9600

Host Kali 2016.1 x86 up to date as of today 3 June 2016 Metasploit v4.12.4-dev (bundled w/ kali)

Both running in VMWare Workstation 12

Crash and reproduction

The biggest issue I've found is a reproducible way to crash the DC. I'm wondering if others can reproduce it, or if I'm just doing something wrong, and it's my fault there is a crash. There is only one thread under which I see domain_hashdump crashing, and no indications that it affected the DC there.

On DC

In Metasploit

Use exploit/windows/smb/psexec
     Valid domain admin credentials
     exploit, migrate to wininit.exe, background
Use post/windows/gather/credentials/domain_hashdump
     set your session (probably 1)
Exploit
     Success!
Exploit again! 
     This should fail, I'll get to this more in a moment.
exit -y

This should result in a crash, the entire target system goes down. Forcing an exit any time before the second attempt to exploit will be fine. Forcing an exit any time after the second attempt (third attempt, fourth, etc.) will crash the system.

I know I should kill the sessions politely, but in my own lab I was being a little sloppy and quick. That's how I found this. It doesn't seem to occur if you do sessions -K and then exit.

Expected Behavior - Metasploit exits without crashing the target system

Failure on multiple attempts

Getting back to that failed second exploit, you get the following output: http://pastebin.com/J67vzLN1. This seems fairly consistent: you get the first password (Administrator), it gets down to the hash history, and then about 25 lines of failure.

The third, and any subsequent attempts, you get the following: http://pastebin.com/wTFCwx67 - No accounts/hashes, and only about 7 lines of failure.

Expected Behavior - Subsequent attempts work the same as the first

Cleaning Up

When the exploit runs, it writes temp files to C:\Windows\Temp under a random folder. Once the exploit is completed, these files remain. They really should be removed.

Expected Behavior - domain_hashdump cleans up temporary files

Service Migration

Onto lesser issues - I find it odd that smart_hashdump will migrate services if it realizes you are on a service that won't work. For example, the process I started was 32bit, despite being system, it wouldn't work. smart_hashdump migrates you to a 64bit process. domain_hashdump makes you aware of this, but doesn't perform the process itself.

Expected Behavior - domain_hashdump attempts to migrate to an appropriate service.

Starting Services

If VSS and SWPRV aren't running, domain_hashdump will say insufficient privs, and stop...

[*] Volume Shadow Copy service not running. Starting it now...
[-] Insufficient Privs to start service!
[*] Post module execution completed

Yet it should have sufficient privileges to start those services. My uid is NT AUTHORITY\SYSTEM, and if I drop to a shell I can perform service start vss/swprv

Expected Behavior - Services are started

Edit: - I'm trying this with a larger domain (added 81k users), and seem to be getting "Post interrupted by the console user" every time now. Not sure if this is related to the larger database size, or if something else has changed.

jamesbcook commented 8 years ago

I have not seen the DC crash; however, I'm having the same issue as the last edit. I've tried setting the timeout to 300 seconds, but the timeout doesn't hit and I get the "Post interrupted by the console" error.

thelightcosine commented 7 years ago

Some of these issues were addressed during the big cleanup of this module a while back. Mubix had aggregated a lot of these issues into one Mega ticket I think. @jamesbcook @BeanBagKing are you guys still seeing the module crash out on large Domains? If so where in the process is it dying? Are you getting any of the hashes back or is it hanging before the creds start to come back like in #7323 ?

bcoles commented 7 years ago

For what it's worth, adding to @dmaloney-r7's comment above, I've had smart_hashdump or domain_hashdump crash a DC using Metasploit from git back in Jan 2017.

Box was Server 2008 R2, I think.

No hashes were returned. Server bluescreened. 100% crash rate --- three for three, just to be sure 🙄 Unsure of root cause.

busterb commented 7 years ago

Were these production servers, or lab VMs? I've got a hunch that being a real, busy server vastly changes the scenario when testing these.

bcoles commented 7 years ago

@busterb prod server. backup DC. There might have been a couple users logged in via RDP.

thelightcosine commented 7 years ago

@bcoles Do you know what the actual crash dump said? Is this an English language server? How big was the domain/NTDS.dit file? Did it crash on parse or somewhere else in the process?

bcoles commented 7 years ago

@dmaloney-r7 English language box. 64-bit. I've long since deleted the logs. A few hundred users in the domain (less than a thousand). NTDS was maybe a couple hundred MB.

I didn't get any hashes back. It crashed during or after copy. I can't be more specific.

I vaguely remember crashing another backup DC back in 2016. Also English language. Probably 64-bit. Maybe 1,000 users in the domain.

Endpoint protection was in use in both instances.

fsacer commented 6 years ago

@wvu-r7 as per low reproducibility not sure if it's worth keeping the issue open