module
Windows Secrets Dump
Disclosed | Created
---|---
N/A | 2020-09-30
Description
Dumps SAM hashes and LSA secrets (including cached credentials) from the
remote Windows target without executing any agent locally. This is
done by remotely updating the registry key security descriptor,
taking advantage of the WriteDACL privilege held by local
administrators to set temporary read permissions.
This can be disabled by setting the `INLINE` option to false, in which
case the module falls back to the original implementation, which
consists of saving the registry hives locally on the target
(%SYSTEMROOT%\Temp\.tmp), downloading the temporary hive
files and reading the data from them. These temporary files are removed
when the module is done.
On domain controllers, secrets from Active Directory are extracted
using [MS-DRDS] DRSGetNCChanges(), replicating the attributes we need
to get SIDs, NTLM hashes, groups, password history, Kerberos keys and
other interesting data. Note that the actual `NTDS.dit` file is not
downloaded. Instead, Active Directory is queried directly through RPC
requests to the Directory Replication Service.
This module takes care of starting or enabling the Remote Registry
service if needed. It will restore the service to its original state
when it's done.
This is a port of the great Impacket `secretsdump.py` code written by
Alberto Solino.
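The two host-side effects the description names (the Remote Registry service being started or enabled, and the security descriptor of the SAM and SECURITY hive keys being rewritten) are what a defender can watch for. The following is an added detection example, not code from the module or from Impacket; it correlates constructed, simplified System 7040 and Security 4670 records, and assumes registry object auditing (a SACL on those keys plus the Audit Registry policy) is enabled on the monitored hosts.

```python
"""Correlate Windows events for two side effects named in the module description:
a Remote Registry start-type change (System 7040) followed by a DACL change on the
SAM or SECURITY hive keys (Security 4670). Added detection example, not the module's
code; sample events are constructed, and 4670 assumes 'Audit Registry' plus a SACL
on those keys is configured on the monitored host."""
from datetime import datetime, timedelta
# Hive roots whose security descriptor the INLINE method temporarily relaxes.
SENSITIVE_KEYS = ("\\REGISTRY\\MACHINE\\SAM", "\\REGISTRY\\MACHINE\\SECURITY")
WINDOW = timedelta(minutes=10)  # max gap between service change and DACL change

def parse(line):
    """Parse one constructed 'ts|host|event_id|k=v;k=v' record into a dict."""
    ts, host, eid, rest = line.split("|", 3)
    fields = dict(kv.split("=", 1) for kv in rest.split(";") if kv)
    return {"ts": datetime.fromisoformat(ts), "host": host, "id": int(eid), **fields}

def remote_registry_enabled(ev):
    """System 7040: Remote Registry start type changed away from Disabled."""
    return (ev["id"] == 7040 and ev.get("service") == "RemoteRegistry"
            and ev.get("old_type") == "disabled")

def sensitive_dacl_change(ev):
    """Security 4670 on the SAM or SECURITY hive root or any key beneath it."""
    obj = ev.get("object", "").upper()
    return (ev["id"] == 4670 and ev.get("object_type") == "Key"
            and any(obj == k or obj.startswith(k + "\\") for k in SENSITIVE_KEYS))

def detect(lines):
    """Return (host, subject, key, confidence) alerts. A DACL change that follows
    a Remote Registry enable on the same host within WINDOW is 'high'; a DACL
    change on these keys with no such precursor is 'medium'."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    enabled_at, alerts = {}, []
    for ev in events:
        if remote_registry_enabled(ev):
            enabled_at[ev["host"]] = ev["ts"]
        elif sensitive_dacl_change(ev):
            start = enabled_at.get(ev["host"])
            correlated = start is not None and ev["ts"] - start <= WINDOW
            alerts.append((ev["host"], ev.get("subject"), ev["object"],
                           "high" if correlated else "medium"))
    return alerts

SAMPLE = [  # constructed sample records, not real log output
    "2020-09-30T10:00:00|WS01|7040|service=RemoteRegistry;old_type=disabled;new_type=demand start",
    "2020-09-30T10:00:05|WS01|4670|object_type=Key;object=\\REGISTRY\\MACHINE\\SECURITY;subject=WS01\\admin",
    "2020-09-30T10:00:06|WS01|4670|object_type=Key;object=\\REGISTRY\\MACHINE\\SAM\\SAM;subject=WS01\\admin",
    "2020-09-30T11:30:00|WS02|4670|object_type=Key;object=\\REGISTRY\\MACHINE\\SOFTWARE\\Demo;subject=WS02\\svc",
    "2020-09-30T12:00:00|WS03|4670|object_type=Key;object=\\REGISTRY\\MACHINE\\SAM\\SAM;subject=WS03\\bob",
]
```

Running `detect(SAMPLE)` yields two high-confidence alerts for WS01 and one medium-confidence alert for WS03; the unrelated SOFTWARE key change on WS02 is ignored.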
Authors
Alberto Solino
Christophe De La Fuente
antuache
smashery
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands `show options` or `show advanced`: