-
Notifications
You must be signed in to change notification settings - Fork 85
/
digvip
107 lines (90 loc) · 3.55 KB
/
digvip
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
# digvip
How to hunt a domain account
# Overview
So you are domain admin on the corporate domain and you have dumped the
password hashes of everyone, BUT your password cracking skills are not strong
enough to recover the password of your point of contact.
Your best bet is probably to track down the IP address of the workstation(s)
where your VIP is currently logged-on, remotely connect to these machines with
domain admin privileges and dump his password in clear-text from the Windows
system's memory.
As every logon events on the domain is recorded in the domain controller's
event logs, the best way to identify this list of IPs is to directly ask the
domain controller for it.
## Event Logs
```
Version | Log Format | Default location
---------------------------------------------------------------------------------
Windows 2003 and earlier | EVT | %windir%\system32\config\*.evt
Windows Vista/2008 and later | EVTX | %windir%\system32\winevt\logs\*.evtx
```
Double check the actual settings though (location, max size ...), read HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security.
## Tools
Non-exhaustive list of tools to query Windows event logs:
```
* PsLogList
CLI
By Sysinternals
Can read EVT or EVTX event logs
Can read remote computers
* wevtutil
CLI
Shipped by default with Windows Visa/2008/7
Can only read EVTX event logs
Can read remote computers
* EventQuery.VBS
CLI
Shipped by default with Windows 2003 and earlier
Can read remote computers
http://technet.microsoft.com/en-us/library/bb490900.aspx
* Eventvwr.msc snap-in
GUI
Could not make the "save all events" feature work
* samba
CLI
Could not make rpcclient(1) or net(1) work
* samba-tng
CLI
To try
* Write your own vbscript to speak to WMI
CLI
Can read remote computers
http://msdn.microsoft.com/en-us/library/aa394593%28v=vs.85%29.aspx
To try
* Write your own Powershell script to speak to WinRM
CLI
Write a powershell script that will remotely query event logs via the Windows Remote Management service
Can read EVT or EVTX event logs
Can read remote computers
The WinRM service must be running to use remote powershell commands (it is by default)
https://github.com/obscuresec/PowerShell/blob/master/Find-NTLMNetworkLogon works but firewall must allow access to the event log service (port 49153 ?) which does not seem to be the case after my default install of a w2k8 domain controller.
To try
```
Non-exhaustive list of tools to parse Windows event logs:
```
* python-evtx
http://www.williballenthin.com/evtx/
Only supports the EVTX format
* evtexport
http://code.google.com/p/libevt
Only supports the EVT format
* evtxexport
http://code.google.com/p/libevtx/
Only supports the EVTX format
```
## Demo
Logon events are recorded in the <em>Security</em> event log.
Use PsLogList to remotely extract logon-related events from the domain controller's <em>Security</em> event log:
```
c:\> psloglist.exe \\dc1.corp.com -accepteula -u aaxadm -p Password123 -s -i 4624,4768,4769 security > %TEMP%\extract.csv
```
The event IDs 4624, 4768 and 4769 are relevent to logons, but maybe more IDs could be added to the list.
Use the [digvip.py](https://github.com/lanjelot/pentest-tricks/digvip.py) script to then parse the extract and dig up the "John Cissp" account:
```
$ digvip.py /tmp/extract.csv jcissp
[+] Parsing /tmp/extract.csv, looking for jcissp
Logon time Client IP Domain\account
9/13/2013 6:39:07 AM 192.168.100.66 FRD\jcissp
9/13/2013 6:36:53 AM 192.168.100.66 FRD.CORP.COM\[email protected]
9/13/2013 6:16:46 AM 192.168.100.66 FRD.CORP.COM\jcissp
```