
Secretsdump not dumping hashes with recent W10 #326

Closed

dirkjanm opened this issue Sep 21, 2017 · 3 comments

Comments

@dirkjanm
Contributor

I've had this pop up a few times recently with newer setups:

Impacket v0.9.16-dev - Copyright 2002-2017 Core Security Technologies

[*] Running in relay mode to single host
[*] Config file parsed
[*] Setting up SMB Server
[*] Setting up HTTP Server

[*] Servers started, waiting for connections
[*] HTTPD: Received connection from 192.168.1.11, attacking target 192.168.1.10
[*] Authenticating against 192.168.1.10 as TEST\testuser SUCCEED
<snip>
[*] Service RemoteRegistry is in stopped state
[*] Service RemoteRegistry is disabled, enabling it
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x6ae85705a04b605873a6145092681ac0
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
[-] hashedBootKey CheckSum failed, Syskey startup password probably in use! :(
[*] Stopping service RemoteRegistry
[*] Restoring the disabled state for service RemoteRegistry

This is on a new domain against a new Windows 10 VM. I've also seen this on recent 2012R2 and 2016 servers. The issue also occurs when running secretsdump standalone.

This is probably related to this:
rapid7/metasploit-framework#8582
gentilkiwi/mimikatz@823d376

Any chance we can get this in secretsdump as well? Should be a relatively simple change if I look at the msf code.
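The log in the report shows the side effect a defender can see on the target: secretsdump flips RemoteRegistry from disabled to running, pulls the SAM, then stops the service and restores the disabled start type, all within a few seconds. The following detection is an added example written for this thread, not impacket code and not from either participant. It uses the real Service Control Manager event IDs 7040 (start type changed) and 7036 (service entered a state), but the JSON field names and the sample records are constructed for the example; a real pipeline would map its own Event Log fields onto them.

```python
"""Detect the RemoteRegistry enable -> start -> stop -> disable round trip
from Windows System log records.  Added example for this issue; the event
IDs are the real SCM ones, the record layout and samples are constructed."""

import json
from datetime import datetime, timedelta

# Constructed sample of Windows System log records as JSON lines.  The field
# names (ts, host, event_id, service, from, to, state) are an assumed
# normalised layout, not what the Event Log itself emits.
SAMPLE_EVENTS = """\
{"ts": "2017-09-21T10:00:01", "host": "WS01", "event_id": 7040, "service": "RemoteRegistry", "from": "disabled", "to": "demand start"}
{"ts": "2017-09-21T10:00:02", "host": "WS01", "event_id": 7036, "service": "RemoteRegistry", "state": "running"}
{"ts": "2017-09-21T10:00:09", "host": "WS01", "event_id": 7036, "service": "RemoteRegistry", "state": "stopped"}
{"ts": "2017-09-21T10:00:10", "host": "WS01", "event_id": 7040, "service": "RemoteRegistry", "from": "demand start", "to": "disabled"}
{"ts": "2017-09-21T11:30:00", "host": "WS02", "event_id": 7040, "service": "RemoteRegistry", "from": "disabled", "to": "auto start"}
{"ts": "2017-09-21T11:30:01", "host": "WS02", "event_id": 7036, "service": "RemoteRegistry", "state": "running"}
{"ts": "2017-09-21T12:00:00", "host": "WS03", "event_id": 7036, "service": "Spooler", "state": "running"}
"""

# The four steps of the pattern, in the order secretsdump produces them.
STEPS = ("enabled", "running", "stopped", "disabled")
WINDOW = timedelta(minutes=5)


def parse_events(text):
    """Parse JSON-lines records into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _step(ev):
    """Map one SCM event to a pattern step name, or None if unrelated."""
    if ev.get("service") != "RemoteRegistry":
        return None
    if ev["event_id"] == 7040:
        if ev.get("from") == "disabled":
            return "enabled"
        if ev.get("to") == "disabled":
            return "disabled"
    elif ev["event_id"] == 7036 and ev.get("state") in ("running", "stopped"):
        return ev["state"]
    return None


def find_remote_registry_toggles(events, window=WINDOW):
    """Return one finding per 'enabled' event on each host.

    A finding is 'full_cycle' when the service was also started, stopped and
    disabled again within `window`; an admin who needs RemoteRegistry leaves
    it running, so the fast round trip is what makes the sequence suspicious.
    Anything short of the full cycle is reported as 'partial' with the steps
    that were seen, so an enable that is never reverted still surfaces.
    """
    per_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        step = _step(ev)
        if step:
            stamp = datetime.fromisoformat(ev["ts"])
            per_host.setdefault(ev["host"], []).append((stamp, step))

    findings = []
    for host, steps in per_host.items():
        i = 0
        while i < len(steps):
            start, first = steps[i]
            if first != "enabled":
                i += 1
                continue
            matched, last, j = 1, start, i + 1
            # Consume subsequent steps in order until the window closes.
            while j < len(steps) and matched < len(STEPS):
                t, s = steps[j]
                if t - start > window:
                    break
                if s == STEPS[matched]:
                    matched, last = matched + 1, t
                j += 1
            findings.append({
                "host": host,
                "start": start.isoformat(),
                "duration_s": (last - start).total_seconds(),
                "pattern": "full_cycle" if matched == len(STEPS) else "partial",
                "steps_seen": list(STEPS[:matched]),
            })
            i = j
    return findings


if __name__ == "__main__":
    for finding in find_remote_registry_toggles(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

On the sample, WS01 yields a full cycle lasting nine seconds, WS02 a partial (enabled and running, never reverted), and the unrelated Spooler event on WS03 is ignored. The window is deliberately short; the full dump in the report completes in seconds, and a longer window only adds noise from legitimate service changes.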

@asolino
Collaborator

asolino commented Sep 21, 2017

Hey @dirkjanm, thanks for the report.

Yes.. I've been aware of it for quite a long time already. But it only happened to me against 2016 Servers.. Never W10/2012R2 (That's why it had low priority for now). I know what needs to be changed so it shouldn't be that hard (thanks to @gentilkiwi actually :)). It's all AES instead of RC4 and a few structure changes. Stay tuned.

asolino added a commit that referenced this issue Sep 22, 2017
- Similar to what was done in the past for the encryptedPekList in the offline NTDS.
- Thanks @gentilkiwi for documenting the structures, way easier and elegant approach.
- Testing needed in all platforms, just to be sure backward compatibility works.
- Addresses #326
@asolino
Collaborator

asolino commented Sep 22, 2017

Hey @dirkjanm, please git pull and give it a try. Testing is needed to be sure both approaches work. Thanks!

Close this issue if working on your side.

@dirkjanm
Contributor Author

Thanks @asolino, works like a charm! My 2012R2 is actually using the old format, so maybe I was mistaken on that part, but dumping hashes from W10 is working perfectly again. Thanks for the quick reply and fix, much appreciated.
