Observations, errors and suggestions #2

@dkjajhqu2h3j

Description

Hi. Thank you for this tool! I have successfully used it several times. I do however have a few observations and a suggestion.

  • I think I have seen a tweet in which you claim this tool should work regardless of which computer is targeted. In my experience I can "only" get this to work against DCs when it comes to non-ADCS attacks. While this is typically not a problem for obvious reasons, I have encountered a situation where Service Control Manager and RemoteRegistry were disabled/hardened on the client's DCs (only them), causing this tool to fail in its last stage when attempting to dump SAM and LSA. In this case relaying to ADCS wasn't an option either. Should this tool work against any member servers and workstations if not abusing ADCS or not? If yes, do the instructions differ between targeting DCs and targeting member servers or workstations? In that case I must be doing something wrong. Perhaps you can screenshot a working example of attacking a member server using the -secrets command?
  • When I use the -secrets command it always errors with "Error parsing SAM dump file: System.IndexOutOfRangeException: Index was outside the bounds of the array". However, before the error occurs the NTLM hash of the RID 500 account is actually still outputted, so I can continue the attack. Perhaps you can look into this error?
  • In cases where RemoteRegistry is disabled/hardened, can the tool be made to fall back to using WMI as used in the tool reg_snake? Assuming of course dumping SAM and LSA is even possible using WMI.
  • I understand that the current version of this tool does not support LDAP attacks and indeed, those attacks fail for me. While I can rarely coerce HTTP-encapsulated SMBv2 or "plain" SMBv1 from DCs or member servers, coercing HTTP-encapsulated SMB from workstations is often possible and allows for taking over those using Shadow Credentials or RBCD. This can be very helpful. This is of course assuming that this tool works against non-DCs (see above).

Thanks!
