Post-Exploitation in Windows: From Local Admin To Domain Admin (efficiently)

There are some excellent tools and techniques available to pentesters trying to convert their local admin rights into domain admin rights.  This page seeks to provide a reminder of some of the most common and useful techniques as well as rating their effectiveness to suggest which ones to try first.

The premise of all the techniques is to obtain access to as many domain accounts as possible using the credentials stored on the domain member you’ve compromised.

Tools are briefly discussed for each technique.  This page is really about the techniques, though, not the tools.  While tools will change, I suspect these techniques will be with us for some considerable time yet.

I’ve tried to rate each technique in order of how much effort it is for the pentester.  Some technqiues give almost instant results and are therefore worth trying first.  Others require password cracking and are a last resort really if nothing else works.

Very Quick: Duplicate Access Tokens (Incognito)

Incognito, either as a standalone tool, or via metasploit’s meterpreter will scan through all the running processes on the box and list you the delegation tokens it finds.  Without doing any analysis yourself you can try creating a domain admin account with each token.  If it succeeds without any effort on your part, so much the better.

If you don’t succeed in getting a domain admin account straight away, you may still be able to abuse the privileges of a normal domain user (e.g. to list domain accounts and group memberships).  Perhaps try the techniques below before trying too hard…

Quick: Dump LSA Secrets (lsadump)

If any Windows services are running under a domain account, then the passwords for those accounts must be stored locally in a reversible format.  LSAdump2, LSASecretsDump, pwdumpx, gsecdump or Cain & Abel can recover these.

You might have to stare at the output of lsadump and the list of services in

After you’ve correlated plain text passwords from the “_SC_<service name>” sections of LSAdump with the domain usernames from services.msc using the short “service name”, you should a list of domain accounts and cleartext passwords.

Investigate your new found accounts and see if you’re domain admin yet.

Quick: Dump SAM-Style Hashes for Access Tokens (WCE)

Windows Credentials Editor (a more mature version of the now obsolete Pass The Hash Toolkit) recovers the SAM-style password hash for each process from LSASS – including domain accounts.  Initially, this has a similar effect to Incognito.  But has a couple of advantages:

  • You can authenticate using the hash long after the corresponding process has terminated or the system has been rebooted.  You can do this using WCE itself, or use tools like psexec (example here), smbshell and metasploit’s psexec to authenticate using a password hash instead of a password.
  • You can try the password hash in conjunction with a different username (or all usernames) using keimpx, or similar.  You’re hoping for password reuse at this stage.

Gsecdump is an alternative tool for obtaining password hashes for running processes.

If SAM-style hashes aren’t sufficient for some reason, WCE can also steal kerberos tickets (PDF link) – e.g. to authenticate to unix systems.  Pass-the-ticket as opposed to pass-the-hash.

Quick: Dump SAM, Spray Hashes

Dumping the password hashes from the local SAM using fgdump, pwdump7Cain & Abel, etc. won’t necessarily get you a domain account, but if one of the local passwords is the same as one of the domain passwords, you might be in luck.  Keimpx will help you try the hashes again the domain accounts.

Careful not to lock the domain accounts out, though!

It’s probably worth spraying the hashes against the local accounts on other systems.  If you fail to get domain admin, you might get local admin on every other system if the local admin passwords are the same.  You can then rinse and repeat the techniques on this page until you get your domain admin account.

Slow: Cracking SAM-Style Password Hashes Crack Passwords

If you’ve already tried authenticating using the hashes you’ve collected and you’ve tried hashes against other accounts, there’s probably little value in cracking the passwords.  John the Ripper, Cain & Abel and ophcrack are just a few of the password crackers available.

You might find a pattern in the passwords used.  Possibly crack hashes from the password history too.

Another reason to crack passwords is if you’re targeting a service that insists on you knowing the password – e.g. Terminal Services.

It’s starting to feel like a longshot now…

Very Slow: Dump Cached Domain Logons, Crack

If the domain member has cached domain logons, you might be able to recover passwords from the corresponding hashes (e.g. using  fgdumppwdumpxcachedump, meterpreter).  However, hashes are salted and they’re case sensitive.  If there’s a reasonable password policy, you’re going to need some luck.

You can’t use these hashes without cracking them – unlike the SAM-style hashes.

Other Techniques

There are of course other many other techniques you could try.  Some are more open-ended or less likely to succeed in the general case.  Here are a few ideas:

  • Trawling the filesystem looking for passwords.  Unattend.txt might have an admin password in it if present.  You can probably recover the SAM from .vhd files.  Other backup files may also yield passwords.
  • Trawling the registry.  Credentials such as VNC password and SNMP community string can be recovered.  They might be useful on your quest for domain admin.
  • Protected Storage.   This might yield passwords that are reused elsewhere.