From Wikiversity


Windows domain

  • bypassing Windows Domain Group Policy Objects
    1. Disable WFP (Windows File Protection)
      • sfc_os.dll, wfpadmin.exe
    2. Rename gpupdate.exe (Windows XP) / secedit.exe (Windows 2000)
    3. Disable GPO processing in the registry
      • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\disableGPO=1
  • Chapter 3: Windows User Authentication Architecture (cached copy)
    • pwdump2/3/4: online password-hash access tools; they use Windows' internal RPC functions of the Samr family (SamrQueryInformationUser(), which supports SYSKEY)
    • lsadump/lsadump2: online access to the LSA Secrets database (it crashes the system[1])
    • Applications that need to access the LSA Secrets typically use the LsaStorePrivateData() and LsaRetrievePrivateData() system functions (example) to do so.
      • HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets, $MACHINE.ACC, _SC_ServiceName (service password)
      • DPAPI_SYSTEM: Data Protection API. Data is encrypted using 3DES and a key that is not stored anywhere on the system. CryptProtectData(), CryptUnprotectData(), CryptProtectMemory(). When a user changes their password using the standard OS tools, DPAPI automatically opens the CREDHIST file, decrypts all the master keys using the old password, and then re-encrypts all the master keys with the new password.
    • Protected Storage: HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider. Access to the Protected Storage service was provided by means of CryptoAPI functions.
    • SYSKEY
      • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\SecureBoot
        • 1: SYSKEY is stored locally in the registry (SYSTEM file),
        • 2: SYSKEY is derived from an administrator selected password, or
        • 3: SYSKEY will be stored on a floppy disk
      • encryption key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\{JD,Skew1,GBG,Data}, HKEY_LOCAL_MACHINE\Security\Policy\PolSecretEncryptionKey, HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\F
  • creddump
    • lsadump2: advapi32.LsarQuerySecret (injects a DLL to bypass the permission check)
    • cachedump: LSA key from lsass.exe memory + advapi32.SystemFunction005 to decrypt NL$KM
    • Cain & Abel: offline, advapi32.SystemFunction005
  • Circumventing Group Policy Settings: regmon
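A defender-side audit for two of the registry values listed above: the DisableGPO value under the GPO-bypass notes and the SYSKEY SecureBoot storage mode. This is an added example, not part of the Wikiversity page; it parses a constructed .reg export (embedded below) rather than the live registry, so it runs on any platform and can be pointed at an export collected from a host under investigation.

```python
import re

# Registry keys named on the page; stored lower-cased because registry lookups are case-insensitive.
GPO_KEY = r"hkey_local_machine\software\policies\microsoft\windows\system"
LSA_KEY = r"hkey_local_machine\system\currentcontrolset\control\lsa"
SYSKEY_MODES = {1: "stored locally in the SYSTEM hive",
                2: "derived from an administrator-chosen password",
                3: "stored on a floppy disk"}

# Constructed sample .reg export (not taken from a real machine).
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"DisableGPO"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"SecureBoot"=dword:00000001
"Bounds"=hex:00,30,00,00,00,20,00,00
"""

def parse_reg(text):
    """Parse a .reg export into {key: {name: value}}; only dword and string values are kept."""
    tree, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            key = m.group(1).lower()
            tree.setdefault(key, {})
            continue
        m = re.fullmatch(r'"([^"]+)"=(dword:[0-9a-fA-F]{8}|"[^"]*")', line)
        if m and key is not None:  # hex:/binary values and header lines are skipped
            name, raw = m.groups()
            tree[key][name.lower()] = int(raw[6:], 16) if raw.startswith("dword:") else raw.strip('"')
    return tree

def audit(text):
    """Return (severity, message) findings for GPO tampering and the SYSKEY storage mode."""
    tree = parse_reg(text)
    findings = []
    if tree.get(GPO_KEY, {}).get("disablegpo") == 1:
        findings.append(("high", "DisableGPO=1: Group Policy processing is disabled"))
    mode = tree.get(LSA_KEY, {}).get("secureboot")
    if mode in SYSKEY_MODES:
        findings.append(("info", f"SYSKEY mode {mode}: {SYSKEY_MODES[mode]}"))
    return findings

if __name__ == "__main__":
    for severity, message in audit(SAMPLE):
        print(f"[{severity}] {message}")
```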