Tuesday, October 17, 2017

Exploiting a VMWare File Lock Hole - LET'S GRAB THAT VMDK AND NTDS.DIT!

An interesting note on VMware file locks...

The VMDK file is locked by the ESX hypervisor when the host is active. Without access to the vCenter instance or SAN/NAS/Storage device directly, this is a problem.

This is a problem particularly when your target is privileged information... like the NTDS.DIT file for an Active Directory domain.

As you can probably guess, this was an issue I recently investigated and an attack that was devised from it.

VMware places a lock on the active VMDK file to prevent any sort of tampering/corruption/access issues with a live host. This is, by design, a safeguard against a number of attacks. When you have hypervisor access (restricted to specific hosts) but also the ability to administer parts of the system, this safeguard is fairly easy to bypass.

In this case, I was after the NTDS.DIT file. This attack blended a number of operational security flaws and strategies to bypass active security controls.

First, with access to the hypervisor and disks, the obstacle is the restriction VMware places on accessing the VMDK file that serves as the fixed disk for the host. Without a command line or vCenter, you aren't left with many options.

So what do you do?

Shoot the hostage.

Snapshot the host.

Snapshotting the host creates a new VMDK delta file. Essentially, for the hypervisor, this delta file becomes the "new hard disk", with the OLD, original VMDK file as the "reference disk." The new VMDK DELTA FILE is where the host goes to write/read any changes relative to the reference disk. The lock on the original disk is essentially "moved" to the new disk. The old disk exists as a reference and restore point.

From this point onward, you are able to clone/copy the original VMDK file as you see fit with NO restrictions from VMware.

Next, you take the original VMDK file and copy it to a new location. This allows you to spin up a NEW host with the old disk, enabling you to modify or play with the original machine. Because Active Directory logs changes and syncs via DFS, you will have a copy of the schema as of the last update period configured by the network administrator.

The problem now becomes "How do I get that NTDS.DIT file?"

I'm glad you asked.

This is an OLD SCHOOL trick from a LONG TIME ago.

You now have the ability to treat the DOMAIN CONTROLLER as if it's a physical host. In ye olden days, this was gold.

Spin up the new host and it will likely fail. This is good.

Load up an ISO that gives you file system access (Hiren's is a nice choice). You can do this on another host instead, but Windows security will be an issue for permissions.

Boot the ISO on the new host with the ISO as your boot/live disk.

(Edit: Yes, I know that in certain environments, just loading up an ISO or live disk *cough*Kali or a vanilla Linux*cough* and copying the files out directly is much shorter and completely valid as an attack here. The issue at hand was an additional layer of security that made that type of attack infeasible here and unnecessarily "loud".)

Navigate to the system drive: \windows\system32.

You will see two files of interest. CMD.EXE and UTILMAN.EXE.

UTILMAN is awesome. It's the accessibility options menu for Windows that HAPPENS to be accessible pre-login. (Windows + U or the icon in the lower left corner.)

Rename UTILMAN.EXE to something else. DON'T DELETE IT.

Make a copy of CMD.EXE (or whatever executable you want) and rename it UTILMAN.EXE.

Reboot the target into Windows. You may want to try DIRECTORY SERVICES RESTORE MODE, and it may only boot into that mode anyway. Without network connections, the DC will likely take 30 minutes to boot, if at all.

Directory services restore mode is fantastic. Typically, you can't log in to a DC as a local admin, as Windows keeps you from doing so to prevent this exact type of attack.

DSR allows you to do so.

Eventually, you will boot into Windows in DSR. Hotkey WINDOWS KEY + U or click the icon in the bottom left corner... VOILA! You are presented, pre-login, with a command line running in the context of NT AUTHORITY\SYSTEM. This is a non-interactive, super user account.

Change the local password through this command line to one of your choosing.

Next, log in locally to the AD domain controller with this password and you are now the administrator of the machine.

From this point, extraction of the SYSTEM hive and NTDS.DIT is fairly simple. Copy the files to a different location, reset the security descriptors and exfiltrate the data. Since you DON'T WANT TO HOOK IT UP TO THE NETWORK, an alternate drive/VMDK to copy to works... or you can simply attach the VMDK as a hard drive on another host you do control.

That's it. A nice way to obtain privileged, secured system data from a host with only hypervisor access.
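As an added defender-side check, not part of the original post: a PowerShell script that looks for the UTILMAN.EXE/CMD.EXE swap described above, and for the renamed original that the procedure leaves behind in System32. The `-WindowsDir` parameter and the reliance on the PE version resource are my assumptions; it can be pointed at a live host or at an offline-mounted Windows directory recovered from a VMDK.

```powershell
# Added example (not from the original post): detect the utilman.exe swap and the
# stashed original. Assumes Windows PowerShell 5.1+ and a readable Windows directory,
# either the live system or an offline copy mounted from a VMDK.
param(
    [string]$WindowsDir = $env:SystemRoot   # e.g. 'E:\Windows' for a mounted image
)

$sys32    = Join-Path $WindowsDir 'System32'
$utilman  = Join-Path $sys32 'utilman.exe'
$cmd      = Join-Path $sys32 'cmd.exe'
$findings = @()

# 1. A swapped utilman.exe is a byte-for-byte copy of cmd.exe, so the hashes collide.
$utilHash = (Get-FileHash -Path $utilman -Algorithm SHA256).Hash
$cmdHash  = (Get-FileHash -Path $cmd     -Algorithm SHA256).Hash
if ($utilHash -eq $cmdHash) {
    $findings += "utilman.exe is identical to cmd.exe (SHA256 $utilHash)"
}

# 2. Renaming a file does not change its PE version resource; a real utilman.exe
#    reports OriginalFilename 'utilman.exe', while cmd.exe reports 'Cmd.Exe'.
$origName = (Get-Item -Path $utilman).VersionInfo.OriginalFilename
if ($origName -and $origName -notmatch '^utilman\.exe$') {
    $findings += "utilman.exe OriginalFilename is '$origName', expected 'utilman.exe'"
}

# 3. The procedure renames rather than deletes the original, so look for any other
#    executable in System32 whose version resource says it was built as utilman.exe.
Get-ChildItem -Path $sys32 -Filter '*.exe' -File |
    Where-Object { $_.Name -ine 'utilman.exe' -and
                   $_.VersionInfo.OriginalFilename -imatch '^utilman\.exe$' } |
    ForEach-Object { $findings += "Stashed original utilman.exe found at $($_.FullName)" }

if ($findings.Count -eq 0) {
    Write-Output 'No utilman.exe tampering indicators found.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

The hash comparison only catches a straight copy of cmd.exe; the version-resource checks also catch other substituted binaries and the renamed original, which is why all three are run.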
