In our previous blog post, we talked about how you can obtain the password hashes from a Domain Controller within Azure without ever needing to interact with the system itself. We walked through each step when interacting with the Azure web portal to take a snapshot, convert it to a disk, and mount it on a new virtual machine. After publishing the post, we were asked if it could easily be done via the command line. So this blog post will walk you through the process of obtaining hashes from a domain controller within Azure using PowerShell.
This post, similar to the last one, assumes you have the credentials of an account with access to a domain controller within Azure.
1. Set Up PowerShell to Interact with Azure
First, you will need to import the Azure cmdlets into your current PowerShell session, and then authenticate to Azure via PowerShell.
With our PowerShell session authenticated, we can now use Azure specific PowerShell cmdlets to accomplish everything we want to do. First, you might want to know what region and resource group the virtual machine you are targeting is running in. You can list active resource groups with the “Get-AzResourceGroup” cmdlet.
In this case, we can see the resource group being used is called “InternalDomain” and it’s running in the West US 2 region. Next, you might want to enumerate virtual machines running within this resource group. That can be done with the “Get-AzVm” cmdlet.
2. Take a Snapshot of the D.C.’s disk
Now, we know there is a virtual machine called “Server2016DC” that is running Windows Server 2016 within the InternalDomain resource group. At this point, we have the information needed to build out our command to create a snapshot. We’re going to capture the data we need in a variable from the “Get-AzVm” cmdlet to create a snapshot.
Next, you need to build the configuration for the snapshot with the “New-AzSnapshotConfig” cmdlet based on the output of the “Get-AzVm” cmdlet. Once the configuration is built, then all that is needed is for you to create the snapshot with the “New-AzSnapshot” cmdlet.
3. Convert the Snapshot into a Virtual Disk
Now that you created a snapshot, all that’s left to do is convert the snapshot into a virtual disk. First, you will use the “Get-AzSnapshot” cmdlet to specify the snapshot you want to convert, then you will build the virtual disk’s configuration with the “New-AzDiskConfig” cmdlet, and finally you will create a new disk with the “New-AzDisk” cmdlet.
With that, our disk has been created! If you wanted to verify (and had the ability to do so), you could log into the Azure portal and see your newly created disk.
4. Attach the Disk to a V.M.
All that is left now is to attach the disk to a virtual machine, and obtain the hashes! At this point, I will leave this as an exercise to the reader, but there’s plenty of documentation available to help perform this last step.
If you have any questions at all, be sure to Contact Us and we will be happy to answer them. If this looks interesting to you, be sure to come to our Intrusion Operations class at BSides Augusta to learn more!