PowerShell, Azure, and Password Hashes in 4 steps

In our previous blog post, we talked about how you can obtain the password hashes from a Domain Controller within Azure without ever needing to interact with the system itself. We walked through each step when interacting with the Azure web portal to take a snapshot, convert it to a disk, and mount it on a new virtual machine. After publishing the post, we were asked if it could easily be done via the command line. So this blog post will walk you through the process of obtaining hashes from a domain controller within Azure using PowerShell.

This post, similar to the last one, assumes you have the credentials of an account with access to a domain controller within Azure.

1. Set Up PowerShell to Interact with Azure

First, you will need to import the Azure cmdlets into your current PowerShell session, and then authenticate to Azure via PowerShell.

Authenticating to Azure

With our PowerShell session authenticated, we can now use Azure-specific PowerShell cmdlets to accomplish everything we want to do. First, you might want to know which region and resource group the virtual machine you are targeting is running in. You can list active resource groups with the “Get-AzResourceGroup” cmdlet.

Get-AzResourceGroup Output

In this case, we can see the resource group being used is called “InternalDomain” and it’s running in the West US 2 region. Next, you might want to enumerate virtual machines running within this resource group. That can be done with the “Get-AzVm” cmdlet.

Get-AzVM Output

2. Take a Snapshot of the D.C.’s disk

Now we know there is a virtual machine called “Server2016DC” running Windows Server 2016 within the InternalDomain resource group. At this point, we have the information needed to build the command that creates a snapshot. We’ll capture the output of the “Get-AzVm” cmdlet for that VM in a variable and use it to create the snapshot.

Capture VM Specific Information

Next, you need to build the configuration for the snapshot with the “New-AzSnapshotConfig” cmdlet, based on the output of the “Get-AzVm” cmdlet. Once the configuration is built, all that remains is to create the snapshot with the “New-AzSnapshot” cmdlet.

Generate a Snapshot

3. Convert the Snapshot into a Virtual Disk

Now that you have created a snapshot, all that’s left is to convert it into a virtual disk. First, you will use the “Get-AzSnapshot” cmdlet to select the snapshot you want to convert, then build the virtual disk’s configuration with the “New-AzDiskConfig” cmdlet, and finally create the new disk with the “New-AzDisk” cmdlet.

Creating a Virtual Disk

With that, our disk has been created! If you wanted to verify (and had the ability to do so), you could log into the Azure portal and see your newly created disk.

New Virtual Disk

4. Attach the Disk to a V.M.

All that is left now is to attach the disk to a virtual machine, and obtain the hashes! At this point, I will leave this as an exercise to the reader, but there’s plenty of documentation available to help perform this last step.
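A defender-side check for the chain just described, as an added example that is not code from the original post: it scans Azure Activity Log entries for one caller creating a snapshot, creating a disk, and updating a VM within a short window. It assumes the entry property names of Get-AzActivityLog output and runs on constructed sample entries.

```powershell
# Added example (not from the original post): look for the snapshot -> disk -> attach
# chain described above in Azure Activity Log entries. Entries are passed in so it runs on
# constructed data; in practice feed it Get-AzActivityLog (Az.Monitor) output, e.g.
# Get-AzActivityLog -StartTime (Get-Date).AddDays(-1). Property names are assumed to match
# that output; OperationName is handled as either a string or a {Value} object.
$ChainOps = @(
    'Microsoft.Compute/snapshots/write',       # step 2: New-AzSnapshot
    'Microsoft.Compute/disks/write',           # step 3: New-AzDisk
    'Microsoft.Compute/virtualMachines/write'  # step 4: disk attached to a VM
)
function Find-DiskCloneChain {
    param(
        [Parameter(Mandatory)] [object[]] $Entries,
        [int] $WindowHours = 6   # assumed: one caller performs all steps within this window
    )
    $events = foreach ($e in $Entries) {
        $op = if ($e.OperationName -is [string]) { $e.OperationName } else { $e.OperationName.Value }
        if ($ChainOps -contains $op) {
            [pscustomobject]@{ Time = [datetime]$e.EventTimestamp; Caller = $e.Caller
                               Op = $op; Resource = $e.ResourceId }
        }
    }
    foreach ($group in ($events | Group-Object Caller)) {
        $sorted = $group.Group | Sort-Object Time
        # The window is anchored on the caller's first snapshot creation.
        $first = $sorted | Where-Object Op -eq $ChainOps[0] | Select-Object -First 1
        if (-not $first) { continue }
        $inWindow = $sorted | Where-Object { $_.Time -ge $first.Time -and $_.Time -le $first.Time.AddHours($WindowHours) }
        $seen = @($inWindow.Op | Sort-Object -Unique)
        [pscustomobject]@{
            Caller    = $group.Name
            FirstSeen = $first.Time
            Steps     = ($seen -join ', ')
            FullChain = @($ChainOps | Where-Object { $seen -notcontains $_ }).Count -eq 0
            Resources = (@($inWindow.Resource | Sort-Object -Unique) -join '; ')
        }
    }
}

# Constructed sample entries standing in for Get-AzActivityLog output.
$rg = '/subscriptions/SUB-ID/resourceGroups/InternalDomain/providers/Microsoft.Compute'
$sample = @(
    [pscustomobject]@{ EventTimestamp = '2019-09-01T10:00:00Z'; Caller = 'user@example.com'
        OperationName = 'Microsoft.Compute/snapshots/write'; ResourceId = "$rg/snapshots/dc-snap" }
    [pscustomobject]@{ EventTimestamp = '2019-09-01T10:05:00Z'; Caller = 'user@example.com'
        OperationName = 'Microsoft.Compute/disks/write'; ResourceId = "$rg/disks/dc-copy" }
    [pscustomobject]@{ EventTimestamp = '2019-09-01T10:20:00Z'; Caller = 'user@example.com'
        OperationName = 'Microsoft.Compute/virtualMachines/write'; ResourceId = "$rg/virtualMachines/scratch-vm" }
)
Find-DiskCloneChain -Entries $sample | Format-Table -AutoSize
```

Microsoft.Compute/virtualMachines/write also fires on routine VM changes, so treat a completed chain as a lead to confirm against the VM's disk configuration rather than proof on its own. The snapshot and disk need not live in the source VM's resource group, so query the whole subscription rather than a single resource group.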

If you have any questions at all, be sure to Contact Us and we will be happy to answer them. If this looks interesting to you, be sure to come to our Intrusion Operations class at BSides Augusta to learn more!