Week 9: NTLM

Active Directory Exploitation - This lesson focuses on the recognition of vulnerabilities and exploitation tactics in an internal Active Directory environment. Attacks that will be introduced include: LLMNR poisoning/hash cracking, SMB hash relaying, pass the hash, token impersonation, kerberoasting, GPP/c-password attacks, and PowerShell attacks. More attacks will likely be added as the lesson is written, but the most common have been provided.

Important Readings

FuzzySecurity | Windows Privilege Escalation Fundamentalswww.fuzzysecurity.com

Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition)Medium

Notes

CrackMapExec and psexec

• install crackmapexec

• msf5 > use exploit/windows/smb/psexec

• try all the target options for psexec: set target 3

  • Automatic

  • Powershell

  • Native Upload

  • MOF upload

• sysinfo

  • x64 Architecture but 32-bit Meterpreter

  • you can look through payloads and find a better one sometime

In meterpreter shell, type load and hit tab twice to see all the different things to load, e.g. kiwi, mimikatz

• Process Migration, get a x64 Meterpreter shell

• Local Administrator account could be the same across many computers if IT images them from the same base image.

• You can pass the hash with crackmapexec -H or with psexec

NTLM Relay

If communications are not digitally signed, you can NTLM relay. SMB signing is defaulted OFF.

• Heath demonstrates environment were a user has administrative privileges on multiple machines.

• Edited Responder.conf: Turned off SMB and HTTP server

• Start Responder.py -I eth0 -rdw

  • Wait

• point a victim machine to yours to in File Explorer e.g. \\192.168.202.173