Week 9: NTLM
NTLM Relay, Token Impersonation, Pass the Hash, PsExec, and more
Active Directory Exploitation - This lesson focuses on recognising vulnerabilities and exploitation tactics in an internal Active Directory environment. Attacks introduced include: LLMNR poisoning/hash cracking, SMB hash relaying, pass the hash, token impersonation, Kerberoasting, GPP/cpassword attacks, and PowerShell attacks. More attacks will likely be added as the lesson is written, but the most common have been provided.
install crackmapexec
msf5 > use exploit/windows/smb/psexec
If the default fails, try each of the psexec target options in turn (e.g. set target 3):
0 Automatic
1 PowerShell
2 Native Upload
3 MOF Upload
sysinfo
Architecture shows x64 but Meterpreter is x86 (32-bit): the default payload is a 32-bit one.
Look through the payloads and pick a better-matching one (an x64 Meterpreter) when the target is 64-bit.
In the Meterpreter shell, type load
and hit tab twice to see the extensions you can load, e.g. kiwi (the Mimikatz extension)
Process migration: migrate into a 64-bit process to get an x64 Meterpreter session (do this before loading kiwi on a 64-bit host, or credential dumping will fail).
The local Administrator password could be the same across many computers if IT images them from the same base image; since the NT hash is unsalted, the same password gives the same hash on every one of them.
You can pass the hash with crackmapexec -H (the NT hash in place of a password)
or with psexec (Metasploit's SMBPass accepts the LM:NT form; impacket's psexec.py takes -hashes LM:NT).
If SMB communications are not digitally signed, you can NTLM relay a captured authentication to another host instead of cracking it. SMB signing is only required by default on domain controllers; workstations and member servers have it enabled but not required, which for relay purposes is the same as off. The relay target must be a different machine from the one the authentication came from, and you only get admin-level results (SAM dump, command execution) where the relayed user is a local admin on the target.
Heath demonstrates an environment where a user has administrative privileges on multiple machines.
Edited Responder.conf: turned off the SMB and HTTP servers, so Responder only poisons and the relay tool (impacket's ntlmrelayx.py) can take the connections on those ports.
Start Responder.py -I eth0 -rdw
Wait
Point a victim machine at yours in File Explorer, e.g. \\192.168.202.173