March 18, 2023 / By Securium Solutions
Hello everyone, Welcome to the new blog. In this blog you will be learning a new attack which we can perform in active directory and it is a post exploitation attack which comes under Lateral Movement. If you don’t know Pass the hash attack then is you get any user hash you may have cracked it or may be unsuccessful in cracking. Think if we don’t need to crack it, if we can directly utilize it as a normal password.
Yes, it is possible with a attack named Pass the Hash.
Let’s start with it’s name, we can guess it’s meaning and working by it’s name itself.
A “Pass the Hash attack” is a type of credential theft attack that is commonly used against systems that use Windows Active Directory (AD) for authentication. In this attack, an attacker obtains the hash of a user’s password from a compromised system and uses it to authenticate as the user on other systems in the same AD domain.
As I mentioned previously it is a post exploitation attack, so attacker have a access or have compromised a system.
Then, the attacker can try to dump SAM or get other user hash.
We can take help of many tool to get user hash.
We can take the help of Impacket’s Secretdump module which tries to get hashes from SAM and LSA secrets from registries, NTDS etc.
impacket-secretsdump domain.local/user:Password1@192.168.0.1
We can also take help of Crackmapexec.
If we have username and password and don’t know IP of system then we can use Crackmapexec following command by which Crackmapexec will move around the network and tries username and password and will dump SAM file.
crackmapexec smb 192.168.0.0/24 -u user -d domain.local -p Password1 –sam
We can use multiple tools e.g mimikatz and techniques and can perform manually to get hashes.
Now, what after getting hashes. Now it’s time to use hash and pass around the network just by using hash.
We can use multiple tools to use that hash attack to get access to other users.
We can use Crackmapexec to do the same. Most probably we don’t know the IP of user and the hash belong to. So, we can give it network range so, that it will attempt to loging with username and password hash.
crackmapexec 192.168.1.0/24 -u user -H hash-we-got –local
We can also get a proper shell by using Impacket utility Psexec.
Using above command we may have get the IP adress the user belong to.
Now by using following command we can get the proper shell.
impacket-psexec username@192.168.1.10 -hashes hash
There are a lots of tools using which we can perform Pass the Hash and perform multiple tasks over the compromised systems.
Administrators can prevent from Pass the Hash attack by using NTLMv2.
Because we can only perform Pass the Hash over NTLM not over NTLMv2.
Now, it’s time to conclude the blog we will meet over next blog.
Author
Saurabh Kumar
Cyber Security Intern
