AD Lateral Movement: Pass-the-Hash (PtH) Attacks
Description
A Pass-the-Hash (PtH) attack is a credential theft technique that primarily targets Windows-based systems. In this attack, an attacker obtains the hashed password of a user and uses it to authenticate as that user, bypassing the need for the plain-text password. The attack typically starts with the attacker gaining unauthorized access to a compromised system on which the target user's password hash is stored. Once the hash is acquired, the attacker can abuse the way Windows authentication protocols such as NTLM and Kerberos accept the hash itself as proof of identity, and pass the hashed credentials to other systems within the Active Directory domain. Because the password never needs to be cracked, the attacker can move laterally within the network, escalate privileges, and potentially carry out further malicious activity.
Tasks
Lab Environment
In this lab environment, you will be provided with GUI access to a Windows machine (2012). This machine will serve as your attacker machine. Your task in this lab is to perform a Pass-the-Hash attack to gain access to the Domain Controller.
Objective: Perform a Pass-the-Hash attack to gain access to the Domain Controller.
Note: All the tools are present in the C:\Tools directory.
Tools
The best tools for this lab are:
PowerView
Invoke-TokenManipulation.ps1
Invoke-Mimikatz.ps1
Solution
Step 1: Open the lab link to access the attacker machine:

Step 2: Navigate to C:\Tools. Gather information about the current domain using PowerView.ps1. Run the following commands:
Commands:

The name of the current domain is research.SECURITY.local and the Fully Qualified Domain Name (FQDN) of the Domain Controller (DC) is prod.research.SECURITY.local.
Step 3: Next, find a machine in the current domain on which the current user (student) has local admin access.
Command:

We can see that student has admin access on the seclogs.research.SECURITY.local machine.
Step 4: Access the seclogs.research.SECURITY.local machine using the following command:
Command:

Success!
Step 5: Check the current user privilege.
Command:


We have full privileges on the seclogs.research.SECURITY.local machine.
Step 6: Next, we need to set up hfs.exe (HTTP File Server) on the attacker machine to serve the PowerShell scripts (Invoke-Mimikatz.ps1 and Invoke-TokenManipulation.ps1). Both scripts are inside the C:\Tools directory. Drag and drop these two PowerShell scripts onto hfs.exe as shown below.

Step 7: Now, import the Invoke-TokenManipulation.ps1 script on the target machine. We will use this script to enumerate all the available tokens.
Commands:

We have successfully imported the script into memory. Now, enumerate all the available tokens:
Command:

We can see that research\administrator has logged into this machine.
Step 8: Next, import the Invoke-Mimikatz.ps1 script on the target machine and dump the NTLM hashes of the logged-in users.
Commands:


We found the NTLM hash of the Domain administrator, 84398159ce4d01cfe10cf34d5dae3909, which we can use to perform a Pass-the-Hash attack.
Step 9: Now, we will perform a Pass-the-Hash attack using Mimikatz to obtain a powershell.exe shell running with Domain administrator credentials. Performing a Pass-the-Hash attack requires high-privilege access on the machine, so run PowerShell as administrator and then execute the following commands:
Commands:

We have successfully performed a Pass-the-Hash attack using the Domain admin NTLM hash.
Step 10: Now, access the Domain Controller:
Command:

Success!
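On the defensive side, the session that Mimikatz creates in Step 9 leaves a characteristic trace on the source host: a Security event 4624 with Logon Type 9 (NewCredentials), Logon Process "seclogo" and Authentication Package "Negotiate". The following added example (not part of the lab, and not code from any of the tools above) runs that well-known heuristic over a few constructed 4624 records; the field names follow the EventData element names of event 4624, and the sample values are made up for illustration.

```python
"""Flag Security event 4624 records matching the Pass-the-Hash session pattern.

Heuristic: LogonType 9 + LogonProcessName "seclogo" + AuthenticationPackageName
"Negotiate" on the host where the hash was injected. The same combination is
also produced by a legitimate `runas /netonly`, so hits need triage, for
example by looking at the spawning ProcessName and the target account.
"""

# Constructed sample events (not real telemetry). Keys mirror the EventData
# element names of Security event 4624.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "seclogs.research.SECURITY.local",
     "TargetDomainName": "research", "TargetUserName": "administrator",
     "LogonType": "9", "LogonProcessName": "seclogo",
     "AuthenticationPackageName": "Negotiate",
     "ProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 4624, "Computer": "seclogs.research.SECURITY.local",
     "TargetDomainName": "research", "TargetUserName": "student",
     "LogonType": "2", "LogonProcessName": "User32",
     "AuthenticationPackageName": "Negotiate",
     "ProcessName": r"C:\Windows\System32\winlogon.exe"},
    # A service calling LogonUser() with NEW_CREDENTIALS logs "Advapi", not "seclogo".
    {"EventID": 4624, "Computer": "seclogs.research.SECURITY.local",
     "TargetDomainName": "research", "TargetUserName": "svc_backup",
     "LogonType": "9", "LogonProcessName": "Advapi",
     "AuthenticationPackageName": "Negotiate",
     "ProcessName": r"C:\Windows\System32\svchost.exe"},
]


def is_pth_session(event):
    """True if the record matches the seclogo/NewCredentials pattern."""
    return (event.get("EventID") == 4624
            and str(event.get("LogonType")) == "9"
            and str(event.get("LogonProcessName", "")).lower() == "seclogo"
            and str(event.get("AuthenticationPackageName", "")).lower() == "negotiate")


def find_pth_sessions(events):
    """Return the subset of events worth an analyst's attention."""
    return [e for e in events if is_pth_session(e)]


def summarize(event):
    """One-line triage summary: host, account and the process that created the logon."""
    return (f"{event['Computer']}: {event['TargetDomainName']}\\{event['TargetUserName']} "
            f"(type {event['LogonType']}, {event['LogonProcessName']}) via {event['ProcessName']}")


if __name__ == "__main__":
    for hit in find_pth_sessions(SAMPLE_EVENTS):
        print("possible Pass-the-Hash session:", summarize(hit))
```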
Conclusion
In this lab, we performed a Pass-the-Hash attack to gain access to the Domain Controller.