Hacking Notes
ad-attacks

  1. Pass-the-Hash
  2. Kerberoasting
  3. Golden Ticket
  4. DCShadow
  5. LDAP Injection
  6. Privilege Escalation
  7. Pass-the-Ticket
  8. DCSync
  9. AD Replication
  10. NTLM Relay
  11. Token Kidnapping
  12. Overpass-the-Hash
  13. RDP Hijacking
  14. Group Policy Modification
  15. AD Delegation

Pass-the-Hash

Pass-the-Hash (PtH) lets an attacker authenticate to a system using only the NT hash of a user's password, without knowing or cracking the password itself. The attack typically starts with the attacker gaining local administrator rights on one host, either by exploiting a vulnerability or through social engineering.

With administrative rights on that host, the attacker can use a tool such as Mimikatz to harvest credential material. Hashes of currently logged-on users are cached by the Local Security Authority Subsystem Service (lsass.exe). Despite its name, this is an ordinary user-mode process, not kernel code; when LSA protection is enabled it runs as a Protected Process Light (PPL), which stops unsigned code from opening it. Hashes of local accounts live in the SAM registry hive and cached domain logons in the SECURITY hive, both readable with SYSTEM rights.

Mimikatz's sekurlsa module does not need to inject a DLL: with SeDebugPrivilege it opens a handle to lsass.exe, reads the process memory and parses the credential structures out of it (sekurlsa::logonpasswords). The recovered values are NT hashes and, on old systems, LM hashes; both are the hashed form of the password, not the password.

Once the attacker has a user's NT hash, they can authenticate as that user to any other system that accepts NTLM authentication. This works because NTLM is a challenge-response protocol in which the hash, not the password, is the key: the client proves its identity by computing a keyed function of the server's challenge with the NT hash, and the server verifies the answer with the NT hash it has stored. The hash is therefore password-equivalent for NTLM. Impacket's psexec.py, wmiexec.py and smbclient.py accept it directly through -hashes LMHASH:NTHASH, and Mimikatz sekurlsa::pth starts a process whose logon session holds the supplied hash.

The NT hash (often called the NTLM hash) is MD4 over the password encoded as UTF-16LE, with no salt; the result is 128 bits long. It is not based on DES.

The LAN Manager (LM) hash is the older scheme and is the DES-based one: the password is upper-cased, truncated or null-padded to 14 bytes and split into two 7-byte halves, and each half is used as a DES key to encrypt the fixed string KGS!@#$%. Uppercasing shrinks the character set, the two halves can be cracked independently and there is no salt, so LM hashes are trivially recovered.

LM hash storage has been disabled by default since Windows Vista and Windows Server 2008 (the NoLMHash policy), so hash dumps from modern systems show the placeholder aad3b435b51404eeaad3b435b51404ee in the LM field. NTLMv1 should likewise be disabled in favour of NTLMv2, and Kerberos preferred wherever it is available.

Holding the hash is still not the same as holding the plaintext password: recovering the password means cracking the hash, and whether that succeeds depends on password strength, although the unsalted, fast MD4 construction lets GPU crackers test guesses at very high rates. For lateral movement over NTLM, however, no cracking is needed at all.
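The challenge-response point above is easiest to see in code. The following is an added example for these notes, not code from the original page or from Mimikatz or Impacket: it implements the NT hash (MD4 over UTF-16LE) and the NTLMv2 response from MS-NLMP, then has a server issue a challenge and checks that a client holding only the dumped hash answers it exactly as the client holding the password does, while a wrong hash is rejected. The user, domain, password, challenges and timestamp are constructed, and the response blob omits the target-info AV pairs a real client includes; MD4 is implemented inline because OpenSSL 3 builds of Python often disable hashlib's md4.

```python
"""Pass-the-Hash against NTLMv2, end to end.

Added example for these notes (not code from the original page, Mimikatz or
Impacket). Names, challenges and timestamp are constructed; the target-info
AV pairs a real client puts in the blob are omitted for brevity.
"""
import hmac
import os
import struct
from hashlib import md5

MASK = 0xFFFFFFFF


def md4(msg: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Inline because OpenSSL 3 often disables hashlib md4."""
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    # pad: 0x80, zeros up to 56 mod 64, then the bit length as a little-endian u64
    msg = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", len(msg) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):                                   # round 1
            a, b, c, d = d, rol((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):                                   # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rol((a + g(b, c, d) + x[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):                                   # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, b, c, d = d, rol((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4]), b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: unsalted MD4 of the UTF-16LE password. This is what sekurlsa dumps."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain)). The input is the
    hash, never the password: this is what makes the hash password-equivalent."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), md5).digest()


def ntlmv2_response(nt: bytes, user: str, domain: str, server_challenge: bytes,
                    client_challenge: bytes, timestamp: int, target_info: bytes = b"") -> bytes:
    """Client side (MS-NLMP 3.3.2): NtChallengeResponse = NTProofStr || temp."""
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)   # version, reserved, FILETIME
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)
    proof = hmac.new(ntowf_v2(nt, user, domain), server_challenge + temp, md5).digest()
    return proof + temp


def server_verify(stored_nt: bytes, user: str, domain: str,
                  server_challenge: bytes, response: bytes) -> bool:
    """Server/DC side: recompute NTProofStr from the stored NT hash and the temp the
    client sent, then compare. Nothing here needs or sees the password."""
    proof, temp = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(stored_nt, user, domain), server_challenge + temp, md5).digest()
    return hmac.compare_digest(proof, expected)


def pass_the_hash_demo() -> dict:
    """Legitimate client (password) vs attacker (hash only) vs attacker with a wrong hash."""
    user, domain, password = "alice", "CORP", "Winter2024!"     # constructed
    stored_nt = nt_hash(password)                               # what the DC/SAM holds
    dumped_hex = stored_nt.hex()                                # what sekurlsa::logonpasswords prints
    server_challenge, client_challenge = os.urandom(8), os.urandom(8)
    timestamp = 133_000_000_000_000_000                         # FILETIME; constructed value
    legit = ntlmv2_response(nt_hash(password), user, domain, server_challenge, client_challenge, timestamp)
    attacker = ntlmv2_response(bytes.fromhex(dumped_hex), user, domain, server_challenge, client_challenge, timestamp)
    bogus = ntlmv2_response(nt_hash("wrong"), user, domain, server_challenge, client_challenge, timestamp)
    return {
        "hash_only_matches_password": legit == attacker,
        "server_accepts_hash_only": server_verify(stored_nt, user, domain, server_challenge, attacker),
        "server_rejects_wrong_hash": server_verify(stored_nt, user, domain, server_challenge, bogus),
    }


if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())   # 8846f7eaee8fb117ad06bdd830b7586c
    for check, result in pass_the_hash_demo().items():
        print(f"{check}: {result}")
```

The only secret the "attacker" path ever touches is the hex string a credential dumper prints, which is exactly what the -hashes option of the Impacket tools consumes; the verifying side is equally blind to the password, which is why protecting the hash matters as much as protecting the password.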

The attack can be mitigated by implementing the following security controls:

  • Enabling network-level authentication (NLA) for Remote Desktop Protocol (RDP)
  • Enabling Restricted Admin mode for RDP, so that an administrator's credentials are never sent to the remote host; note that Restricted Admin mode accepts NTLM, so an attacker who already holds a hash can open an RDP session with it (Mimikatz sekurlsa::pth launching mstsc.exe /restrictedadmin), which is the trade-off being made
  • Enabling LSA protection (RunAsPPL), so that lsass.exe runs as a protected process and ordinary administrator-level code cannot read its memory; Credential Guard goes further by isolating the secrets in a virtualization-protected process
  • Using Local Administrator Password Solution (LAPS), so that every host has a unique, rotated local administrator password and one dumped local hash cannot be replayed across the fleet
  • Implementing a strong password policy
  • Using multi-factor authentication for interactive and remote access (NTLM itself has no second factor, so this limits where a hash can be used rather than stopping its use)
  • Implementing a Privileged Access Management (PAM) solution and a tiered administration model, so that privileged hashes are never left in memory on lower-tier workstations

Kerberoasting

Kerberoasting is an attack technique that lets any authenticated domain user obtain material that can be cracked offline to recover the passwords of service accounts in an Active Directory (AD) domain. The attacker requests Kerberos service tickets (TGS tickets) for accounts that have a Service Principal Name (SPN) registered and then cracks the tickets offline. It does not involve Ticket-Granting Tickets (TGTs).

Kerberos is the default authentication protocol in AD. The Key Distribution Center (KDC), which runs on every domain controller, verifies a user's credentials and issues a TGT. The TGT is encrypted with the krbtgt account's key, not the user's; only the AS-REP that carries the TGT's session key back to the user is encrypted with a key derived from the user's password. The user then presents the TGT to request service tickets for other systems, and each service ticket is encrypted with the long-term key of the account that owns the requested SPN, because that service has to be able to decrypt it.

In a Kerberoasting attack, an attacker with any domain account enumerates SPNs over LDAP and requests a service ticket for each one. The KDC does not check whether the requester is actually allowed to use the service, so the requests are ordinary, permitted traffic and no lockout is triggered. The encrypted part of each ticket is then cracked offline: the attacker guesses the service account's password, derives the key and checks whether it decrypts the ticket. When the ticket is issued with RC4-HMAC (encryption type 23) the key is simply the account's NT hash, so cracking runs at the same speed as cracking NTLM; with AES (types 17 and 18) the key is derived with PBKDF2 (4096 iterations by default) and cracking is far slower. Impacket's GetUserSPNs.py with -request writes the tickets in the $krb5tgs$23$ format that hashcat cracks with mode 13100. Machine accounts have random 120-character passwords and are not worth roasting; the targets are user accounts with SPNs, which have human-chosen passwords and are often privileged.

The Kerberoasting attack can be mitigated by implementing the following security controls:

  • Using long, random passwords (25 characters or more) for every service account, or Group Managed Service Accounts (gMSA), whose passwords are generated and rotated automatically, so that offline cracking is infeasible
  • Removing SPNs from privileged accounts and minimising the number of user accounts that carry an SPN at all
  • Requiring AES for service accounts (msDS-SupportedEncryptionTypes) and disabling RC4 where possible, so that tickets are not issued with the fast-to-crack type 23
  • Not relying on account lockout policies or Kerberos armoring (FAST) against this attack: lockout has no effect because the cracking is offline and the ticket requests are legitimate, and FAST protects the AS exchange and pre-authentication, not the encryption of service tickets; restricting Kerberos delegation (see Authentication Delegation) is a separate hardening that likewise does not affect Kerberoasting
  • Implementing a Privileged Access Management (PAM) solution
  • Implementing a Security Information and Event Management (SIEM) solution that alerts on Event ID 4769 with ticket encryption type 0x17 (RC4) for non-machine accounts, and on one account requesting tickets for many distinct services in a short window; a decoy account with an SPN that nobody legitimately uses makes this alert very precise

Kerberoasting is a well-known attack, and the controls above continue to evolve. Regular security assessments and penetration tests of the AD environment remain the way to find the service accounts that are still roastable and to verify that the controls are actually in place.
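The SIEM item above can be made concrete. The following is an added example for these notes, not code from the original page or from any tool it mentions: it runs two rules over a handful of constructed Event ID 4769 records (the field names follow the EventData of a real 4769, but every value is made up): flag any issued RC4 service ticket for a non-machine account, and flag any requester that obtains tickets for several distinct service accounts within a few minutes. The threshold and window are assumptions to tune per environment.

```python
"""Kerberoasting detection over Windows Security Event ID 4769 records.

Added example for these notes, not code from the original page or from any
tool it mentions. The records below are constructed; field names follow the
EventData of a real 4769 (A Kerberos service ticket was requested).
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # etype 23: ticket key is the account's NT hash, fast to crack offline

# Constructed sample. Real logs carry TicketEncryptionType as a hex string; ints here.
SAMPLE_4769 = [
    # normal: a user pulls an AES ticket for a file server's machine account
    {"TimeCreated": "2024-05-01T09:00:00", "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "FS01$", "TicketEncryptionType": 0x12, "Status": "0x0",
     "IpAddress": "::ffff:10.0.0.15"},
    # normal: TGT renewal is logged as 4769 with krbtgt as the service
    {"TimeCreated": "2024-05-01T09:00:05", "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "krbtgt", "TicketEncryptionType": 0x12, "Status": "0x0",
     "IpAddress": "::ffff:10.0.0.15"},
    # roast: one low-privileged user, five user-account SPNs, RC4, seconds apart
    *[{"TimeCreated": f"2024-05-01T10:15:{i:02d}", "TargetUserName": "bob@CORP.LOCAL",
       "ServiceName": svc, "TicketEncryptionType": RC4_HMAC, "Status": "0x0",
       "IpAddress": "::ffff:10.0.0.77"}
      for i, svc in enumerate(["svc_sql", "svc_backup", "svc_iis", "svc_sccm", "svc_legacy"])],
    # noise: a failed request (Status 0x12, KDC_ERR_CLIENT_REVOKED) issued no ticket
    {"TimeCreated": "2024-05-01T10:16:00", "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "svc_vpn", "TicketEncryptionType": RC4_HMAC, "Status": "0x12",
     "IpAddress": "::ffff:10.0.0.77"},
]


def _service_account(event: dict) -> str:
    """4769 ServiceName is the account that owns the SPN (e.g. FS01$ or svc_sql)."""
    return event["ServiceName"].split("@")[0]


def is_roastable(event: dict) -> bool:
    """An issued ticket whose service is a user account. Machine accounts ($) have
    random 120-character passwords and krbtgt entries are TGT renewals: skip both."""
    svc = _service_account(event)
    return (event["Status"] == "0x0"
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")


def rc4_service_tickets(events: list) -> list:
    """Rule 1: every issued RC4 (0x17) ticket for a user account. Each one is a
    ready-made hashcat 13100 candidate; RC4 should be rare in a hardened domain."""
    return [e for e in events if is_roastable(e) and e["TicketEncryptionType"] == RC4_HMAC]


def spn_bursts(events: list, threshold: int = 4,
               window: timedelta = timedelta(minutes=5)) -> list:
    """Rule 2: one requester obtaining tickets for >= threshold distinct service
    accounts within `window`. Also catches AES-only roasts that rule 1 misses.
    threshold and window are assumptions; tune them per environment."""
    by_user = defaultdict(list)
    for e in events:
        if is_roastable(e):
            by_user[e["TargetUserName"]].append(
                (datetime.fromisoformat(e["TimeCreated"]), _service_account(e)))
    alerts = []
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            services = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(services) >= threshold:
                alerts.append({"user": user, "start": start.isoformat(),
                               "services": sorted(services)})
                break  # one alert per requester is enough
    return alerts


if __name__ == "__main__":
    for e in rc4_service_tickets(SAMPLE_4769):
        print(f"RC4 ticket: {e['TargetUserName']} -> {e['ServiceName']} at {e['TimeCreated']}")
    for a in spn_bursts(SAMPLE_4769):
        print(f"Burst: {a['user']} obtained {len(a['services'])} services from {a['start']}: {a['services']}")
```

Rule 1 is the high-signal check once RC4 has been disabled for service accounts, because any remaining 0x17 ticket is either a misconfiguration or an attacker downgrading; rule 2 is what remains when the domain still issues RC4 routinely, and the decoy-SPN account mentioned above turns it into a single-event alert.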

Token Kidnapping

Token Kidnapping is the theft or duplication of a Windows access token so that the attacker can impersonate the token's owner. An access token is a kernel object attached to every process and thread; it records the user's SID, group SIDs, privileges and integrity level, and Windows consults the token, not the password, whenever it checks access to a securable object. The name comes from Cesar Cerrudo's 2008 research on escalating from Windows service accounts to SYSTEM through token impersonation, and the same primitive underlies the Potato family of local privilege escalations covered under Windows PrivEsc.

The attack starts with code execution on a host. Tokens are not read out of LSASS memory: an attacker holding SeDebugPrivilege (granted to local administrators) can open any process with OpenProcess, obtain its token with OpenProcessToken, copy it with DuplicateTokenEx, and then run as that user through ImpersonateLoggedOnUser or CreateProcessWithTokenW. This is what Mimikatz token::elevate (and the older incognito tool) does, for example to step from Administrator to SYSTEM or to take the token of a domain administrator who left a process running on the host. A lower-privileged account that only holds SeImpersonatePrivilege, which IIS, MSSQL and most service accounts have, can instead coerce a SYSTEM component into authenticating to a listener it controls and impersonate the resulting token; that is the Potato technique.

Once the attacker holds a suitable token, they act as that user locally and, if the token came from an interactive, RDP or service logon, on the network as well, since those logon sessions carry credentials that can authenticate onward. Tokens from network logons (for example an inbound SMB connection) carry no credentials and cannot be used to reach other hosts. The attack can be used to read sensitive data, make unauthorized changes or escalate privileges on the host and in the domain.

The attack can be mitigated by implementing the following security controls:

  • Implementing AppLocker or Software Restriction Policies to prevent the execution of unapproved tools such as Mimikatz
  • Enabling User Account Control (UAC), so that administrators run with a filtered token that lacks SeDebugPrivilege until they explicitly elevate
  • Reviewing which accounts hold SeImpersonatePrivilege, SeAssignPrimaryTokenPrivilege and SeDebugPrivilege (whoami /priv on the host, or the User Rights Assignment policy) and removing them where they are not required
  • Keeping privileged accounts off lower-tier hosts, so that no domain administrator token exists on a workstation for an attacker to steal
  • Implementing a Privileged Access Management (PAM) solution
  • Implementing a strong password policy
  • Using multi-factor authentication
  • Implementing a Security Information and Event Management (SIEM) solution

Last updated 2 years ago