Random Flashcards
What is Pass the Hash?
A hacking technique that allows an attacker to authenticate to a remote server or service by using the underlying NTLM or LanMan hash of a user's password, without needing the plaintext password.
What can pass the hash target?
This technique can be performed against any server or service accepting LM or NTLM authentication.
What kind of ATT&CK technique is pass the hash?
It is primarily a lateral movement technique.
How do you execute a pass-the-hash attack?
To execute a pass-the-hash attack, the attacker first obtains the hashes from the targeted system using a hash-dumping tool such as fgdump or pwdump7.
The attacker then uses these tools to place the obtained hashes into the Local Security Authority Subsystem Service (LSASS), so that the system authenticates with them on the attacker's behalf.
How do you mitigate a pass-the-hash attack?
Because pass-the-hash exploits the features and capabilities of the NTLM protocol, the threat of pass-the-hash attacks cannot be eliminated completely.
To mitigate the threat of a pass-the-hash attack, organizations should ensure domain controllers can only be accessed from trusted systems without internet access.
Two-factor authentication that uses tokens and the principle of least privilege should also be enforced.
Compensating control: Organizations should closely monitor hosts and traffic within their networks for suspicious activity.
PKI Certificate Types:
Root: issues other certificates, or allows for the creation of trusted certificates.
User: associated with a user; can be used in authentication (something you have).
Email:
What is Kerberoasting?
Kerberoasting is a post-exploitation attack technique that attempts to obtain a password hash of an Active Directory account that has a Service Principal Name (“SPN”).
How do Kerberoasting attacks work?
Kerberoasting attacks exploit a combination of weak encryption techniques and simple or low-complexity passwords. These attacks typically follow the process below:
1) A threat actor compromises the account of a Domain User.
2) The threat actor uses the Domain User context to request a Kerberos service ticket from the ticket-granting service (TGS) using tools like GhostPack's Rubeus or SecureAuth Corporation's GetUserSPNs.py.
3) The threat actor receives a ticket from the Kerberos key distribution center (KDC). The ticket is encrypted with a hashed version of the service account's password.
4) The threat actor captures the TGS ticket and takes it offline.
5) The threat actor attempts to crack the SPN credential hash to obtain the service account's plaintext password using brute-force techniques or tools like Hashcat or John the Ripper.
6) With the service account password in hand, the threat actor attempts to authenticate as the service account and is granted access to any service, network or system associated with the compromised account.
7) The attacker is then able to steal data, escalate privileges or set backdoors on the network to ensure future access.
How do you detect and stop Kerberoasting Attacks?
1) Ensure strong password hygiene.
2) Identify privileged service accounts (for example with BloodHound).
3) Monitor the Windows event log for anomalous ticket-granting service (TGS) requests. Events 4769 and 4770 in the subcategory Audit Kerberos Service Ticket Operations audit all TGS requests and renewals. These events should be examined for:
Use of RC4 encryption — Because RC4 is considered a weak algorithm, TGS requests and replies that include an encryptionType of 0x17 (rc4-hmac) are suspicious. RC4-encrypted tickets can be brute-forced more easily than AES-encrypted ones, so an adversary may explicitly request RC4 for this purpose.
An abnormal volume of TGS requests from a single account or host.