Active Directory Security — Pass The Hash Attack

Huriye Özdemir
3 min read · May 18, 2022

Pass the Hash (PtH) is a technique for authenticating to a system with the NTLM hash of a user's password instead of the password itself. It works because NTLM authentication never uses the clear-text password: the client proves possession of the hash, so whoever holds the hash can log on.

If an attacker obtains a valid user name and the NTLM hash of that user's password (dumped from LSASS memory or from the SAM, for example), the hash alone is enough to authenticate to a remote server or service. There is no need to brute-force or crack the hash to recover the clear-text password. Pass the Hash can be very difficult to detect because, from the target's point of view, the attacker logs on with legitimate credentials.

In my first Active Directory article, Active Directory Security — Reconnaissance, I set up an Active Directory lab on my own computer; the machines and the details of the lab environment are described there.

I performed the Pass-the-Hash attack with the local Administrator account. During setup we set the same local administrator password on adsec-00 and on adsec-01, so the NTLM hash of that account is identical on both computers. That reuse is what makes the lateral movement below possible; giving every machine a unique, rotating local administrator password (the job of Microsoft's LAPS) breaks it.

1. Start Mimikatz with admin rights and then run the following commands:

privilege::debug
token::elevate
lsadump::sam
sekurlsa::pth /user:Administrator /ntlm:7dfa0531d73101ca080c7379a9bff1c7 /domain:doesnotmatter

We use the pth function in Mimikatz to get a shell that carries the NTLM hash of the local admin account as its network credential.

Purpose of the Mimikatz commands

privilege::debug — requests the debug privilege (SeDebugPrivilege). Members of the Administrators group hold this privilege by default, but it is disabled in the token until something enables it; privilege::debug turns it on so that Mimikatz can open protected processes such as LSASS.

The debug privilege is a security policy setting that allows users to attach a debugger to any process or to the kernel. An administrator can modify the security policy to grant or remove it for a user group. Because it gives complete access to sensitive and critical operating system components, it should be granted to as few accounts as possible.

token::elevate — impersonates a token. It is used to elevate to SYSTEM (the default) or to find and impersonate a domain admin token on the box. SYSTEM is required for the SAM dump in the next step, since the SAM hive is not readable by ordinary administrators.

lsadump::sam — reads the SysKey (boot key) from the registry, uses it to decrypt the SAM database and dumps the NTLM hashes of the local accounts. The /ntlm value passed to sekurlsa::pth above is the Administrator hash from this output.

sekurlsa::pth — pass the hash. /user: the user name to impersonate. /ntlm: the NTLM hash of that user's password. /domain: the fully qualified domain name of the account; here the account is local rather than a domain account, which is why a placeholder (/domain:doesnotmatter) is accepted, and for a local account the computer name is the usual value. By default pth starts cmd.exe (another program can be chosen with /run) in a new logon session whose NTLM credential material is replaced with the supplied hash. The process itself still runs as the current local user; only its network authentications use the injected hash, in the same way as runas /netonly.

2. Connect to adsec-01 using PsExec.

cd C:\attacker-tools
.\PsExec64.exe \\adsec-01 cmd

First, as user "john", we impersonated the local Administrator account and got a shell with the pth function on the adsec-00 machine.

Then, from that shell, we used PsExec to execute a process on the remote machine: a cmd.exe running as Administrator on adsec-01. PsExec authenticates to the target's ADMIN$ share over SMB, copies its PSEXESVC service binary there and starts it through the Service Control Manager; that SMB authentication is where the injected NTLM hash is used.

Huriye Özdemir

Senior Cybersecurity Consultant | Artist — Instagram: @art.lady.bug