search

key-skeletonPass Attacks

hashtag
Attacks

hashtag
Netexec

  • We can use nxc to check if our credentials we've acquired work for any machines on the network

$ nxc smb [CIDR range] -u [username] -d [domain] -p [password]

  • We can also use hashes for this:

# ONLY WORKS WITH NTLMV1
$ nxc smb [CIDR range] -u [username] -d [domain] -H [hash]

  • local accounts need the --local-auth flag and no -d flag

  • We can also use nxc to dump the sam with the --sam flag

  • or dump the lsa with the --lsa flag

  • or enumerate shares with the --shares flag

  • or use a mimikatz attack with -M lsassy

hashtag
Secretsdump.py

  • Good tool to use if we have local admin creds to get hashes as it does all at once:

$ secretsdump.py [domain]/[user]:[password]@[target]

  • You can use a hash by omitting the password (keep the colon) and use the -hashes [hash] flag

hashtag
wdigest

Older protocol, stored passwords in plain text in the registry (secretsdump would show these)

hashtag
Defense

Hard to completely prevent but we can make it harders

hashtag
Limit account re-use

hashtag
Utilize strong passwords

hashtag
PAM (Privilege Access Management)

Tools for check-in/out that have rotating passwords

PreviousPassback AttacksNextKerberoasting

Last updated