Pass Attacks

Attacks

Netexec

  • We can use nxc to check whether credentials we've acquired work on any machine in a network range:

$ nxc smb [CIDR range] -u [username] -d [domain] -p [password]
  • We can also authenticate with a hash instead of a password:

# ONLY WORKS WITH NTLMV1
$ nxc smb [CIDR range] -u [username] -d [domain] -H [hash]
  • Local accounts need the --local-auth flag and no -d flag

  • We can also use nxc to dump the SAM with the --sam flag

  • or dump LSA secrets with the --lsa flag

  • or enumerate shares with the --shares flag

  • or run a mimikatz-style attack with -M lsassy

Secretsdump.py

  • A good tool to use when we have local admin creds, since it dumps all the hashes in one pass:

$ secretsdump.py [domain]/[user]:[password]@[target]
  • To use a hash instead, omit the password (keep the colon) and add the -hashes [hash] flag

wdigest

An older authentication protocol that stored passwords in plain text in the registry (secretsdump would show these).

Defense

Hard to prevent completely, but we can make it harder:

Limit account re-use

Utilize strong passwords

PAM (Privileged Access Management)

Tools that check credentials in and out and rotate the password after each use
