Pass Attacks
Last updated
In cybersecurity, pass attacks abuse the authentication mechanisms of networked Windows systems by replaying credential material the attacker already holds: a plaintext password in pass-the-password, or an NTLM hash in pass-the-hash. NTLM authentication is computed from the hash rather than the password, so a captured hash is accepted as-is and never has to be cracked. Both variants enable lateral movement within a network, typically by reusing one credential across many hosts, which sidesteps conventional security boundaries.
Step 1: Initial Setup with CrackMapExec
CrackMapExec is a post-exploitation tool for enumerating and exploiting Active Directory (AD) environments over protocols such as SMB. First, we confirm that CrackMapExec is installed and working by printing its top-level help, which lists the supported protocols and global options:
Step 2: Running SMB Commands
To explore SMB (Server Message Block) shares and services, we start by listing the help options specific to the smb protocol; this is where the authentication and enumeration flags used in the following steps are documented:
We then sweep the network, specifying the target subnet and a set of credentials. In this phase the fcastle credentials are accepted by the Punisher and Spiderman machines, which shows that the same credential is valid on more than one host and gives us a foothold on additional systems.
The command uses CrackMapExec to scan the 192.168.92.0/24 subnet for hosts with SMB open. It attempts to authenticate to each one with the username fcastle and password Password1 on the domain MARVEL.local. Every host reports whether the logon succeeded, and a host on which the account holds local administrator rights is additionally flagged with (Pwn3d!); that flag is the precondition for the credential-dumping steps later on. This is typically used for credential validation and network reconnaissance during a penetration test.
Step 3: Testing Authentication with Hashes
We use the -H option for hash-based authentication, supplying an NTLM hash in place of a password. The option accepts either the 32-hex-character NT hash on its own or the LM:NT pair exactly as printed by a dump. Because the NTLM exchange is computed from the hash and not from the plaintext, the hash alone is sufficient: this is the essence of a pass-the-hash attack, and cracking the hash is unnecessary.
Step 4: Enumerating SAM Accounts and Shares
SAM (Security Account Manager) databases and shared folders are common targets in network environments. Dumping the local SAM yields the NT hashes of every local account on that host (this requires local administrator rights on the target, i.e. the hosts flagged in the previous step), and listing shares shows which resources the account can read or write. Together they provide insight into the network's structure and into where reused local-administrator hashes will work next.
SAM Enumeration (the --sam option)
Shared Folders Enumeration (the --shares option)
Step 5: Local Security Authority (LSA) Enumeration
The Local Security Authority (LSA) stores secrets alongside its security policies: cached domain logon verifiers, service-account passwords and the machine account password. Dumping them with the --lsa option (again requiring local administrator rights on the host) frequently yields credentials for accounts beyond the local ones held in the SAM.
Step 6: Listing Available Modules
We use the -L option to list the modules CrackMapExec can run against SMB targets (share enumeration itself is the --shares option from Step 4). Modules extend the basic checks with post-exploitation actions such as credential dumping, and the next step runs one of them.
Step 7: Running LSASSY Module
Lsassy is a credential-extraction tool that runs as a CrackMapExec module (-M lsassy). It dumps the memory of the Local Security Authority Subsystem Service (LSASS) on the target and parses out the NT hashes, and sometimes plaintext passwords, of users who are or were recently logged on there, which often includes domain accounts more privileged than the one we authenticated with. Like the SAM and LSA dumps, it requires local administrator rights on the host.
Step 8: Database Enumeration and Switch to CMEDB
We switch to CMEDB, CrackMapExec's integrated database, which records every host, credential and share discovered during the runs above so they can be reviewed after the fact rather than re-scanned.
Enter CMEDB by running cmedb, which opens an interactive prompt.
Check hosts and shares at that prompt with the following commands:
hosts
shares
Step 9: Dumping Hashes with SecretsDump
SecretsDump (Impacket's secretsdump.py) retrieves hashed credentials from a target remotely; with local administrator access it reads the SAM hashes and LSA secrets directly, printing one user:rid:lmhash:nthash::: line per account. It can be driven in three ways:
1. Dumping Hashes with Credentials (domain/username:password@target)
2. Using Alternate Credentials (the same form with a different account, for example one recovered in Step 7)
3. Dumping Hashes with a Provided Hash (the -hashes LM:NT option, pass-the-hash applied to the dump itself)
Cracking Retrieved Hashes with Hashcat
Once hashes are extracted, we crack them to recover the plaintext passwords, which are needed wherever a hash cannot simply be replayed (web portals, VPNs, RDP). After creating a file for the hashes:
· Create a Hash File
Then paste the copied hashes into this file, one per line.
· Verify NTLM Hash Format
A dump line has the form user:rid:lmhash:nthash:::. The NT hash is the fourth field, 32 hexadecimal characters, and only that field belongs in ntlm.txt for mode 1000. An LM field of aad3b435b51404eeaad3b435b51404ee means LM hashing is disabled, and an NT value of 31d6cfe0d16ae931b73c59d7e0c089c0 is the hash of an empty password; neither needs cracking.
· Crack Hashes with Hashcat
hashcat: the tool used for high-performance password cracking. It supports hundreds of hash types and dictionary, brute-force, mask and hybrid attacks.
-m 1000: the -m option selects the hash type. Mode 1000 is the NT hash (commonly called the NTLM hash): MD4 of the UTF-16LE-encoded password, unsalted, as stored in the SAM and in NTDS.dit on domain controllers. It tells Hashcat that the values in ntlm.txt are NT hashes; the older LM hash from the same dump line is a different type (mode 3000).
ntlm.txt: the input file containing the NT hashes to crack, one per line.
rockyou.txt: the wordlist used for the dictionary attack. Each candidate word is hashed and compared against every entry in the file; because the hash is unsalted, one pass over the wordlist covers all of the hashes at once.
Pass the Hash / Pass the Password: Mitigations
Pass attacks cannot be fully prevented while NTLM is in use, but several mitigations significantly raise the difficulty for attackers:
1. Limit Account Re-use
o Unique Passwords for Each Local Administrator Account: Avoid re-using the same password across local administrator accounts; a solution such as LAPS assigns each machine its own randomised local administrator password. This directly defeats the reuse seen above, where one credential was accepted on both Punisher and Spiderman.
o Disable Guest and Built-In Administrator Accounts: Disabling these accounts reduces attack entry points, as they are well-known default targets.
o Apply the Principle of Least Privilege: Restrict local administrator rights to the personnel and systems that need them. Every dumping step above depended on local administrator access, so fewer admin accounts means fewer hosts from which hashes can be harvested.
2. Utilize Strong Passwords
o Enforce Long and Complex Passwords: Require passwords longer than 14 characters with a mix of upper and lower case letters, numbers, and symbols. Note what this does and does not buy: it makes cracking a dumped hash impractical, but it does nothing against replaying the hash itself, since the hash is accepted regardless of how strong the password behind it is.
3. Multi-Factor Authentication (MFA)
o Adding MFA, especially for privileged accounts, protects the interactive and remote-access paths (VPN, RDP gateways, admin portals) where a cracked password would otherwise be used. It does not by itself protect NTLM network logons such as SMB, so it complements rather than replaces the measures above.
4. Network Segmentation and Isolation
o Separate High-Risk and Critical Systems: Segment the network so that high-value assets, such as domain controllers and critical servers, are isolated from other zones, and restrict workstation-to-workstation SMB, since that is the path lateral movement with a reused hash travels. This limits how far an attacker can go if one account or machine is compromised.