
Saturday, September 18, 2021

Active Directory CORPORATIVE.domain.local Series[VI] : NTLM hashes and local/domain authentication architecture

Hi everyone!,

So far so good. In this post we are going to review some theoretical concepts about NTLM hashes, the user types they belong to, and how they can be obtained with the crackmapexec utility:

First of all, let's review the Microsoft local authentication architecture from a high-level point of view. As you can see in the official Microsoft documentation, the components of the authentication process are the following:



In the previous image there are two places in the architecture design that are very interesting from the attacker's point of view:

    - SAM: this is where the operating system stores the NTLM hashes of the computer's local users.

    - LSA: this is where the operating system stores the NTLM hashes of domain users that have logged on to the machine.


Obviously the difference between these two kinds of users is important:

    - Local users can log on to the local machine without a network connection.

    - Domain users can log on to any machine in the corporative.domain.local environment.


How to obtain them: with administrative credentials on any machine it is possible to dump the SAM (as I explained in a previous post of the Active Directory series) or the LSA. Here is an execution example of this attack using the crackmapexec tool over the corporative.domain.local environment:


    - Obtaining a dump of the SAM NTLM hashes:

    


    - Obtaining a dump of the LSA NTLM hashes:



There is another important place in the domain controller architecture that is required by the authentication process.

Windows Active Directory has a local database that contains all the domain users with their credentials in NTLM hash format, as you can see in the following architecture design:




And of course, it can be obtained using the crackmapexec tool with domain controller admin credentials.



   Finally, there are a lot of techniques and tools that we can use to log on to a target machine as a user with NTLM hash credentials:

    - crackmapexec

    - psexec

    - evil-winrm

    - pth-rpcclient

    - pth-smbclient

    - pth-smbget

    - pth-sqsh

    - pth-winexe

    - pth-wmic

    - pth-wmis

    - xfreerdp

But I'm going to create a special post only for this kind of attack; in advance, here are a couple of examples:

- Dump the LSA from the domain controller, enable RDP on every active domain computer and finally log in using the Remote Desktop Protocol:




- Pass-the-hash access using the wmiexec tool:
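From the defender's side, the logons produced by these pass-the-hash tools leave traces in the Windows Security log. The following Python script is an added example, not part of the original post or of any tool mentioned here: it triages constructed 4624 logon records using two commonly cited heuristics (NTLM network logon with no session key negotiated, and a NewCredentials logon from the `seclogo` process). The field names follow the 4624 event schema; the `key=value` record format and the sample data are assumptions and the heuristics need tuning per environment.

```python
"""Triage Windows Security 4624 logon records for pass-the-hash indicators.

The records below are constructed sample data, not real logs. Field names
mirror the Security event 4624 schema; the comma-separated key=value layout
is an assumption made for this example.
"""
from typing import Dict, List, Optional

SAMPLE_EVENTS = """\
EventID=4624,LogonType=3,AuthenticationPackageName=Kerberos,LogonProcessName=Kerberos,KeyLength=256,TargetUserName=alice,IpAddress=10.0.0.15
EventID=4624,LogonType=3,AuthenticationPackageName=NTLM,LogonProcessName=NtLmSsp,KeyLength=0,TargetUserName=administrator,IpAddress=10.0.0.99
EventID=4624,LogonType=3,AuthenticationPackageName=NTLM,LogonProcessName=NtLmSsp,KeyLength=128,TargetUserName=bob,IpAddress=10.0.0.16
EventID=4624,LogonType=3,AuthenticationPackageName=NTLM,LogonProcessName=NtLmSsp,KeyLength=0,TargetUserName=WS03$,IpAddress=10.0.0.17
EventID=4624,LogonType=9,AuthenticationPackageName=Negotiate,LogonProcessName=seclogo,KeyLength=0,TargetUserName=carol,IpAddress=::1
EventID=4624,LogonType=3,AuthenticationPackageName=NTLM,LogonProcessName=NtLmSsp,KeyLength=0,TargetUserName=ANONYMOUS LOGON,IpAddress=10.0.0.20
"""


def parse_event(line: str) -> Dict[str, str]:
    """Parse one 'key=value,key=value' record into a dict."""
    fields: Dict[str, str] = {}
    for item in line.strip().split(","):
        key, _, value = item.partition("=")
        fields[key] = value
    return fields


def classify(ev: Dict[str, str]) -> Optional[str]:
    """Return a finding label for a suspicious 4624 record, else None."""
    if ev.get("EventID") != "4624":
        return None
    user = ev.get("TargetUserName", "")
    # Machine accounts and null sessions are noisy here; handle them separately.
    if user.endswith("$") or user.upper() == "ANONYMOUS LOGON":
        return None
    # Heuristic 1: network logon authenticated with NTLM and no session key
    # (KeyLength 0), the shape many hash-based remote logons leave on the target.
    if (ev.get("LogonType") == "3" and ev.get("AuthenticationPackageName") == "NTLM"
            and ev.get("LogonProcessName") == "NtLmSsp" and ev.get("KeyLength") == "0"):
        return "ntlm-network-logon-no-session-key"
    # Heuristic 2: NewCredentials (type 9) logon via 'seclogo', the pattern left
    # on the source host when alternate credentials are injected into a session.
    if ev.get("LogonType") == "9" and ev.get("LogonProcessName") == "seclogo":
        return "newcredentials-seclogo-logon"
    return None


def triage(raw: str) -> List[Dict[str, str]]:
    """Run classify() over every record and collect the findings."""
    findings = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        label = classify(ev)
        if label:
            findings.append({"user": ev.get("TargetUserName", ""),
                             "source": ev.get("IpAddress", ""), "reason": label})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Correlating the type 3 findings with the source IP (is it a managed workstation?) and the type 9 findings with a 4648 explicit-credential event on the same host cuts most of the false positives.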




And that's all for this Active Directory attack. I hope you enjoyed my sixth Windows entry and that you'll follow my blog [https://roadtooscp-f0ns1.blogspot.com/]. We'll keep in touch.


With kind regards, f0ns1

