Wednesday 10 February 2021

Accessing accounts without a password by Passing the Hash

Introduction

This post will demonstrate how it is possible to gain access to administrator accounts without knowing the password. The attack works by passing the user's local hash in place of the password.

This attack only works with local SAM hashes (NTLM) and not with domain hashes (NTLMv2). As demonstrated in a previous post (https://swepssecurity.blogspot.com/2021/02/capturing-local-sam-hashes-via-smb.html), these local hashes can be acquired via a local SMB relay attack. Since many administrators use the same password for both local and domain accounts, it is possible to log in to a domain controller and other high-value systems using only local hashes.

Hash Spraying

Say you have an Administrator's NTLM hash on a network with hundreds or even thousands of computers. Trying to log in with the hash on each and every system would be a near-impossible task, and enumerating the NTLM hashes on each system to gain further access would be even more of a nightmare. Luckily there is a tool called "crackmapexec" which is designed for exactly this purpose and is part of the Impacket suite.

crackmapexec can take a single hash and spray an entire subnet with it, not only to try to gain access but, once a system is accessed, to dump all of its local hashes as well. crackmapexec can spray the following protocols: ldap, ssh, smb, winrm and mssql. I will be spraying for smb logins. Note the --sam switch, which dumps the local SAM hashes once access is gained.

crackmapexec smb 192.168.1.0/24 -u Administrator -H 64f12cddaa88057e06a81b54e73b949b --sam

The output shows that the Administrator account exists locally on a number of systems, including a Server 2019 system.

Logging into accounts using the hash

To log in to an account using the hash we can use Impacket's psexec tool.

psexec.py Administrator:@192.168.1.50 -hashes aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b
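As an added example (not code from the original post, and not part of crackmapexec or Impacket), the following Python detection logic looks at the defender's side of the two commands above: the spraying pattern a run like the crackmapexec one leaves in Windows Security logs (one source address, one account, many hosts, a mix of 4624 successes and 4625 failures over NTLM network logons within a few minutes), and the System event 7045 service-install footprint that service-based remote execution such as psexec leaves on the target moments after the logon. The event records and their field names are constructed samples modelled on those events, not real telemetry; the service name and image paths are made up.

```python
"""Detection for NTLM hash spraying and follow-on service-based execution.

Added example, not from the original post. Events are constructed samples with
simplified field names modelled on Security 4624/4625 (logon success/failure)
and System 7045 (a service was installed).
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(time, event_id, computer, **fields):
    """Build one constructed event record."""
    return {"time": time, "event_id": event_id, "computer": computer, **fields}


# Constructed sample telemetry (not captured from a real network).
SAMPLE_EVENTS = [
    # One source sprays a single account across six hosts in ten seconds;
    # a spray leaves a mix of 4625 failures and 4624 successes behind.
    _ev("2021-02-10T09:00:01", 4625, "WS01", user="Administrator", logon_type=3,
        auth_pkg="NTLM", src_ip="192.168.1.77"),
    _ev("2021-02-10T09:00:03", 4624, "WS02", user="Administrator", logon_type=3,
        auth_pkg="NTLM", src_ip="192.168.1.77"),
    _ev("2021-02-10T09:00:05", 4624, "WS03", user="Administrator", logon_type=3,
        auth_pkg="NTLM", src_ip="192.168.1.77"),
    _ev("2021-02-10T09:00:07", 4625, "WS04", user="Administrator", logon_type=3,
        auth_pkg="NTLM", src_ip="192.168.1.77"),
    _ev("2021-02-10T09:00:09", 4624, "WS05", user="Administrator", logon_type=3,
        auth_pkg="NTLM", src_ip="192.168.1.77"),
    _ev("2021-02-10T09:00:11", 4624, "SRV2019", user="Administrator", logon_type=3,
        auth_pkg="NTLM", src_ip="192.168.1.77"),
    # Seconds after the successful logon a service with a random-looking name
    # appears on the server: the footprint of service-based remote execution.
    _ev("2021-02-10T09:00:14", 7045, "SRV2019", service_name="XyZq",
        image_path=r"%SystemRoot%\XyZq.exe"),
    # Benign noise: one user on one file server, Kerberos logons by a service
    # account, and an unrelated agent install earlier in the day.
    _ev("2021-02-10T09:00:02", 4624, "FS01", user="jdoe", logon_type=3,
        auth_pkg="NTLM", src_ip="192.168.1.20"),
    _ev("2021-02-10T09:03:00", 4624, "FS01", user="jdoe", logon_type=3,
        auth_pkg="NTLM", src_ip="192.168.1.20"),
    _ev("2021-02-10T09:01:00", 4624, "WS01", user="svc_backup", logon_type=3,
        auth_pkg="Kerberos", src_ip="192.168.1.5"),
    _ev("2021-02-10T08:30:00", 7045, "FS01", service_name="BackupAgent",
        image_path=r"C:\Program Files\Backup\agent.exe"),
]


def _when(event):
    return datetime.fromisoformat(event["time"])


def detect_spray(events, window_minutes=5, min_hosts=5):
    """One alert per (source IP, account) that made NTLM network logons (type 3)
    against at least min_hosts distinct computers inside a sliding window.
    Failures count too: the spray is the pattern, not the outcome."""
    by_key = defaultdict(list)
    for e in events:
        if e["event_id"] not in (4624, 4625):
            continue
        if e["logon_type"] != 3 or e["auth_pkg"] != "NTLM":
            continue
        by_key[(e["src_ip"], e["user"])].append((_when(e), e["computer"], e["event_id"]))

    window = timedelta(minutes=window_minutes)
    alerts = []
    for (src_ip, user), recs in by_key.items():
        recs.sort()
        best, start = None, 0
        for end in range(len(recs)):
            # Slide the window start forward until the span fits in the window.
            while recs[end][0] - recs[start][0] > window:
                start += 1
            span = recs[start:end + 1]
            hosts = {r[1] for r in span}
            if len(hosts) >= min_hosts and (best is None or len(hosts) > len(best["hosts"])):
                best = {"src_ip": src_ip, "user": user, "hosts": sorted(hosts),
                        "successes": [(r[0], r[1]) for r in span if r[2] == 4624]}
        if best is not None:
            alerts.append(best)
    return alerts


def correlate_service_installs(events, alerts, grace_seconds=60):
    """For each spray alert, find 7045 service installs on a sprayed host within
    grace_seconds after one of that spray's successful logons."""
    installs = [e for e in events if e["event_id"] == 7045]
    hits = []
    for alert in alerts:
        for logon_time, host in alert["successes"]:
            for svc in installs:
                delay = (_when(svc) - logon_time).total_seconds()
                if svc["computer"] == host and 0 <= delay <= grace_seconds:
                    hits.append({"src_ip": alert["src_ip"], "user": alert["user"],
                                 "computer": host, "service_name": svc["service_name"],
                                 "image_path": svc["image_path"], "seconds_after_logon": delay})
    return hits


if __name__ == "__main__":
    spray_alerts = detect_spray(SAMPLE_EVENTS)
    for a in spray_alerts:
        print(f"spray: {a['user']} from {a['src_ip']} -> {len(a['hosts'])} hosts, "
              f"{len(a['successes'])} succeeded")
    for h in correlate_service_installs(SAMPLE_EVENTS, spray_alerts):
        print(f"service installed after spray logon: {h['computer']} {h['service_name']} "
              f"{h['image_path']} (+{h['seconds_after_logon']:.0f}s)")
```

The thresholds (five hosts in five minutes, a sixty-second grace period for the service install) are starting points to tune against normal administration traffic: legitimate management tools also produce NTLM type 3 logons to many hosts, so the source address and account are what separate a known admin jump host from a workstation that should never be authenticating as a local Administrator across the subnet.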

Mitigation

  • Avoid re-using local account passwords across systems
  • Disable the built-in Guest and Administrator accounts
  • Do not use the same passwords for domain and local accounts
  • Rotate passwords
  • Limit the number of local administrators