It has been a while since I have updated the website with a new blog.
In April I passed the eCPPT exam, which made me hungry for more. The exam was challenging as well, and I found it very useful.
Eventually I will try to pass the OSCP, but first I am going to study for the CISSP exam, which I think will be very hard.
In the meantime I am focusing on pentesting Active Directory in different ways, and I will try to blog about this for myself and future followers.
In the first part I am going to explain how you can steal hashes in a Windows environment.
My AD-Hack-LAB contains:
- Windows server 2016 (adhack.lab Domain Server, 192.168.10.10)
- Windows 10 computer (domain joined as WIN10PC1, 192.168.10.20)
- Windows 10 computer (domain joined as WIN10PC2, 192.168.10.30)
- Windows 10 computer (not domain joined, WIN10PC3, 192.168.10.40)
- Kali Linux 2019.1 (AttackerPC, 192.168.10.60)
Pentesting the Active Directory – stealing hashes
Nearly 80% of companies use Microsoft Windows as their standard OS.
This means that in a corporate environment NTLM/NTLMv2 hashes are sent over the network for authentication.
For a pentester, capturing these hashes and using them for lateral movement is very interesting.
A tool we can use to capture these hashes is Responder, which is installed by default on Kali:
responder -I eth0
If the victim mistypes a share name, Responder will respond to it and capture the hash, as you can see below.
We then copy the hash and place it in a file called hash.txt.
We can then try to crack the hash and recover the password with hashcat, which is also installed by default on Kali:
hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt --force