Introduction: Extracting User Password Data with Mimikatz DCSync Mimikatz provides a variety of ways to extract and manipulate credentials, but probably one of the most useful and scary ways is using the DCSync command. This attack simulates the behavior of a domain controller and asks other domain controllers to replicate information using the Directory Replication Service […]
Introduction: SSP Attacks Mimikatz provides attackers several different ways to store credentials from memory and extract them from Active Directory. One of the more interesting tools provided is the MemSSP command, which will register a Security Support Provider (SSP) on a Windows host. Once registered, this SSP will log all passwords in clear text for […]
AD Permissions Attack #3: Persistence using AdminSDHolder and SDProp Now that we’ve compromised privileged credentials by exploiting weak permissions, it’s time to make sure we don’t lose our foothold in the domain. That way, even if the accounts we’ve compromised are deleted, disabled, or have their passwords reset we can easily regain Domain Admin rights. […]
AD Permissions Attack #2: Attacking Permissions with BloodHound So far in this series, we’ve explored the importance of Active Directory permissions and just how easy it is for attackers to discover vulnerable permissions. Unless an organization has left Domain Admin permissions wide open, perpetrating an attack against Active Directory permissions can get rather complex. A […]
AD Permissions Attack #1: Exploiting Weak Permissions with PowerSploit In the introductory post, we outlined some reasons why attackers may target AD permissions. In this post, we are going to look at specific ways to search for weak permissions. This attack can be perpetrated without any privileges in an environment, so finding these weaknesses is […]
Introduction: Active Directory Permissions Attacks In a previous blog series, we have written about attacks against Active Directory (AD) administrative rights and service accounts. These topics have led to several discussions with coworkers and employees about other ways to penetrate and attack Active Directory environments. Throughout these conversations, one topic was repeatedly overlooked: Active Directory […]
Introduction: Service Account Attacks Whether you realize it or not, service accounts represent a major risk to your data security. I’ve had many customers inquire about how to protect service accounts within their Active Directory environments. Through these conversations, I’ve learned that organizations want to understand the fundamentals of service accounts, and how attackers can […]
Attack #4: Pass-the-Hash with Mimikatz In my previous post, we learned how to extract password hashes for all domain accounts from the Ntds.dit file. In this post, we’re going to see what you can do with those hashes once you have them. Mimikatz has become the standard tool for extracting passwords and hashes from memory, […]
AD Attack #3 – Ntds.dit Extraction With so much attention paid to detecting credential-based attacks such as Pass-the-Hash (PtH) and Pass-the-Ticket (PtT), other more serious and effective attacks are often overlooked. One such attack is focused on exfiltrating the Ntds.dit file from Active Directory Domain Controllers. Let’s take a look at what this threat entails and how […]
AD Attack #2 – Local Admin Mapping Once an attacker has established a foothold inside your domain, their primary objective is to compromise their target as quickly as possible without detection. Whether the target is sensitive data stored on a file server or compromising a Domain Admin account, the attacker must first formulate a plan […]
Start a Free Stealthbits Trial!
No risk. No obligation.