This article provides a technical walkthrough of Pass-the-Hash (PtH) attacks against Windows Active Directory, demonstrating exploitation across SMB, WinRM, WMI, MSSQL, RDP, and LDAP using tools such as nxc, Impacket, Metasploit, Evil-WinRM, pth-winexe, Mimikatz, and Rubeus. It includes a lab setup (ignite.local with a Windows Server 2019 domain controller), detailed command examples for lateral movement and credential dumping, and mitigation strategies such as Credential Guard, NTLM restrictions, and tiered administration.
Key points
- Pass-the-Hash enables authentication using NTLM hashes without needing the plaintext password.
- Multiple protocols (SMB, WinRM, WMI, MSSQL, RDP, LDAP) accept NTLM hash authentication and are shown to be usable for PtH lateral movement.
- Common offensive tools demonstrated include nxc, Impacket, Metasploit, Evil-WinRM, pth-winexe, Mimikatz, and Rubeus.
- A single compromised administrator NTLM hash can lead to full domain compromise in an Active Directory environment.
- Effective mitigations include enabling Credential Guard, restricting NTLM, enforcing least privilege, SMB signing, and implementing a tiered administration model.
Read More: https://www.hackingarticles.in/lateral-movement-pass-the-hash-attack/