Lateral Movement in Active Directory from Linux
Password spraying technique in the domain with CrackMapExec
This technique, while effective, is quite noisy (it generates a burst of failed logons across many accounts) and is not a good choice for any assessment that requires stealth.
Attacking SAM
If we have a foothold on the target machine, we can retrieve other credentials held in the host's memory:
Memory and cache: mimipenguin, lazagne and Firefox_decrypt
Many applications and processes work with credentials needed for authentication and store them either in memory or in files so that they can be reused.
Firefox stored credentials:
The tool Firefox Decrypt is excellent for decrypting these credentials, and is updated regularly. It requires Python 3.9 to run the latest version. Otherwise, Firefox Decrypt 0.7.0 with Python 2 must be used.
Pass the Hash (PtH)
A Pass the Hash (PtH) attack is a technique in which an attacker authenticates with a user's NTLM password hash instead of the plaintext password.
- Pass the Hash with Mimikatz (Windows)
- Pass the Hash with PowerShell Invoke-TheHash (Windows)
- Pass the Hash with Impacket (Linux)
- Pass the Hash with CrackMapExec (Linux)
- Pass the Hash with evil-winrm (Linux)
- Pass the Hash with RDP (Linux)
- UAC Limits Pass the Hash for Local Accounts