Attack #4: Pass-the-Hash with Mimikatz
In my previous post, we learned how to extract password hashes for all domain accounts from the Ntds.dit file. In this post, we’re going to see what you can do with those hashes once you have them. Mimikatz has become the standard tool for extracting passwords and hashes from memory, performing pass-the-hash attacks and creating domain persistence through Golden Tickets. Mimikatz can be executed in a variety of ways to evade detection, including entirely in memory as part of the Invoke-Mimikatz command within PowerSploit. Let’s take a look at how easy Mimikatz makes it to pass-the-hash and perform other authentication-based attacks.
With the hash from the Ntds.dit file in hand, let’s look at how easily Mimikatz can enable us to perform actions on behalf of the Administrator account within the domain.
First, I will log into my computer as the user Adam, who has no special privileges within the domain:
As Adam, if I try to execute PSExec, a tool for remote PowerShell execution, against my domain controller I receive an access denied message.
By issuing a command with Mimikatz, I can elevate my account to that of the Domain Administrator account. This will launch whatever process you specify with this elevated token. In this case, I will launch a new command prompt.
With the newly launched command prompt I can perform activities as Jeff, the Domain Administrator, while Windows still thinks I am Adam. Here you can see I am now able to launch the PSExec session and enumerate the contents of my domain controller’s NTDS directory using the Pass-the-Hash technique.
With the Ntds.dit file decrypted, every user’s password hash is in my control so I can perform actions on behalf of any user just as easily. This is a scary way to not only gain unlimited access but to cover my tracks and blend in as though I am the users who I am impersonating.
Protecting Against Pass-the-Hash
Pass-the-Hash is difficult to prevent, but Windows has introduced several new features to make it harder to execute. The most effective approach is to implement logon restrictions so your privileged account hashes are never stored where they can be extracted. Microsoft provides best practices to follow a tiered administrative model for Active Directory that ensures privileged accounts will be significantly harder to compromise using such methods. Enabling LSA Protection, leveraging the Protected Users security group, and using Restricted Admin mode for Remote Desktop are some other ways in which you can protect against these attacks.
In addition to proper upfront security, monitoring authentication and logon activity for abnormalities can expose any attempts to leverage these attack paths. Many times, these attacks follow patterns and result in accounts being used in ways that are not normal. Being alerted to this as it occurs can detect an attack before it is too late.
To register for the webinar on the AD Attack Series, please click here.
This is the final installment in our blog series, 4 Active Directory Attacks and How to Protect Against Them. To view the previous blogs, please click on the links below.
- AD Attack #1 – Performing Domain Reconnaissance (PowerShell)
- AD Attack #2 – Local Admin Mapping (Bloodhound)
- AD Attack #3 – Extracting Password Hashes from the Ntds.dit File