Performing Pass-the-Hash Attacks with Mimikatz

Performing Pass-the-Hash Attacks with Mimikatz

Attack #4: Pass-the-Hash with Mimikatz

In my previous post, we learned how to extract password hashes for all domain accounts from the Ntds.dit file. In this post, we’re going to see what you can do with those hashes once you have them. Mimikatz has become the standard tool for extracting passwords and hashes from memory, performing pass-the-hash attacks and creating domain persistence through Golden Tickets. Mimikatz can be executed in a variety of ways to evade detection, including entirely in memory as part of the Invoke-Mimikatz command within PowerSploit. Let’s take a look at how easy Mimikatz makes it to pass-the-hash and perform other authentication-based attacks.

Pass-the-Hash

With the hash from the Ntds.dit file in hand, let’s look at how easily Mimikatz can enable us to perform actions on behalf of the Administrator account within the domain.

First, I will log into my computer as the user Adam, who has no special privileges within the domain:

Showing group membership for the logged in user, which contains no domain groups.

As Adam, if I try to execute PSExec, a tool for remote PowerShell execution, against my domain controller I receive an access denied message.

 

 

 

 

 

By issuing a command with Mimikatz, I can elevate my account to that of the Domain Administrator account. This will launch whatever process you specify with this elevated token. In this case, I will launch a new command prompt.

Executing Mimikatz and issuing a pass-the-hash command to launch a command prompt as a privileged user account.

With the newly launched command prompt I can perform activities as Jeff, the Domain Administrator, while Windows still thinks I am Adam. Here you can see I am now able to launch the PSExec session and enumerate the contents of my domain controller’s NTDS directory using the Pass-the-Hash technique.

Using Mimikatz and pass-the-hash to launch a successful PSexec session as an elevated user against a remote domain controller.

With the Ntds.dit file decrypted, every user’s password hash is in my control so I can perform actions on behalf of any user just as easily. This is a scary way to not only gain unlimited access but to cover my tracks and blend in as though I am the users who I am impersonating.

Protecting Against Pass-the-Hash

Pass-the-Hash is difficult to prevent, but Windows has introduced several new features to make it harder to execute. The most effective approach is to implement logon restrictions so your privileged account hashes are never stored where they can be extracted. Microsoft provides best practices to follow a tiered administrative model for Active Directory that ensures privileged accounts will be significantly harder to compromise using such methods. Enabling LSA Protection, leveraging the Protected Users security group, and using Restricted Admin mode for Remote Desktop are some other ways in which you can protect against these attacks.

In addition to proper upfront security, monitoring authentication and logon activity for abnormalities can expose any attempts to leverage these attack paths. Many times, these attacks follow patterns and result in accounts being used in ways that are not normal. Being alerted to this as it occurs can detect an attack before it is too late.

To register for the webinar on the AD Attack Series, please click here.

This is the final installment in our blog series, 4 Active Directory Attacks and How to Protect Against Them. To view the previous blogs, please click on the links below.

Jeff Warren is STEALTHbits’ Vice President of Product Management. Jeff has held multiple roles within the Product Management group since joining the organization in 2010, initially building STEALTHbits’ SharePoint management offerings before shifting focus to the organization’s Data Access Governance solution portfolio as a whole. Before joining STEALTHbits, Jeff was a Software Engineer at Wall Street Network, a solutions provider specializing in GIS software and custom SharePoint development.

With deep knowledge and experience in technology, product and project management, Jeff and his teams are responsible for designing and delivering STEALTHbits’ high quality, innovative solutions.

Jeff holds a Bachelor of Science degree in Information Systems from the University of Delaware.

Leave a Reply

Your email address will not be published. Required fields are marked *

*