Post-Compromise Attacks in AD: Credential Validation with CrackMapExec
2026-7-4 04:32:56 Author: infosecwriteups.com

Kavin Jindal

“P.S. I wrote this article while still learning Active Directory penetration testing myself, so there may be gaps or imperfections in places. Any kind of constructive feedback is welcome.”

In this write-up, I will demonstrate post-compromise attacks in an Active Directory environment. The attacks will be carried out in a local AD lab built from a Windows Server 2016 domain controller and two Windows Enterprise user machines, THEPUNISHER and SPIDERMAN. The fcastle user has local administrative privileges on both machines for testing purposes.

Post-compromise attacks are only carried out after the attacker has gained initial access to the network. In this demonstration, we will assume access to a domain user credential that we obtained via LLMNR poisoning.

Using CrackMapExec to validate credentials

Here, we will use CrackMapExec to check whether an already obtained credential can authenticate to other machines in the domain.

CrackMapExec is a popular tool used to pentest AD Environments. It’s no longer maintained and was replaced by NetExec, which is a fork of the tool with more modules.

Consider the user fcastle, whose password we obtained via LLMNR poisoning and hash cracking. We will use it here to check whether the credential is valid on any other hosts on the network over the SMB protocol.

crackmapexec smb 192.168.91.0/24 -u fcastle -p Password1 -d MARVEL.local


As you can see, CrackMapExec scans the whole subnet for targets and tries the credential against every reachable machine. Here the credential works on two machines, THEPUNISHER and SPIDERMAN. The Pwn3d! tag indicates that fcastle also has local administrator privileges on both of them.
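What this subnet-wide credential check looks like from the defender's side, as an added example (not code from the article or from CrackMapExec): every host that is tried records a network logon attempt (event 4624 on success, 4625 on failure, logon type 3) from the same source, so a central log collector can flag one account touching many hosts within seconds. The host names, timestamps and the attacker IP 192.168.91.250 below are constructed for the MARVEL.local lab described above.

```python
# Added example (not from the article or CrackMapExec): flag one account being
# authenticated against many hosts in a short window, the trace a subnet-wide
# credential check leaves in centrally collected Windows Security logs.
# Events are modelled as dicts; the host names, IPs and timestamps are
# constructed for the MARVEL.local lab in the article (attacker IP assumed).
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = [  # constructed: 4624 = logon success, 4625 = failure, type 3 = network
    {"ts": "2024-01-01T10:00:01", "event_id": 4624, "host": "THEPUNISHER",
     "user": "fcastle", "logon_type": 3, "src_ip": "192.168.91.250"},
    {"ts": "2024-01-01T10:00:02", "event_id": 4624, "host": "SPIDERMAN",
     "user": "fcastle", "logon_type": 3, "src_ip": "192.168.91.250"},
    {"ts": "2024-01-01T10:00:02", "event_id": 4625, "host": "DC01",
     "user": "fcastle", "logon_type": 3, "src_ip": "192.168.91.250"},
    {"ts": "2024-01-01T10:00:03", "event_id": 4625, "host": "HOST3",
     "user": "fcastle", "logon_type": 3, "src_ip": "192.168.91.250"},
    # A normal console logon earlier in the day: must not contribute.
    {"ts": "2024-01-01T09:30:00", "event_id": 4624, "host": "THEPUNISHER",
     "user": "fcastle", "logon_type": 2, "src_ip": "127.0.0.1"},
]

def detect_credential_sweep(events, min_hosts=3, window_seconds=60):
    """Return one alert per (user, src_ip) that reached at least `min_hosts`
    distinct hosts over the network inside a sliding window. Failures count
    too: a sweep with a valid credential still fails on hosts where the
    account has no access, and the spread of hosts is the signal."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev["event_id"] in (4624, 4625) and ev["logon_type"] == 3:
            by_actor[(ev["user"], ev["src_ip"])].append(
                (datetime.fromisoformat(ev["ts"]), ev["host"], ev["event_id"]))
    window = timedelta(seconds=window_seconds)
    alerts = []
    for (user, src_ip), hits in by_actor.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the window forward
            if len({h for _, h, _ in hits[start:end + 1]}) >= min_hosts:
                limit = hits[start][0] + window
                burst = [hit for hit in hits if hits[start][0] <= hit[0] <= limit]
                alerts.append({"user": user, "src_ip": src_ip,
                               "hosts": sorted({h for _, h, _ in burst}),
                               "succeeded": sorted({h for _, h, e in burst if e == 4624})})
                break  # one alert per actor is enough
    return alerts
```

The "succeeded" list is the set of hosts an attacker would see marked as reachable, which is where a responder should look first for follow-on activity such as SAM dumps.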

Dumping SAM hashes

We can dump the SAM hashes of the users on the local machines. Keep in mind that these are hashes of local accounts, not domain accounts.


To dump them with CrackMapExec, add the --sam flag to the previous command.


As you can see in the above image, the SAM hashes of all the available accounts on the SPIDERMAN and THEPUNISHER machines were dumped successfully.

We can also use secretsdump from the Impacket suite to dump the SAM hashes in case the CME dump does not work.

impacket-secretsdump marvel/fcastle:[email protected]


As you can see, the tool provides much more than just SAM hashes, such as LSA secrets.

We can further use the above information and gain access to a device via psexec.py from the Impacket suite.

impacket-psexec.py marvel/fcastle:[email protected]


As you can see, we have gained a shell on the target after validating the credentials using CME.

It should be noted that using psexec.py is a very noisy method to gain a shell on the target as it drops an executable binary on the system. These days it gets easily flagged by Microsoft Defender, and I myself had to disable virus protection just for the sake of demonstration.

Hash cracking

We can use the above-obtained SAM hashes and crack them using Hashcat.

hashcat -m 1000 hashes.txt rockyou.txt

I did not perform this process on my device, considering I don’t have the required hardware to conduct hash-cracking. But if you have a good device with a dedicated GPU, then conducting this process should be a breeze. Hash-cracking also depends heavily upon the complexity of the password and will take a lot less time if it is short in length or less complex.


Article source: https://infosecwriteups.com/post-compromise-attacks-in-ad-credential-validation-with-crackmapexec-8eb31304f924?source=rss----7b722bfd1b8d---4