by kemotep 876 days ago
Well, if not set up properly, it is possible to dump the Windows password hashes (and Linux too).

You take that list of hashes, and copy it to your password-cracking rig, where it can run for a few days to see how many password hashes you can find a match for. Then once you have identified a password hash match, you now know an account password.

However, if things aren’t properly secured where an attacker can dump password hashes, they likely can utilize “pass the hash” style attacks as well where you don’t even need to know the password to be able to sign in as a user.

1 comments

Windows networks are notoriously bad about this. If you find yourself on a Windows network, either because you found an active Ethernet jack in the lobby, or you get on the Wi-Fi, phishing, or you land on a Citrix box or whatever, you can run a tool called Responder.

Windows machines on a network are constantly scanning around, looking for new devices, and when they find them, they like to see if they can access them so they show up in network manager or whatever. They do this by trying to log in. Obviously logging in with a password would be insecure, so they try to log in with a hash. Responder pretends to be any sort of server that a Windows machine would try to log in to, so right when you run it, all the nearby machines hand over their hashes.

Crack even one of those hashes, and now you can log in to Active Directory. This will let you get the full list of all users, permissions, groups, machines, sessions, etc., and basically tell you exactly what you need to do to get anywhere you want (BloodHound is the main tool people use for this).

That AD account also lets you dump all the SPNs (service accounts) on the network, and because Windows is Windows, of course that gives you something like 20-30 password hashes, many of which are almost certainly Domain Admins on the network.

Crack a Domain Admin account, and you can basically do whatever you want on the network, including doing a dcsync, which is normally used to back up a domain controller, but also dumps every account and NTLM hash straight into your lap. These hashes can be used with pass-the-hash to impersonate any account, or you can just crack them and basically have free access to the network for the rest of your life.

The entire security of Windows networks is based on the premise that password crackers don't exist, which is why they have been fundamentally fucked for decades, and there's zero chance that any of this will ever get fixed.
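The DCSync step in the comment above has a clean defensive signal: replication is requested through directory-service access auditing, so a non-domain-controller account asking for the replication rights stands out. As an added example (not code from the thread or from any tool it names), this Python snippet flags such requests in constructed Windows Security 4662 events. The two GUIDs are the standard DS-Replication control-access rights; the list of legitimate DC accounts is an assumption you would fill from your own inventory.

```python
"""Flag DCSync-style replication requests in Windows Security event 4662.

Event 4662 is only emitted when 'Audit Directory Service Access' is enabled and
the domain object carries a SACL for Control Access; without that, nothing here fires.
Sample events below are constructed for illustration.
"""

# Well-known control-access right GUIDs that directory replication requires.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# Assumption: the machine accounts of your domain controllers, maintained from
# your own AD inventory. Replication by anything else is the alert condition.
KNOWN_DC_ACCOUNTS = {"DC01$", "DC02$"}


def is_dcsync_candidate(event: dict) -> bool:
    """True when a 4662 event requests replication rights from a non-DC principal."""
    if event.get("EventID") != 4662:
        return False
    # The Properties field lists requested rights as brace-wrapped GUIDs; compare
    # case-insensitively because log pipelines differ in how they render them.
    props = event.get("Properties", "").lower()
    if not any(guid in props for guid in REPLICATION_GUIDS):
        return False
    return event.get("SubjectUserName", "") not in KNOWN_DC_ACCOUNTS


def find_dcsync(events: list) -> list:
    """Return the events that should be raised as DCSync alerts."""
    return [e for e in events if is_dcsync_candidate(e)]


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    # Normal DC-to-DC replication: expected, not alerted.
    {"EventID": 4662, "SubjectUserName": "DC02$",
     "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    # A user account asking for both replication rights: the DCSync pattern.
    {"EventID": 4662, "SubjectUserName": "jsmith",
     "Properties": "Control Access {1131F6AD-9C07-11D1-F79F-00C04FC2DCD2} "
                   "{1131F6AA-9C07-11D1-F79F-00C04FC2DCD2}"},
    # Same user reading an ordinary attribute: no replication right, no alert.
    {"EventID": 4662, "SubjectUserName": "jsmith",
     "Properties": "Read Property {bf967aba-0de6-11d0-a285-00aa003049e2}"},
    # Unrelated logon event.
    {"EventID": 4624, "SubjectUserName": "jsmith", "Properties": ""},
]

if __name__ == "__main__":
    for alert in find_dcsync(SAMPLE_EVENTS):
        print("DCSync candidate:", alert["SubjectUserName"])
```

Pair this with the same check on 4662 events from the DCs themselves: a DC account that starts replicating from an unexpected source host is worth a look too, since a stolen DC credential passes the account filter above.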