Active Directory Post-Compromise Lab – Using CrackMapExec, Hash Dumping, and Pass-the-Hash Authentication

Objective

Today’s goal was to perform local enumeration and hash dumping on compromised hosts, then validate admin privileges using CrackMapExec (CME) with dumped credentials.

To do this, I simulated a post-compromise scenario in an Active Directory (AD) environment using CrackMapExec, secretsdump.py, and the Impacket suite to:

  • Enumerate network systems via SMB

  • Identify valid credentials across multiple hosts

  • Dump local SAM hashes

  • Attempt pass-the-hash authentication and remote command execution

Lab Setup

I continued using the same lab environment from the beginning of my Active Directory (AD) journey:

  • Attack Machine – Kali Linux

  • Windows 10 Workstation (Victim 1)

  • Windows 10 Workstation (Victim 2)

  • Windows Server (Domain Controller)

All machines are part of the same AD lab network.

Step 1: Network Enumeration and Credential Validation

After obtaining valid domain credentials, I scanned the subnet using CrackMapExec to identify accessible hosts and test authentication as seen below.




Successfully authenticated to multiple hosts using valid domain credentials.
Pwn3d! indicates administrative access.

Step 2: Dumping Local SAM Hashes

I attempted to dump local account hashes from discovered hosts using --sam:


Outcome:

Retrieved local SAM hashes from accessible Windows 10 machines.

Step 3: Offline Hash Extraction with secretsdump.py

Used secretsdump.py to perform offline hash extraction from saved registry hives:


Extracted local user hashes.

Step 4: Pass-the-Hash Authentication (Local)

Tried authenticating using baska2’s NTLM hash across the network:


✅ Valid hash on SULTANHASSAN
❌ Invalid elsewhere


Step 5: Share Enumeration

Using the authenticated session, I enumerated the available shares.


The shares directory is writable, a potential upload point for tools or payloads.

Key Takeaways

Step                  | Outcome                             | Insight
----------------------|-------------------------------------|--------
Network Enumeration   | Discovered 3 AD hosts               |
Password Spray        | Valid creds for multiple machines   |
SAM Dump              | Extracted local user hashes         |
Pass-the-Hash         | Valid authentication on one host    |
Privilege Escalation  | No admin rights                     |
Remote Shell          | RPC access denied                   |

Mitigation

To prevent similar attacks in a real-world Active Directory (AD) environment, the following defensive measures are recommended:

  1. Enforce Strong Password Policies

    • Require a minimum length of 14 characters.

    • Enforce complexity requirements (uppercase, lowercase, numbers, symbols).

    • Implement password expiration and history policies.

  2. Implement Local Administrator Password Solution (LAPS)

    • Randomizes local admin passwords per machine.

    • Prevents attackers from reusing hashes across multiple hosts (mitigates Pass-the-Hash).

  3. Restrict Lateral Movement

    • Disable SMBv1 and require SMB signing on all hosts.

    • Use firewall rules to limit SMB and RPC access only to necessary hosts.

  4. Monitor for Suspicious Authentication

    • Log and monitor failed login attempts and NTLM authentications.

    • Use SIEM solutions (e.g., Splunk, Microsoft Sentinel) to detect Pass-the-Hash activity.

  5. Apply the Principle of Least Privilege (PoLP)

    • Remove users from the local Administrators group unless absolutely required.

    • Avoid using domain admin accounts for daily operations.

  6. Regularly Patch and Update Systems

    • Ensure all Windows hosts are updated with the latest security patches to prevent exploitation via known vulnerabilities.
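The following script is an added example, not part of the original post, showing what the "monitor for suspicious authentication" item looks like in practice. It runs two heuristics over a constructed set of Windows Security Event 4624 (successful logon) records: one flags a single source that authenticates over NTLM to several hosts within a short window (the pattern a CrackMapExec credential check or spray leaves across the subnet in Step 1), and the other flags NTLM network logons to local accounts with KeyLength 0, a widely used pass-the-hash indicator (Step 4). The host names, IP addresses, account names and timestamps are all fictitious, and the KeyLength 0 test is a heuristic with known false positives (non-Windows SMB clients can produce it too), so treat both as triage signals rather than proof.

```python
# Added example (not from the original post): 4624-based detection heuristics
# for NTLM spraying and local-account pass-the-hash. All sample data is constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4624 events. Keys mirror the EventData field names of Event 4624
# (TargetUserName, TargetDomainName, IpAddress, LogonType, AuthenticationPackageName,
# LogonProcessName, KeyLength); "host" is the computer that logged the event.
SAMPLE_EVENTS = [
    # One domain account hitting three hosts within two seconds (CME-style sweep).
    {"time": "2025-01-10T09:00:01", "host": "WS01", "TargetUserName": "jdoe",
     "TargetDomainName": "LAB", "IpAddress": "10.0.0.5", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "LogonProcessName": "NtLmSsp", "KeyLength": 128},
    {"time": "2025-01-10T09:00:02", "host": "WS02", "TargetUserName": "jdoe",
     "TargetDomainName": "LAB", "IpAddress": "10.0.0.5", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "LogonProcessName": "NtLmSsp", "KeyLength": 128},
    {"time": "2025-01-10T09:00:03", "host": "DC01", "TargetUserName": "jdoe",
     "TargetDomainName": "LAB", "IpAddress": "10.0.0.5", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "LogonProcessName": "NtLmSsp", "KeyLength": 128},
    # Local account (domain == host name) accepted on two hosts with KeyLength 0:
    # the hash-reuse pattern that LAPS is meant to break.
    {"time": "2025-01-10T09:15:00", "host": "WS01", "TargetUserName": "localadmin",
     "TargetDomainName": "WS01", "IpAddress": "10.0.0.5", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "LogonProcessName": "NtLmSsp", "KeyLength": 0},
    {"time": "2025-01-10T09:15:01", "host": "WS02", "TargetUserName": "localadmin",
     "TargetDomainName": "WS02", "IpAddress": "10.0.0.5", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "LogonProcessName": "NtLmSsp", "KeyLength": 0},
    # Ordinary Kerberos logon: KeyLength 0 is normal here and must not be flagged.
    {"time": "2025-01-10T11:30:00", "host": "WS02", "TargetUserName": "asmith",
     "TargetDomainName": "LAB", "IpAddress": "10.0.0.9", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "LogonProcessName": "Kerberos", "KeyLength": 0},
    # Same domain user hours later; outside the window, so it does not join the sweep.
    {"time": "2025-01-10T13:00:00", "host": "WS01", "TargetUserName": "jdoe",
     "TargetDomainName": "LAB", "IpAddress": "10.0.0.5", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "LogonProcessName": "NtLmSsp", "KeyLength": 128},
]


def detect_ntlm_spray(events, min_hosts=3, window=timedelta(minutes=10)):
    """Flag (source IP, account) pairs with successful NTLM network logons to at
    least min_hosts distinct hosts inside any sliding window of length `window`.
    Returns a list of (ip, user, sorted_hosts) tuples, one per flagged pair."""
    by_actor = defaultdict(list)
    for e in events:
        if e["LogonType"] == 3 and e["AuthenticationPackageName"] == "NTLM":
            key = (e["IpAddress"], e["TargetUserName"].lower())
            by_actor[key].append((datetime.fromisoformat(e["time"]), e["host"]))

    findings = []
    for (ip, user), logons in by_actor.items():
        logons.sort()
        best = set()  # largest set of distinct hosts seen in one window
        end = 0
        for start in range(len(logons)):
            while end < len(logons) and logons[end][0] - logons[start][0] <= window:
                end += 1
            hosts = {h for _, h in logons[start:end]}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            findings.append((ip, user, tuple(sorted(best))))
    return findings


def detect_local_pth(events):
    """Heuristic pass-the-hash indicator: NTLM network logon via NtLmSsp with
    KeyLength 0 to a *local* account (TargetDomainName equals the host name).
    Returns (host, user, source_ip) tuples in event order."""
    hits = []
    for e in events:
        if (e["LogonType"] == 3
                and e["AuthenticationPackageName"] == "NTLM"
                and e["LogonProcessName"] == "NtLmSsp"
                and e["KeyLength"] == 0
                and e["TargetDomainName"].upper() == e["host"].upper()):
            hits.append((e["host"], e["TargetUserName"], e["IpAddress"]))
    return hits


def local_accounts_reused(pth_hits):
    """Group PtH hits by account name; an account accepted on more than one host
    means the same local hash works across machines (no LAPS-style uniqueness)."""
    hosts_by_user = defaultdict(set)
    for host, user, _ in pth_hits:
        hosts_by_user[user.lower()].add(host)
    return {u: tuple(sorted(h)) for u, h in hosts_by_user.items() if len(h) > 1}


if __name__ == "__main__":
    for ip, user, hosts in detect_ntlm_spray(SAMPLE_EVENTS):
        print(f"[spray] {ip} as {user} reached {len(hosts)} hosts: {', '.join(hosts)}")
    pth = detect_local_pth(SAMPLE_EVENTS)
    for host, user, ip in pth:
        print(f"[pth?]  local account {host}\\{user} accepted over NTLM from {ip}")
    for user, hosts in local_accounts_reused(pth).items():
        print(f"[reuse] local hash for {user} valid on: {', '.join(hosts)}")
```

In a SIEM the same two rules would be expressed as a distinct-count of destination hosts per source and account over a ten-minute bucket, and as a field match on LogonType, AuthenticationPackageName, LogonProcessName and KeyLength; the per-account grouping in the last function is what turns individual hits into the "same local admin hash works everywhere" finding that motivates the LAPS recommendation above.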
