- March 6, 2021 at 1:19 pm #369898
Just a budding infosec student here with a few questions on attacking AD-based networks.
I’ve gained access to a large AD-based network. There is a small group of PCs that are exempted from a GPO that disables NBT-NS. Due to this, I was able to capture domain user hashes using Responder. However, none of them have local admin privileges and all of the local admin accounts use LAPS. Let’s also assume that all servers and PCs are up to date with patches.
I want to now gain escalated privileges, but I'm not sure how to proceed. I've been reading about a lot of attacks for moving laterally, but from what I understand, they require local admin privileges. For example, SMB Relay talks about jumping around through PCs and dumping stored hashes, but local admin privileges are needed to dump said hashes. The same goes for viewing tokens, etc.
So, can I do anything with these regular domain user hashes? How would I proceed from there? Any advice, direction toward specific attacks, or reading material is greatly appreciated.
* If a regular domain user is logged in and elevates privileges of a program with domain admin credentials, does that create and store a token? Does it leave behind anything of use?
* Among the domain user credentials captured with Responder, I captured a hash of a PC host. What is that about? i.e. Hostname1:092830498hash
Thank you for your time!