Questions on moving vertical movement in AD-based network – Digitalmunition


This topic contains 0 replies, has 1 voice, and was last updated by  anonymous 1 month, 2 weeks ago.


    Just a budding infosec student here with a few questions on attacking AD-based networks.

    Current scenario:
    I’ve gained access to a large AD-based network. There is a small group of PCs that are exempted from a GPO that disables NBT-NS. Due to this, I was able to capture domain user hashes using Responder. However, none of them have local admin privileges and all of the local admin accounts use LAPS. Let’s also assume that all servers and PCs are up to date with patches.

    I want to now gain escalated privileges, but I'm not sure how to proceed. I’ve been reading about a lot of attacks for moving laterally, but from what I understand, they require local admin privileges. For example, SMB Relay talks about jumping around through PCs and dumping stored hashes, but local admin privileges are needed to dump said hashes. The same goes for viewing tokens, etc.

    So, can I do anything with these regular domain user hashes? How would I proceed from there? Any advice, direction toward specific attacks, or reading material is greatly appreciated.

    Additional questions:

    * If a regular domain user is logged in and elevates privileges of a program with domain admin credentials, does that create and store a token? Does it leave behind anything of use?
    * Among the domain user credentials captured with Responder, I captured a hash of a PC host. What is that about? I.e., Hostname1:092830498hash

    Thank you for your time!
