Primary Content: Home

PrivEsc: Stealing Windows Access Tokens – Incognito

If an attacker is able to get SYSTEM level access to a workstation, for example by compromising a local administrator account, and a Domain Administrator account is logged in to that machine then it may be possible for the attacker to simply read the administrator’s access token in memory and steal it to allow them to impersonate that account. There’s a tool available to do this, it’s called Incognito.

Continue reading: PrivEsc: Stealing Windows Access Tokens – Incognito

Custom Rules for John the Ripper

Whilst Hashcat is often provable faster than John the Ripper, John is still my favourite. I find it simple to use, fast and the jumbo community patch (which I recommend highly) comes packed with hash types making it a versatile tool.

One of the features of these tools, which is often unknown or at least under appreciated is the ability to create custom “rules” for teaching the tool how to dynamically generate potential passwords. Since Microsoft implemented “Password Complexity” and this was enforced around the globe, user have made the jump from a password of: password, to the [sarcasm]much more secure[/sarcasm]: Password1.

Continue reading: Custom Rules for John the Ripper

Deploying: Microsoft’s Local Administrator Password Solution (LAPS)

A common and critical vulnerability exploited during penetration tests is that of reused Local Administrator passwords. This issue is a common one it allows an attacker to find a vulnerable machine on a network, pull the administrative hash out of that machine and then log-in to a more interesting machine or ultimately privilege escalate.

Continue reading: Deploying: Microsoft’s Local Administrator Password Solution (LAPS)

PrivEsc: Dumping Passwords in Plaintext – Mimikatz

A tool exists for dumping plaintext passwords out of memory on Windows, it requires Local Administrator level privileges but it’s a great tool for privilege escalation from Local Admin to Domain Admin. There are Windows EXEs available but it’s also been rolled into Meterpreter! It can also inject a hash into memory to effectively perform a local pass-the-hash attack! If you want to run it on a remote machine remember to check out this post on running remote commands on Windows machines.

Continue reading: PrivEsc: Dumping Passwords in Plaintext – Mimikatz