<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Password on CrimsonLabs</title><link>https://crimsonlabs.io/tags/password/</link><description>Recent content in Password on CrimsonLabs</description><generator>Hugo -- gohugo.io</generator><language>en</language><copyright>&lt;a href="https://crimsonlabs.io/attack-simulation/" target="_blank" rel="noopener">Attack Simulation&lt;/a></copyright><lastBuildDate>Sun, 23 Aug 2020 16:36:25 +0000</lastBuildDate><atom:link href="https://crimsonlabs.io/tags/password/index.xml" rel="self" type="application/rss+xml"/><item><title>Pass the Hash</title><link>https://crimsonlabs.io/posts/pass-the-hash/</link><pubDate>Sun, 23 Aug 2020 16:36:25 +0000</pubDate><guid>https://crimsonlabs.io/posts/pass-the-hash/</guid><description>Consider this:
Threat actor compromises your website running on IIS
Successfully elevates privileges to SYSTEM
A domain user with admin privileges logged in in the past and thus has their password hash saved on the local machine
Actor dumps SAM and LSA hashes, revealing usernames &amp;amp; password hashes (sometimes clear-text)
Usernames are checked against the domain for privileges, e.g. net user SomeUser /domain
After verifying the user is a Domain Admin, the actor can move laterally and authenticate to the Domain Controller machine without knowing the actual admin password
It’s a very straight-to-the-point scenario, and sometimes the attack route isn’t so direct.</description></item><item><title>Dumping Hashes</title><link>https://crimsonlabs.io/posts/dumping-hashes/</link><pubDate>Thu, 18 Jun 2020 06:08:00 +0000</pubDate><guid>https://crimsonlabs.io/posts/dumping-hashes/</guid><description>After getting admin access, one of the first things you should try is to extract password hashes. Having these at hand is pivotal in moving laterally in the network.
Sysinternals’ procdump can be used to take a memory dump of the lsass.exe process. Be careful, though: this has been known to trip Windows Defender. If you have fast enough fingers, you can copy the dump file before it gets deleted by Defender.</description></item></channel></rss>