Attackers mercilessly abuse misconfigurations and a lack of hardening of the Active Directory. The attacker quickly became a domain administrator.

IT security: Passwords and hashes – how attackers compromise the domain Via Windows services to the domain administrator On the hunt for additional users First collect and analyze, then attack Plain text is past Pass the Hash and Overpass the Hash Execute commands remotely I want all hashes: DCSync Conclusion Article in iX 11/2020 read This article describes the Active Directory (AD) How criminals and security testers profitably convert the treasures of data that they have accumulated while searching a domain (“enumeration”) into authentication material such as hashes and thus shimmy from user to user and in the network from computer to computer – to systems with the crown jewels the attacked organization. Short ways to the domain administrator are also presented.

The article on AD enumeration had shown how attackers spy out information about the domain environment in which they ended up by compromising a Windows system or a Linux server in the same network. Information disclosure such as passwords in user descriptions and techniques such as password spraying help them to work their way to the next systems in the AD.

However, if the initially affected users do not have elevated rights, intruders operate in the domain still with low privileges and cannot change their configuration immediately Incidentally, this does not mean that the all-clear can be given: If the user account initially affected is that of the research director, the intruders with their permissions immediately cracked the jackpot and can steal intellectual property. Likewise if the access of an accountant who can initiate transfers is compromised.

Access to all contents of heise + exclusive tests, advice & background: independent, critically sound c’t, iX, Technology Review, Mac & i, Make, c’t read photography directly in the browser register once – read on all devices – can be canceled monthly first month free, then monthly 9, 95 € Weekly newsletter with personal reading recommendations from the editor-in-chief Start FREE month Start your FREE month now Already subscribed to heise +?

Sign in and read Register now and read the article immediately More information about heise + IT security: Passwords and hashes – how attackers compromise the domain Via Windows services to the domain administrator On the hunt for additional users First collect and analyze, then attack Plain text is past Pass the Hash and Overpass the Hash Execute commands remotely I want all hashes: DCSync Conclusion Article in iX 11/2020 read