Pwning a Domain Joined PC in under a minute
Posted by Peter Bassill on 26/04/2017On of the biggest threats to the enterprise network is where an attack can gain physical access to a network connection. There is a small flaw in the way Microsoft perform Active Directory level authentication on a network. Where an attacker is able to gain an internal network connection, it is possible to perform a man in the middle attack on that authentication handshake and recover the NetNTLMv2 hash of the password.
Once a NetNTLMv2 hash is captured, it is a simple case of running the hash through a tool such as hashcat to turn the hash into a clear text password. While on a normal PC a standard 12 character password with upper case, lower case letters, numbers and special characters can take around 60 days to complete, a standard gaming laptop can do this in under 12 hours using it's GPU. Where an attacker has some money available, it is possible to do this in minutes by leverage the Amazon GPU clusters.
In this video, Peter, our CEO, demonstrates how to gain access to a domain joined PC and then spawn a reverse shell back to our command and control system.