Posts

Introduction If you feel like experimenting yourself, the NT hash dataset can be generated using this creatively-named script. In Part 1 we retrieved NTDS and in Part 2 we organised it using hash-organiser. We are now ready to move to the next part of the process: recovering hashes. Extract NTDS → Clean/Organise NTDS → Crack hashes → Generate stats. “Cracking hashes” sounds a bit abstract, so let’s try narrowing it down. At this stage, the goal is not to crack as many hashes as possible just because, but to identify weak passwords and patterns that represent real risk to the domain. ...

Introduction In Part 1, we talked about how we can extract credentials from NTDS using DCSync and VSS. Now, it is time to think about how to best handle the NTDS file. Extracting NTDS is typically the last step in a CTF, but it is just the first one here: Extract NTDS → Clean/Organise NTDS → Crack hashes → Generate stats. The good news is that this part is technically much simpler; no need to talk about weird acronyms, protocols, and methods. We just need to decide what we actually need from NTDS and extract it. ...

Introduction Although there are a few CAPE-related articles and videos out there, some can make the exam look scarier and more complicated than it actually is; they certainly had that effect for me! For instance, my biggest concern after reading them was evasion, as this is one of my weakest areas. In addition to that, I am working from a laptop with fairly limited resources, and let’s just say that installing Visual Studio and compiling stuff on it is not ideal. ...

Introduction This article is about pentesting, not red teaming. We are given a DA account to extract NTDS, we don’t need to be stealthy or anything of that sort. Therefore, OPSEC considerations out of scope. I recently went from just testing (close-to-zero-functionality) web apps and APIs to doing more varied stuff, including internal assessments. An internal test consists of many different parts, one of which is assessing the passwords used within the domain (what we call a password audit). ...