For this lab, you’ll need the environment from the last lab:
- Windows Server (Windows Defender Disabled)
- Windows 10 client
- Kali Linux
What we know so far:
- Windows credentials are stored in a hashed format.
- These hashes can be extracted in various ways from:
  - lsass.exe
  - The SAM database
- Once a malicious user has access to an NTLM hash or an LM:NTLM hash, that information can be used as if the user had the plaintext password, via a Pass-The-Hash attack.
Where we are headed:
- By default, in an Active Directory environment, when a user on one computer needs to access resources by logging in remotely to another computer, Windows will prefer to use the Kerberos process.
  - We’ll discuss this process in the next lab, not this one.
- If Kerberos is unavailable, by default, Windows will fall back to NTLMv2 authentication.
The purpose of this lab:
- Examine how NTLMv2 authentication is implemented and how it can be exploited by a user with Local Area Network access.
NETBIOS and the SMB protocol
- Windows nodes on a Local Area Network all have names mapped to the device’s IP address.
- The process by which Windows computers discover the IP address of another device on the network, given a hostname, is an essential component of Windows authentication.
- This is done through LLMNR (Link-Local Multicast Name Resolution).
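As an added illustration that is not part of the lab handout, the decoder below parses the LLMNR wire format (DNS-style header and question, UDP port 5355, multicast group 224.0.0.252) so that a monitoring script can log which names hosts are trying to resolve on the LAN. The query builder, the sample name "fileserver", and the describe() helper are constructed for this example.

```python
import struct

# LLMNR reuses the DNS message format (RFC 4795) over UDP, multicast to the
# group below; these two constants are the protocol's fixed values.
LLMNR_GROUP = "224.0.0.252"
LLMNR_PORT = 5355


def build_llmnr_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a standard LLMNR A-record query; used here only as constructed test input."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)  # flags=0, QDCOUNT=1
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_llmnr(packet: bytes) -> dict:
    """Decode the header and the single question section of an LLMNR datagram."""
    if len(packet) < 12:
        raise ValueError("too short for an LLMNR header")
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
    off, labels = 12, []
    while True:
        ln = packet[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:  # RFC 4795 does not allow name compression in the question
            raise ValueError("unexpected label compression")
        labels.append(packet[off:off + ln].decode("ascii"))
        off += ln
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "qdcount": qdcount, "ancount": ancount,
            "name": ".".join(labels), "qtype": qtype, "qclass": qclass}


def describe(packet: bytes) -> str:
    """One-line summary a monitoring script could log for each LLMNR datagram seen."""
    p = parse_llmnr(packet)
    kind = "RESPONSE" if p["is_response"] else "QUERY"
    return f"LLMNR {kind} id=0x{p['txid']:04x} name={p['name']} qtype={p['qtype']}"


if __name__ == "__main__":
    # Constructed sample: a client asking the LAN who "fileserver" is.
    print(describe(build_llmnr_query("fileserver")))
```

Any LLMNR response observed on a segment where the name being asked for should be resolvable through DNS is worth investigating, since it means some host on the LAN answered a multicast lookup in DNS's place.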
You must log into your Windows 10 client as the local Administrator.
- This will be the username you used when you first installed Windows.
- If you are using an iCSI Windows image, it is the student user.
Select ‘Other User’ at the bottom of the login screen and preface your local administrative username with .\\ as seen below.