
Lab 04 — Credential Theft & Pass-the-Hash

Hands-on lab

Setup

git clone https://github.com/plaintext-security/plaintext-labs
cd plaintext-labs/active-directory/04-credential-theft
make up      # start Samba4 DC + attacker container
make demo    # run secretsdump + pass-the-hash demo
make shell   # interactive shell
make down    # tear the lab down

Authorization: this lab environment is yours — attack it freely. The habit still matters everywhere else: only test systems you own or have explicit written permission to test (DVWA, PortSwigger Academy, targets you own).

Scenario

You have cracked svc-mssql's password from module 03 (or use jsmith:Welcome1! as your initial credential). Your goal: extract all NTLM hashes from the Corp domain and demonstrate that the Administrator NT hash allows interactive access to the DC without knowing the plaintext password.

Do

  1. [ ] Secretsdump the DC. Using a domain-admin credential, dump every domain credential. Read the output format and record the NT hash for Administrator, jsmith, and krbtgt.

  2. [ ] DCSync a single account. Pull just Administrator's hash by asking the DC to replicate it, rather than touching NTDS.dit. Which replication protocol does this ride on, and which event (and object GUID) would a defender watch for? Answer in your notes.

  3. [ ] Pass the hash with psexec. Take the Administrator NT hash from step 1 and authenticate to the DC with the hash alone — no plaintext. Confirm your privilege level on the resulting shell.

  4. [ ] Try smbexec for comparison. Get execution on the DC the same way but via smbexec. How does the shell quality differ from psexec, and how do the on-disk / service artefacts each technique leaves differ?

  5. [ ] Understand the hash chain. Draw the path: jsmith (foothold) → Kerberoast svc-mssql → crack → … → tallen (DA) → secretsdump DC → Administrator NT hash → PTH to DC SYSTEM. How many distinct credentials were involved, and how many were cracked vs replayed?

  6. [ ] Identify LAPS gaps. In data/corp-domain.md, LAPS covers IT computers but not Finance or HR workstations. What does cracking one Finance workstation's local admin password get an attacker, given that gap?

Success criteria — you're done when

  • [ ] You have extracted the NT hash for Administrator from the DC via secretsdump.
  • [ ] You have obtained a shell on the DC via pass-the-hash (psexec or smbexec).
  • [ ] You can name the Windows Event IDs generated by secretsdump (DCSync) and by psexec PTH.
  • [ ] You can explain when PTH fails (Kerberos-only environments, Protected Users group).

Deliverables

credential-theft-report.md — the credential extraction chain (no actual hashes — redact to first 8 chars), the PTH demonstration outcome, the event IDs generated, and your notes on what would have stopped each step. Commit it.

Automate & own it

Required. Write hash-chain.sh — a shell script that runs the secretsdump and psexec steps in sequence, capturing the output to a findings file. Have a model draft the script; you audit every command and add error handling (what should happen if the DC is unreachable? if the hash is wrong?). This simulates the automation an attacker would use to move quickly once they have domain admin. Commit it alongside your report.

AI acceleration

Paste the secretsdump output (with hashes redacted) into a model and ask it to identify the highest-risk accounts based on group membership and hash age. The model is good at parsing the output format — but verify its group membership claims against the LDAP output from module 02, since it can hallucinate AD membership.

Connects forward

The krbtgt hash you extracted is used to forge golden tickets in module 07. The detection patterns (Event 4662 for DCSync, Event 4624 Logon Type 3 for PTH) appear in the Sigma rules in module 09. The architectural fix (Credential Guard, tiered admin model) is covered in modules 10 and 11.
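The two detection patterns named above, as an added example (not code from the lab repo or from impacket): a small Python triage over constructed 4662 and 4624 events that flags DCSync-style replication by non-machine accounts and NTLM network logons, using the well-known replication access-right GUIDs. The event field names are an assumption that follows the Security log's EventData names.

```python
# Added example, not from the lab repo: toy detection logic for the two event
# patterns named above, run over constructed Security-log events (assumed
# EventData field names). Replication control-access-right GUIDs below are the
# well-known DS-Replication-Get-Changes / -Get-Changes-All values.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
}

def is_dcsync(event):
    """Event 4662: a non-machine account exercising a replication control
    access right (AccessMask 0x100) on the domain naming context."""
    if event.get("EventID") != 4662:
        return False
    props = event.get("Properties", "").lower()
    return (
        (int(event.get("AccessMask", "0"), 16) & 0x100) != 0
        and any(g in props for g in REPLICATION_GUIDS)
        and not event.get("SubjectUserName", "").endswith("$")  # DCs replicate
    )

def is_ntlm_network_logon(event):
    """Event 4624, Logon Type 3 over NTLM. Weak on its own: pass-the-hash
    looks like any other NTLM network logon, so baseline which accounts
    normally reach the DC this way and alert on the rest."""
    return (
        event.get("EventID") == 4624
        and event.get("LogonType") == "3"
        and event.get("AuthenticationPackageName", "").upper() == "NTLM"
    )

def triage(events):
    """Return (DCSync subjects, NTLM network-logon targets) for a batch."""
    dcsync = [e["SubjectUserName"] for e in events if is_dcsync(e)]
    ntlm = [e["TargetUserName"] for e in events if is_ntlm_network_logon(e)]
    return dcsync, ntlm

# Constructed sample batch: a DCSync by tallen, legitimate DC-to-DC
# replication, an NTLM network logon as Administrator, a Kerberos logon.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "tallen", "AccessMask": "0x100",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "DC02$", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4624, "LogonType": "3", "AuthenticationPackageName": "NTLM",
     "TargetUserName": "Administrator"},
    {"EventID": 4624, "LogonType": "3", "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "jsmith"},
]
```

Running `triage(SAMPLE_EVENTS)` yields `(['tallen'], ['Administrator'])`; the machine-account replication and the Kerberos logon are left alone.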

Marketable proof

"I extract and replay NTLM credentials across an Active Directory environment using impacket — secretsdump, DCSync, pass-the-hash — and map each step to the Windows event log artefacts that detection engineering needs."

Stretch

  • Research pass-the-ticket (T1550.003) — how does it differ from PTH? Use ticketer.py from impacket to create a ticket from the krbtgt hash you extracted (you'll use this again in module 07).
  • Look up how Credential Guard (virtualisation-based security) prevents credential dumping from LSASS. What credential types does it protect? What does it not protect (hint: Kerberos tickets, NTLM challenges, DPAPI keys)?
