Yesterday in the t3n chat, t3n talked about Windows Credentials Editor v1.2 (WCE), which not only dumps NTLM hashes but also performs pass-the-hash attacks, which can escalate to domain administrator privileges.
The parameters are as follows:
-l   List logon sessions and NTLM credentials (default).
-s   Changes the NTLM credentials of the current logon session.
     Parameters: <UserName>:<DomainName>:<LMHash>:<NTHash>.
-r   Lists logon sessions and NTLM credentials indefinitely.
     Refreshes every 5 seconds if new sessions are found.
     Optional: -r <refresh interval>.
-c   Run <cmd> in a new session with the specified NTLM credentials.
     Parameters: <cmd>.
-e   Lists logon sessions and NTLM credentials indefinitely.
     Refreshes every time a logon event occurs.
-o   Saves all output to a file.
     Parameters: <filename>.
-i   Specify a LUID instead of using the current logon session.
     Parameters: <luid>.
-d   Delete NTLM credentials from a logon session.
     Parameters: <luid>.
-v   Verbose output.
Now for a test: log on to the server, download WCE, and run "wce -l" to list the hashes of the users who have logged on.
In each line of the figure, the field between the username and the hashes (the fields are separated by colons) is the domain or computer name: the domain name here is BIGTH and the computer name is BKKWEB01.
Entries with BKKWEB01 are local users who have no domain permissions; entries with BIGTH are domain users who can log on to any host in the domain.
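As an added incident-response triage example (not from the original post or the WCE project), a small Python parser for credential lines in the format described above, which classifies each entry as local or domain by comparing its domain field with the computer name (BKKWEB01 versus BIGTH here) and flags what a responder wants to know: domain credentials exposed on a member server, machine accounts, and stored LM hashes. The sample lines and their hashes are constructed; the empty-LM-hash constant is a general fact, not a value from the post.

```python
import re
from dataclasses import dataclass

# Well-known LM hash of an empty/disabled LM password (general fact, not a value from the post).
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"
# One credential line in the format the post describes: <UserName>:<DomainName>:<LMHash>:<NTHash>
LINE_RE = re.compile(r"^(?P<user>[^:\s]+):(?P<domain>[^:\s]+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32})$", re.I)


@dataclass
class Entry:
    user: str
    domain: str
    scope: str          # "local" (domain field == computer name) or "domain"
    flags: tuple        # triage flags; empty when nothing needs attention


def triage(output: str, hostname: str, is_domain_controller: bool = False) -> list:
    """Parse WCE-style output captured on `hostname` and classify each credential line."""
    entries, seen = [], set()
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:                       # banner, headings and blank lines are skipped
            continue
        user, domain = m["user"], m["domain"]
        key = (user.lower(), domain.lower(), m["nt"].lower())
        if key in seen:                 # the same session is often listed more than once
            continue
        seen.add(key)
        scope = "local" if domain.lower() == hostname.lower() else "domain"
        flags = []
        if scope == "domain" and not is_domain_controller:
            flags.append("domain_cred_exposed_on_member")   # reusable on any host in the domain
        if user.endswith("$"):
            flags.append("machine_account")
        if m["lm"].lower() != EMPTY_LM_HASH:
            flags.append("lm_hash_present")                 # LM hashes are what rainbow tables crack fastest
        entries.append(Entry(user, domain, scope, tuple(flags)))
    return entries


# Constructed sample in the post's format (fake hashes, not real captured data).
SAMPLE_OUTPUT = """\
WCE v1.2 (constructed banner line, skipped by the parser)
svc_backup:BKKWEB01:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef
jdoe:BIGTH:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210
jdoe:BIGTH:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210
oldadmin:BIGTH:11111111111111111111111111111111:22222222222222222222222222222222
BKKWEB01$:BIGTH:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333
"""
```

Run `triage(SAMPLE_OUTPUT, "BKKWEB01")` to get the four deduplicated entries; every BIGTH entry on this member server is flagged as an exposed domain credential, which is exactly the condition the post goes on to exploit.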
After obtaining the domain user's hash, we cracked it with a rainbow-table tool; in about one minute the password came out. We then logged on to the domain controller and transferred the WCE binary over FTP.
Then "wce -l" was run there to obtain the hash of the domain administrator.
Checking in AD shows there are 349 hosts in this domain. If you wanted to take over the hosts, all of them could be taken...
Please forgive any mistakes and omissions...
This article is by "Vic".