Key Role of Windows Credentials Editor v1.2 (WCE) in the Penetration Process


Yesterday, in a chat, t3n talked about Windows Credentials Editor v1.2 (WCE), which not only captures hashes but can also carry out hash-injection attacks and escalate to domain administrator privileges.
The parameters are as follows:
-l  List logon sessions and NTLM credentials (default).
-s  Changes NTLM credentials of current logon session.
    Parameters: <UserName>:<DomainName>:<LMHash>:<NTHash>.
-r  Lists logon sessions and NTLM credentials indefinitely.
    Refreshes every 5 seconds if new sessions are found.
    Optional: -r <refresh interval>.
-c  Run <cmd> in a new session with the specified NTLM credentials.
    Parameters: <cmd>.
-e  Lists logon sessions NTLM credentials indefinitely.
    Refreshes every time a logon event occurs.
-o  saves all output to a file.
    Parameters: <filename>.
-i  Specify LUID instead of use current logon session.
    Parameters: <luid>.
-d  Delete NTLM credentials from logon session.
    Parameters: <luid>.
-v  verbose output.
Now for a test: log on to the server, download WCE, and run the command wce -l to list the hashes of the users who have logged on.

A note on the output: in the figure, the field between the colon after each user name and the colon before the hash is the domain name or the computer name. Here the domain name is "BIGTH", and BKKWEB01 is the name of the computer.
Users listed under BKKWEB01 are local users who do not have domain permissions. Users listed under BIGTH are domain users, who can log on to any host in the domain.
After obtaining the domain user's hash, we cracked it with a rainbow-table tool; the password came out in about one minute. We then logged on to the domain controller and transferred the WCE software to it over FTP.

Then wce -l was used to obtain the hash of the domain controller administrator.

A check in AD shows that there are 349 hosts in this domain. Anyone who wanted to take over hosts at this point could take over all of them...
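For defenders, the -s parameter format listed above (<UserName>:<DomainName>:<LMHash>:<NTHash>) is a usable detection signature in process-creation logs even when the binary has been renamed. The sketch below is an added example, not part of the original article or of WCE; the event field names (host, image, cmdline), account names, paths and hash values are constructed assumptions, shaped like records from command-line process auditing (for example Windows event 4688 or Sysmon event 1).

```python
import re

# -s parameter format from the option list: <UserName>:<DomainName>:<LMHash>:<NTHash>.
# LM and NT hashes are 16 bytes each, so 32 hex characters per field.
CRED_ARG = re.compile(
    r"""(?<![^\s"'])([^\s:"']+):([^\s:"']+):([0-9A-Fa-f]{32}):([0-9A-Fa-f]{32})(?![0-9A-Fa-f])"""
)

def redact(cmdline):
    """Keep user and domain, drop the hash material before it reaches an alert queue."""
    return CRED_ARG.sub(r"\1:\2:<LM redacted>:<NT redacted>", cmdline)

def scan(events):
    """Return one alert per suspicious process-creation event."""
    alerts = []
    for ev in events:
        image = ev["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        m = CRED_ARG.search(ev["cmdline"])
        if m:
            user, domain = m.group(1), m.group(2)
            # Domain field equal to the host name means a local account;
            # anything else is treated as a domain account (wider exposure).
            scope = "local" if domain.lower() == ev["host"].lower() else "domain"
            alerts.append({"host": ev["host"], "rule": "ntlm_hash_on_cmdline",
                           "severity": "high", "account": f"{domain}\\{user}",
                           "scope": scope, "cmdline": redact(ev["cmdline"])})
        elif image.startswith("wce"):
            # Name match only: a weak signal that disappears once the file is renamed.
            alerts.append({"host": ev["host"], "rule": "wce_image_name",
                           "severity": "medium", "account": None,
                           "scope": None, "cmdline": ev["cmdline"]})
    return alerts

# Constructed sample events; the hash values are placeholders, not real credentials.
LM, NT = "aa" * 16, "bb" * 16
SAMPLE = [
    {"host": "BKKWEB01", "image": r"C:\Users\Public\wce.exe", "cmdline": "wce.exe -l"},
    {"host": "BKKWEB01", "image": r"C:\Windows\Temp\svc.exe",
     "cmdline": f"svc.exe -s admin:BIGTH:{LM}:{NT} -c cmd.exe"},
    {"host": "BKKWEB01", "image": r"C:\Windows\Temp\svc.exe",
     "cmdline": f"svc.exe -s backup:BKKWEB01:{LM}:{NT}"},
    {"host": "BKKWEB01", "image": r"C:\Windows\System32\robocopy.exe",
     "cmdline": r"robocopy C:\src D:\dst /E"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

The hash-on-command-line rule only sees the -s style of use; listing credentials with -l carries no such argument, so that case rests on the weaker image-name rule here.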

Please forgive me for the mistakes and omissions...

This article is from "Vic"
