Crack Active Directory User NTLM hash
#6
(01-03-2020, 09:43 AM)DanielG Wrote: I don't get what your goal is here; any domain admin can change the password of the account, so that is your best option.
You don't need to crack the NTLM hash for most other 'less-ethical' use cases (using a pass-the-hash attack). The NTLM hash can be used to do a lot of things (for example, authenticate on those devices).

Anyway, if you have the current NTLM hash and want to change the password on the AD (and for some reason you are not an admin) use this:
https://blog.stealthbits.com/manipulatin...ChangeNTLM

You can use mimikatz to run the command lsadump::changentlm /server:that.ad.server.of.yours /user:co-worker /old:extracted.ntlm.from.ntds.dit /newpassword:TurboMatt from any connected computer (you can also do the same with DSInternals you already used).

But again, this is a weird story considering any administrator can change the account password.

I can absolutely understand you questioning the details. Let's assume there are 100 devices configured with LDAP authentication, all using the same service/user account for the LDAP bind. That account had its password changed by another admin. Half of the devices we were able to get onto to change the LDAP authentication configuration with the new password. For the other half we don't have physical access (another location), nor do we have the local admin credentials. They were domain authentication only, and now that they are trying to LDAP bind with the old password, they obviously won't authenticate.

My thinking was to crack the old NTLM hash, key it into AD, then quickly authenticate to the devices we are locked out of and reset the local account passwords. At that point, we would have local account access and would be able to correct the LDAP authentication on all the devices and within AD. As a note, I have no idea why this was initially configured this way, but it's the mess I have to figure out now.

I will look into the injection command you posted. From what I can tell, it will not allow me to reuse the old hash completely?
RE: Crack Active Directory User NTLM hash - by TurboMatt - 01-03-2020, 04:38 PM