Credential-based attacks are among the most effective techniques adversaries use to gain unauthorized access to networks. These attacks often exploit weak or misconfigured credentials, leading to privilege escalation and lateral movement across systems.
To proactively identify and address these risks, organizations are increasingly adopting automated penetration testing solutions to see the critical attack paths in their unique IT environment before a sophisticated attacker finds them. Tools like Picus Attack Path Validation (APV) emulate real-world adversarial behavior, simulating techniques such as credential access attacks in a safe, non-destructive way and demonstrating how easily credentials can be compromised if left unprotected.
In this blog, we’ll explore how Picus APV combines intelligent attack path mapping and automated pentesting to harvest credentials, perform offline password-cracking simulations that validate credential-related risks, and use the acquired credentials to move laterally toward your domain admin accounts. By uncovering weaknesses before attackers can exploit them, Picus APV helps organizations strengthen defenses and mitigate potential breaches.
Understanding What Happens After Credential Harvesting: Offline Password Cracking and Its Risk
Password harvesting is a technique attackers use to collect credentials, such as password hashes or plaintext passwords, through methods like phishing, malware, or abuse of specific protocol weaknesses. Credential cracking, on the other hand, is the process of recovering plaintext passwords from these harvested hashes. Together, these techniques represent a significant threat to organizations, as they can lead to unauthorized access, data breaches, and lateral movement within the network.
For the sake of this blog, we are going to focus on what happens after a credential harvesting technique called Kerberoasting. Kerberoasting is an attack that abuses a feature of the Kerberos authentication protocol, allowing attackers to extract password hashes for service accounts in Active Directory. These hashes can then be cracked offline to reveal the plaintext password, often leading to further network compromise.
The Lifecycle of Kerberoasting and Password Cracking
Attackers often follow a systematic flow: gaining initial access, conducting domain enumeration to identify targets, extracting ticket hashes via Kerberoasting, dumping credentials where possible, and ultimately cracking passwords.
- Domain Enumeration: Attackers perform domain enumeration to identify Service Principal Names (SPNs) associated with accounts in Active Directory. These SPNs can belong to either machine accounts or user accounts; however, attackers typically focus on user accounts because their passwords are often less complex than those of machine accounts.
- Kerberoasting: After identifying SPNs, attackers request Kerberos service tickets for these accounts. This process involves extracting the encrypted ticket data, which can later be cracked offline without alerting monitoring systems.
- Password Cracking: With the collected Kerberos ticket hashes, attackers employ password-cracking techniques, such as dictionary attacks or GPU-powered brute force, to derive plaintext passwords. Weak or easily guessable passwords are especially vulnerable during this phase.
Each step compounds the risk, enabling attackers to compromise sensitive systems, escalate privileges, and move laterally across the network.
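As an added illustration (not code from the Picus post or product), the following Python detector looks at the lifecycle above from the defender's side: it scans Windows Security event 4769 (Kerberos service ticket request) records for one requester asking for RC4-encrypted tickets to several user-account SPNs within a short window, which is the trace left by the enumeration and ticket-request steps. The event records, host names, user names and SPNs are constructed sample data modelled on the VALHALLA.CORP lab.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # 4769 TicketEncryptionType for RC4-HMAC, the type crackers prefer

# Constructed sample 4769 events in simplified dict form (field names follow the
# Windows Security event schema; hosts/users echo the post's VALHALLA.CORP lab).
SAMPLE_4769 = [
    {"time": "2024-05-01T10:00:01", "TargetUserName": "ardis.cassie@VALHALLA.CORP",
     "ServiceName": "diana.bird", "IpAddress": "10.0.0.16", "TicketEncryptionType": "0x17"},
    {"time": "2024-05-01T10:00:04", "TargetUserName": "ardis.cassie@VALHALLA.CORP",
     "ServiceName": "svc_sql", "IpAddress": "10.0.0.16", "TicketEncryptionType": "0x17"},
    {"time": "2024-05-01T10:00:05", "TargetUserName": "ardis.cassie@VALHALLA.CORP",
     "ServiceName": "WKSTN26$", "IpAddress": "10.0.0.16", "TicketEncryptionType": "0x17"},
    {"time": "2024-05-01T10:00:09", "TargetUserName": "ardis.cassie@VALHALLA.CORP",
     "ServiceName": "svc_http", "IpAddress": "10.0.0.16", "TicketEncryptionType": "0x17"},
    {"time": "2024-05-01T10:01:00", "TargetUserName": "cicely.llewellyn@VALHALLA.CORP",
     "ServiceName": "svc_http", "IpAddress": "10.0.0.26", "TicketEncryptionType": "0x12"},
    {"time": "2024-05-01T10:30:00", "TargetUserName": "ardis.cassie@VALHALLA.CORP",
     "ServiceName": "svc_ldap", "IpAddress": "10.0.0.16", "TicketEncryptionType": "0x17"},
]

def detect_kerberoasting(events, window=timedelta(minutes=5), min_spns=3):
    """Flag (requester, source IP) pairs that requested RC4-encrypted service
    tickets for >= min_spns distinct user-account SPNs inside one `window`.
    Machine accounts (names ending in '$') are skipped: their long random
    passwords are not what the attacker targets. Returns {pair: sorted SPNs}."""
    per_requester = defaultdict(list)
    for ev in events:
        if ev["TicketEncryptionType"] != RC4_HMAC or ev["ServiceName"].endswith("$"):
            continue  # AES tickets and machine-account SPNs are not Kerberoast signals
        key = (ev["TargetUserName"], ev["IpAddress"])
        per_requester[key].append((datetime.fromisoformat(ev["time"]), ev["ServiceName"]))

    findings = {}
    for key, reqs in per_requester.items():
        reqs.sort()  # chronological, so a window is a contiguous slice
        flagged = set()
        for i, (start, _) in enumerate(reqs):
            # every later request within `window` of this one belongs to the burst
            in_window = {spn for t, spn in reqs[i:] if t - start <= window}
            if len(in_window) >= min_spns:
                flagged |= in_window
        if flagged:
            findings[key] = sorted(flagged)
    return findings

if __name__ == "__main__":
    for (user, ip), spns in detect_kerberoasting(SAMPLE_4769).items():
        print(f"possible Kerberoasting by {user} from {ip}: {', '.join(spns)}")
```

On the sample data only the burst from WKSTN16 is reported; the AES request and the lone request half an hour later stay below the threshold.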
For a more detailed explanation, you can refer to Picus Security's blog post on Kerberoasting attacks.
Picus Attack Path Validation: Mimicking Sophisticated and Stealthy Adversarial Behaviour
Traditional automated penetration testing tools often employed a "spray and pray" approach. This meant they indiscriminately executed tests without regard for network strain or triggering defensive measures. Consequently, these tools failed to earn the trust of the market, as they lacked the precision and value offered by manual penetration testing engagements.
Picus Attack Path Validation (APV) has completely redefined this approach with its Picus Intelligent Adversary Decision Engine, powered by advanced AI technology. Unlike traditional tools, this engine emulates the strategic decision-making of a sophisticated adversary. At each stage of a mapped attack path, it identifies the stealthiest technique to progress to the next host, ensuring the simulation aligns with real-world attack scenarios.
To demonstrate its capabilities, we outline below how the platform conducts a comprehensive attack simulation:
Step-by-Step Case Study: Running an Automated Pentesting Simulation with Picus APV
Step 1: Choosing the Objective to Start the Assessment
Real-life adversaries always have an objective before starting their attack campaign. To mimic this and adopt the most realistic assumed-breach mindset, we start our process by defining the assessment objective—for instance, obtaining domain admin privileges.
For the sake of our assessment, we chose the domain admin objective.
Our assessment starts from an initial access point, such as the workstation of Ardis Cassie (WKSTN16.VALHALLA.CORP), and all available action modules are configured for the simulation. For instance, the attack actions under the “Credential Access” category are listed in the following figure.
Step 2: Information Gathering from the Target Domain
Picus APV collects data about the target domain. The platform identifies domain objects, enumerates user accounts, and maps relationships between endpoints. For example, during the initial domain enumeration, Picus APV discovers one server, one additional workstation (WKSTN26.VALHALLA.CORP), and four users, one of whom is a domain administrator.
Step 3: Kerberoasting and Offline Password Cracking
During the early enumeration stages, Picus APV identified a Kerberoastable account: VALHALLA.CORP\DIANA.BIRD.
Now that Picus APV has identified Diana Bird's user account as Kerberoastable, it leverages the Kerberoasting attack vector to acquire the encrypted service ticket associated with her account. The platform retrieves the hashed ticket of type krb5tgs and performs offline password cracking to uncover the plaintext password.
As shown in the screenshot, portions of the plaintext password are visible.
So far, to recap what has happened: Picus APV initially gained access to Workstation 16 through the ardis.cassie user account as a starting point. Next, it performed stealthy domain enumeration to identify and list Kerberoastable users, revealing that diana.bird’s account was one of them. By executing a Kerberoasting attack and cracking the encrypted service ticket, Picus APV successfully obtained the plaintext password for diana.bird.
Step 4: Privilege Escalation
As the user ardis.cassie, Picus APV executes a User Account Control (UAC) bypass technique on Workstation 16, elevating process integrity to enable privileged actions on the system. Elevated privileges are often necessary to execute advanced techniques such as credential access and lateral movement.
Step 5: Session Enumeration & Lateral Movement
After privilege escalation, session enumeration is performed. The gathered information shows Picus APV that the user Diana Bird has administrative privileges on Workstation 26.
Recall that the plaintext password of Diana Bird had already been recovered through offline password cracking.
Thus, the credentials of the user Diana Bird were used to access Workstation 26.
Step 6: Credential Dumping and Further Exploitation
During the Local Security Authority Subsystem Service (LSASS) credential dumping step, the MS-Cache hashed credential of the user Cicely Llewellyn was obtained.
Because MS-Cache hashed credentials cannot be used directly for authentication, the offline password cracking feature cracked the hash to retrieve the plaintext password (see the figure below).
MS-Cache hashes are the locally stored form of domain credentials, kept so that users can still authenticate when a domain controller is unreachable.
Step 7: Lateral Movement to a Server
One of the findings from the session enumeration steps was that the user Cicely Llewellyn has administrative privileges on Server 2 (SRV02.VALHALLA.CORP).
Thus, the credentials of the user Cicely Llewellyn were used to access SRV02.
To gather as much information as possible about users' privileges on different endpoints, Picus APV performs session enumeration after every new set of domain user credentials is obtained.
Step 8: Achieving the Objective with Picus APV
After laterally moving to Server02, the LSASS credential dumping technique revealed the NTLM hash of the user Derek Ortega, who has domain-level privileges in the target domain.
Thus, the assessment concluded successfully, having achieved its objective.
Key Takeaways from Credential-based Attacks with Picus Attack Path Validation
Building on the previous steps, the Picus APV simulation demonstrates how credential-based attacks unfold in a real-world scenario. In this section, we present an overview of the key takeaways from our automated pentesting simulation case study.
Key Takeaway 1: Kerberoastable User Accounts Pose a Serious Threat
Recall that after identifying Diana Bird's Kerberoastable account, Picus APV extracted her encrypted service ticket and cracked it offline to reveal the plaintext password (Step 3).
This plaintext password was then leveraged for lateral movement to another system (Step 5 - Workstation 26), showcasing how a single compromised credential can act as a gateway to further network exploitation.
Key Takeaway 2: Credential Dumping Attacks Result in Successful Lateral Movement
The MS-Cache hash of another user, Cicely Llewellyn, was subsequently dumped and cracked offline (Step 6). This revealed her plaintext credentials, enabling lateral movement to another system (Step 7 - Server 02).
Key Takeaway 3: Your Domain Admin Accounts Are at Risk of Credential Harvesting
From there, the simulation culminated in successfully capturing the domain admin user by dumping the NTLM hash for Derek Ortega (Step 8), demonstrating how attackers can escalate privileges to compromise the entire domain.
As the ultimate goal of our automated pentesting simulation was to achieve access to a domain admin account, the assessment successfully concludes at this stage.
Mapping Attack Paths: Visualization and Insights
Picus APV creates a detailed attack path map that illustrates the relationships between systems, users, and attack techniques. This visual representation allows security teams to:
- Trace the step-by-step actions taken during the simulation.
- Identify weak points, such as misconfigured permissions or reused credentials.
- Prioritize remediation efforts based on the most vulnerable areas.
Take Action Today
Credential harvesting and offline password cracking attacks are not just hypothetical; they are happening right now. Picus APV equips your organization with the tools to identify, validate, and mitigate these threats before they lead to a breach.
Picus APV doesn’t just identify vulnerabilities; it validates their exploitability. By simulating real-world attack paths, it provides a clear view of how adversaries could exploit your environment. The offline password-cracking capability is particularly vital, as it demonstrates how quickly and efficiently credentials can be compromised if left unprotected.
Request a Demo or Watch the Full Demonstration to see how Picus APV empowers proactive defense strategies.