As part of a red team exercise, gaining a foothold is a key step on the path to achieving control of Active Directory (AD). In this post I will talk about WPA2 Enterprise networks: how PEAP works, why many deployed PEAP networks are insecure, how to take advantage of this to gain access, and finally how to prevent it.
Leaking hashes is not new, but it is still possible mainly because the responsible feature is enabled by default. It stems from a design flaw in how Windows handles user authentication: to provide single sign-on, Windows will try to authenticate to each server with the user's credentials in the form of NTLM hashes. In this post I will explain which types of NTLM hashes exist, which ones are used for pass-the-hash, how to relay hashes, and some techniques to leak them.