Windows Lateral Movement Techniques
Pass the Hash (PtH) - Theory
As discussed in the previous sections, the attacker must have administrative privileges or particular privileges on the target machine to obtain a password hash. Hashes can be obtained in several ways, including:
Dumping the local SAM database from a compromised host.
Extracting hashes from the NTDS database (ntds.dit) on a Domain Controller.
Pulling the hashes from memory (lsass.exe).
Pass the Hash with Mimikatz (Windows)
The first tool we will use to perform a Pass the Hash attack is Mimikatz. Mimikatz has a module named sekurlsa::pth that allows us to perform a Pass the Hash attack by starting a process using the hash of the user's password. To use this module, we will need the following:
/user - The user name we want to impersonate.
/rc4 or /NTLM - NTLM hash of the user's password.
/domain - Domain the user to impersonate belongs to. In the case of a local user account, we can use the computer name, localhost, or a dot (.).
/run - The program we want to run with the user's context (if not specified, it will launch cmd.exe).
Pass the Hash from Windows Using Mimikatz
c:\tools> mimikatz.exe privilege::debug "sekurlsa::pth /user:julio /rc4:64F12CDDAA88057E06A81B54E73B949B /domain:inlanefreight.htb /run:cmd.exe" exit
user : julio
domain : inlanefreight.htb
program : cmd.exe
impers. : no
NTLM : 64F12CDDAA88057E06A81B54E73B949B
| PID 8404
| TID 4268
| LSA Process was already R/W
| LUID 0 ; 5218172 (00000000:004f9f7c)
\_ msv1_0 - data copy @ 0000028FC91AB510 : OK !
\_ kerberos - data copy @ 0000028FC964F288
\_ des_cbc_md4 -> null
\_ des_cbc_md4 OK
\_ des_cbc_md4 OK
\_ des_cbc_md4 OK
\_ des_cbc_md4 OK
\_ des_cbc_md4 OK
\_ des_cbc_md4 OK
\_ *Password replace @ 0000028FC9673AE8 (32) -> null

Now we can use cmd.exe to execute commands in the user's context. For this example, julio can connect to a shared folder named julio on the DC.

Pass the Hash with PowerShell Invoke-TheHash (Windows)
For this example we will use the user julio and the hash 64F12CDDAA88057E06A81B54E73B949B.
When using Invoke-TheHash, we have two options: SMB or WMI command execution. To use this tool, we need to specify the following parameters to execute commands in the target computer:
Target - Hostname or IP address of the target.
Username - Username to use for authentication.
Domain - Domain to use for authentication. This parameter is unnecessary with local accounts or when using the @domain after the username.
Hash - NTLM password hash for authentication. This function will accept either LM:NTLM or NTLM format.
Command - Command to execute on the target. If a command is not specified, the function will check to see if the username and hash have access to WMI on the target.
Invoke-TheHash with SMB
We can also get a reverse shell connection on the target machine. If you are unfamiliar with reverse shells, review the Shells & Payloads module on HTB Academy.
To get a reverse shell, we need to start our listener using Netcat on our Windows machine, which has the IP address 172.16.1.5. We will use port 8001 to wait for the connection.
Netcat listener
To create a simple reverse shell using PowerShell, we can visit revshells.com, set our IP 172.16.1.5 and port 8001, and select the option PowerShell #3 (Base64), as shown in the following image.

Now we can execute Invoke-TheHash to run our PowerShell reverse shell script on the target computer. Notice that instead of providing the IP address, which is 172.16.1.10, we will use the machine name DC01 (either would work).
Invoke-TheHash with WMI
The result is a reverse shell connection from the DC01 host (172.16.1.10).

Pass the Hash with Impacket (Linux)
Impacket has several tools we can use for different operations such as command execution, credential dumping, enumeration, etc. For this example, we will perform command execution on the target machine using PsExec.
Pass the Hash with Impacket PsExec
There are several other tools in the Impacket toolkit we can use for command execution using Pass the Hash attacks, such as:
Pass the Hash with NetExec (Linux)
NetExec is a post-exploitation tool that helps automate assessing the security of large Active Directory networks. We can use NetExec to try to authenticate to some or all hosts in a network looking for one host where we can authenticate successfully as a local admin. This method is also called "Password Spraying" and is covered in-depth in the Active Directory Enumeration & Attacks module. Note that this method can lock out domain accounts, so keep the target domain's account lockout policy in mind and make sure to use the local account method, which will try just one login attempt on a host in a given range using the credentials provided if that is your intent.
If we want to perform the same actions but attempt to authenticate to each host in a subnet using the local administrator password hash, we could add --local-auth to our command. This method is helpful if we obtain a local administrator hash by dumping the local SAM database on one host and want to check how many (if any) other hosts we can access due to local admin password re-use. If we see Pwn3d!, it means that the user is a local administrator on the target computer. We can use the option -x to execute commands. It is common to see password reuse against many hosts in the same subnet. Organizations will often use gold images with the same local admin password or set this password the same across multiple hosts for ease of administration. If we run into this issue on a real-world engagement, a great recommendation for the customer is to implement the Local Administrator Password Solution (LAPS), which randomizes the local administrator password and can be configured to have it rotate on a fixed interval.
NetExec - Command Execution
Review the NetExec documentation Wiki to learn more about the tool's extensive features.
Pass the Hash with evil-winrm (Linux)
Evil-WinRM is another tool we can use to authenticate using the Pass the Hash attack with PowerShell remoting. If SMB is blocked or we don't have administrative rights, we can use this alternative protocol to connect to the target machine.
Pass the Hash with evil-winrm
Note: When using a domain account, we need to include the domain name, for example: administrator@inlanefreight.htb
Pass the Hash with RDP (Linux)
We can perform an RDP PtH attack to gain GUI access to the target system using tools like xfreerdp.
There are a few caveats to this attack:
Restricted Admin Mode, which is disabled by default, should be enabled on the target host; otherwise, you will be presented with the following error:

This can be enabled by adding a new registry value DisableRestrictedAdmin (REG_DWORD) under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa with the value of 0. It can be done using the following command:
Enable Restricted Admin Mode to allow PtH

Once the registry key is added, we can use xfreerdp with the option /pth to gain RDP access:
Pass the Hash using RDP

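Checking for the condition this section describes across a fleet is the defender's counterpart to it. The block below is an added example, not part of the original notes or of xfreerdp: it parses the output of reg query HKLM\System\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin collected from each host (the output strings here are constructed samples in reg.exe's format) and classifies each host as Restricted Admin enabled (value present and 0, the state PtH over RDP needs), disabled (value present and non-zero), or absent (the Windows default, where the value does not exist). The host names are assumptions.

```python
import re

REG_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa"
VALUE_NAME = "DisableRestrictedAdmin"

# Matches the value line printed by `reg query <key> /v DisableRestrictedAdmin`,
# e.g. "    DisableRestrictedAdmin    REG_DWORD    0x0"
_VALUE_LINE = re.compile(
    rf"^\s*{VALUE_NAME}\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def restricted_admin_state(reg_query_output: str) -> str:
    """Classify one host from its reg query output.

    'enabled'  -> value present and 0: Restricted Admin mode on, RDP with /pth works
    'disabled' -> value present and non-zero
    'absent'   -> value missing (Windows default): Restricted Admin mode off
    """
    match = _VALUE_LINE.search(reg_query_output)
    if match is None:
        return "absent"
    return "enabled" if int(match.group(1), 16) == 0 else "disabled"


def audit(outputs_by_host: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts by state so the 'enabled' list can be reviewed against policy."""
    report = {"enabled": [], "disabled": [], "absent": []}
    for host in sorted(outputs_by_host):
        report[restricted_admin_state(outputs_by_host[host])].append(host)
    return report


# Constructed sample outputs in reg.exe's format (CRLF line endings, as reg.exe prints).
SAMPLE_OUTPUTS = {
    "MS01": f"\r\n{REG_KEY}\r\n    {VALUE_NAME}    REG_DWORD    0x0\r\n\r\n",
    "WS01": f"\r\n{REG_KEY}\r\n    {VALUE_NAME}    REG_DWORD    0x1\r\n\r\n",
    "WS02": "\r\nERROR: The system was unable to find the specified registry key or value.\r\n",
}

if __name__ == "__main__":
    for state, hosts in audit(SAMPLE_OUTPUTS).items():
        print(f"{state:8s} {', '.join(hosts) or '-'}")
```

Restricted Admin mode is a trade-off rather than a plain misconfiguration: with the value set to 0 an RDP session can be opened with the hash alone, but the same mode also keeps the user's credentials off the RDP target. An "enabled" result is therefore something to review against the organisation's policy, not automatically a finding.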
Lab - Questions
Authenticate to 10.129.63.49 (ACADEMY-PWATTACKS-LM-MS01) with user "Administrator" and password "30B3783CE2ABF1AF70F77D0660CF3453"
Access the target machine using any Pass-the-Hash tool. Submit the contents of the file located at C:\pth.txt.
Firstly, I confirm that the user is an administrator, and before that, confirm that I can connect to it via RDP -->
Once we confirm that the credentials are valid, proceed to connect via RDP -->

FUCK! We need to change the restricted admin permissions, so... use netexec to execute this command -->

And now... try to connect again. Once we connect to the machine, search for the pth.txt file -->

Try to connect via RDP using the Administrator hash. What is the name of the registry value that must be set to 0 for PTH over RDP to work? Change the registry key value and connect using the hash with RDP. Submit the name of the registry value name as the answer.
DisableRestrictedAdmin
Connect via RDP and use Mimikatz located in c:\tools to extract the hashes presented in the current session. What is the NTLM/RC4 hash of David's account?
For this, we need to get the password or hash of the david user, so... try to get LSA and obtain the password in plaintext.

Now, with the administrator, use mimikatz to get the NTLM/RC4 hash of david
Using David's hash, perform a Pass the Hash attack to connect to the shared folder \\DC01\david and read the file david.txt.
And then, in the cmd, search for the folder -->

Using Julio's hash, perform a Pass the Hash attack to connect to the shared folder \\DC01\julio and read the file julio.txt.
Do the same as in the previous question: get the NTLM of the julio user and get a cmd -->
Using Julio's hash, perform a Pass the Hash attack, launch a PowerShell console and import Invoke-TheHash to create a reverse shell to the machine you are connected via RDP (the target machine, DC01, can only connect to MS01). Use the tool nc.exe located in c:\tools to listen for the reverse shell. Once connected to the DC01, read the flag in C:\julio\flag.txt.
I'll open two PowerShells as Administrator: one will run Invoke-TheHash and the other one will run Netcat:
First command prompt:
Second command prompt:
To get the execution command, I'll use https://www.revshells.com/