Module 05

Win Attack LAB: Lateral Movement with Pass the hash

1. Introduction

In the previous exercises, we were able to gain local administrative privileges on the Windows 10 client and subsequently dump all credentials stored on this machine. The collected data contained - amongst others - the NTLM hash of the domain user "aalfort", who is local admin to the machine FS1.winattacklab.local.

There are multiple tools that can perform pass-the-hash attacks, both for Windows and Linux. In our case, we are going to use a python implementation which is part of the Impacket collection, called "psexec.py".

This tool is already pre-installed in /usr/local/bin/ on your Linux attack host within the Windows attack lab. It is also included in the path variable, which means you can simply type psexec.py in the terminal to run the program:

psexec.py

2. Pass the hash

With the collected hash from the previous exercise we can now perform the pass-the-hash attack to connect to FS1.winattacklab.local as user aalfort:

psexec.py -hashes :9859340265d3b3c1eb628ece70ebc238 winattacklab.local/aalfort@10.0.1.101

You might expect to see aalfort here, but instead it says we are running as nt authority\system. In this case, psexec.py automatically upgraded our shell to the highest-possible privileges you can have on a Windows system.

We now have successfully moved to the host FS1.winattacklab.local as user aalfort, who is local admin on this machine. This means we have full control over it and can therefore mark it as "owned" in Bloodhound:

Don't forget to check for possible paths to the domain admins, given the updated situation.

3. Questions

1. Where did you get the NTLM hash of user Aalfort from?

2. How does psexec execute your commands on the remote machine (under-the-hood)?

3. How does psexec authenticate against the remote machine?

4. Why can Impacket’s psexec.py elevate the remote process and get System without UAC prompt?

5. Does PsExec pass the hash?

6. What is the next logical step in your attack?

4. Answers

1. Because Aalfort has a active session on CLIENT1 we could dump the NTLM hash from there (LSASS on CLIENT1).

2. PSExec has a Windows Service image inside of its executable. It takes this service and deploys it to the Admin$ share on the remote machine. It then uses the DCE/RPC interface over SMB to access the Windows Service Control Manager API. It turns on the PSExec service on the remote machine. The PSExec service then creates a named pipe that can be used to send commands to the system.

3. The Admin$ share must be available and accessible. It is a hidden SMB share that maps to the Windows directory is intended for software deployments. The credentials supplied to the PSExec utility must have permissions to access the Admin$ share. These requirements are given through:

• Executed with Aalfort NTLM hash (Aalfort is in FS1ADMINS)

4. PSexec.py creates first a system service. With this service the uploaded executable is executed without UAC

5. If this question is related to PSexec.py then the PTH was successful.

6. Perform an analsysis (stored user/passwords, files, credential dumping) on FS1 and verify if there exist further users with domain admin rights. Requirements:

• PTH to FS1

• tools available on FS1

Challanges:

• copy the tools(Mimikatz or PowerSploit) to FS1