CAS Cybersecurity
Module 05

Last updated 3 years ago

Win Attack LAB: Lateral Movement with Pass the hash

1. Introduction

In the previous exercises, we were able to gain local administrative privileges on the Windows 10 client and subsequently dump all credentials stored on this machine. The collected data contained, amongst others, the NTLM hash of the domain user "aalfort", who is a local admin on the machine FS1.winattacklab.local.

There are multiple tools that can perform pass-the-hash attacks, both for Windows and Linux. In our case, we are going to use a Python implementation that is part of the Impacket collection, called "psexec.py".

This tool is already pre-installed in /usr/local/bin/ on your Linux attack host within the Windows attack lab. That directory is also included in the PATH variable, which means you can simply type psexec.py in the terminal to run the program:

psexec.py

2. Pass the hash

With the collected hash from the previous exercise we can now perform the pass-the-hash attack to connect to FS1.winattacklab.local as user aalfort:

psexec.py -hashes :9859340265d3b3c1eb628ece70ebc238 winattacklab.local/aalfort@10.0.1.101

You might expect to see aalfort here, but instead the shell reports that we are running as nt authority\system. psexec.py automatically upgraded our shell to the highest possible privilege level on a Windows system.

We have now successfully moved to the host FS1.winattacklab.local as user aalfort, who is a local admin on this machine. This means we have full control over it and can therefore mark it as "owned" in BloodHound.

Don't forget to check for possible paths to the domain admins, given the updated situation.

3. Questions

  1. Where did you get the NTLM hash of user aalfort from?

  2. How does PsExec execute your commands on the remote machine (under the hood)?

  3. How does psexec authenticate against the remote machine?

  4. Why can Impacket’s psexec.py elevate the remote process and get System without UAC prompt?

  5. Does PsExec pass the hash?

  6. What is the next logical step in your attack?

4. Answers

  1. Because aalfort has an active session on CLIENT1, we could dump the NTLM hash from there (LSASS on CLIENT1).

  2. PsExec carries a Windows service executable embedded in its own binary. It copies this service binary to the ADMIN$ share of the remote machine, then uses the DCE/RPC interface over SMB to reach the Windows Service Control Manager API and starts the PsExec service on the remote machine. The running PsExec service creates a named pipe through which commands are sent to the system.

  3. The ADMIN$ share must be available and accessible. It is a hidden SMB share that maps to the Windows directory and is intended for software deployments. The credentials supplied to the PsExec utility must have permission to access the ADMIN$ share. These requirements are met because:

  • the tool is executed with aalfort's NTLM hash, and aalfort is a member of FS1ADMINS.

  4. psexec.py first creates a system service. The uploaded executable is run through this service, which runs as SYSTEM, so no UAC prompt appears.

  5. If this question refers to psexec.py, then yes: the pass-the-hash attack was successful.

  6. Perform an analysis on FS1 (stored users/passwords, files, credential dumping) and check whether there are further users with domain admin rights. Requirements:

  • PTH to FS1

  • tools available on FS1

Challenges:

  • copy the tools (Mimikatz or PowerSploit) to FS1
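The mechanism described in answers 2 to 4 leaves a recognisable trail on the target host: a network logon authenticated with NTLM (Security event 4624, LogonType 3), a file written to the ADMIN$ share (Security event 5145) and a new service installed whose image is that file (System event 7045). The script below is an added defender-side example, not part of the lab material or of Impacket: it correlates these three artefacts inside a short time window, keyed on the source address and linking the service image name to the file dropped on ADMIN$. The event records are constructed sample data in a simplified dict form (the field names are the EventData names Windows uses for these events; the source IP 10.0.1.50, the service name and the binary name are invented, and the 60-second window is an assumption to tune for your environment).

```python
from datetime import datetime, timedelta

# Correlation window: the logon, the ADMIN$ write and the service install of one
# remote-service execution normally land within seconds (assumed, tunable).
WINDOW = timedelta(seconds=60)

# Constructed sample events, not real lab logs. Source IP, service name and
# binary name are invented; psexec.py randomises the latter two, so the
# detection keys on the pattern, not on fixed names.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T10:00:01", "log": "Security", "id": 4624,
     "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "aalfort", "IpAddress": "10.0.1.50"},
    {"ts": "2024-01-10T10:00:02", "log": "Security", "id": 5145,
     "ShareName": "\\\\*\\ADMIN$", "RelativeTargetName": "xkqw.exe",
     "AccessMask": "0x2", "SubjectUserName": "aalfort", "IpAddress": "10.0.1.50"},
    {"ts": "2024-01-10T10:00:03", "log": "System", "id": 7045,
     "ServiceName": "xkqw", "ImagePath": "%SystemRoot%\\xkqw.exe"},
    # Benign noise: a console Kerberos logon and a read on an ordinary data share.
    {"ts": "2024-01-10T10:05:00", "log": "Security", "id": 4624,
     "LogonType": 2, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "jdoe", "IpAddress": "127.0.0.1"},
    {"ts": "2024-01-10T10:05:05", "log": "Security", "id": 5145,
     "ShareName": "\\\\*\\Data", "RelativeTargetName": "report.docx",
     "AccessMask": "0x1", "SubjectUserName": "jdoe", "IpAddress": "10.0.1.77"},
]


def _t(ev):
    return datetime.fromisoformat(ev["ts"])


def _basename(path):
    """Last path component, lower-cased, so %SystemRoot%\\x.exe matches x.exe."""
    return path.replace("/", "\\").split("\\")[-1].strip('"').lower()


def find_remote_service_exec(events, window=WINDOW):
    """Return one finding per NTLM network logon that is followed, within
    `window`, by a write to ADMIN$ from the same source address and by a
    service install whose image is the file that was written."""
    events = sorted(events, key=_t)
    findings = []
    for i, logon in enumerate(events):
        if not (logon["id"] == 4624 and logon.get("LogonType") == 3
                and logon.get("AuthenticationPackageName") == "NTLM"):
            continue
        deadline = _t(logon) + window
        src, user = logon["IpAddress"], logon["TargetUserName"].lower()
        dropped = []  # file names written to ADMIN$ by this source
        for ev in events[i + 1:]:
            if _t(ev) > deadline:
                break
            if (ev["id"] == 5145
                    and ev.get("ShareName", "").upper().endswith("ADMIN$")
                    and int(ev.get("AccessMask", "0x0"), 16) & 0x2  # WriteData bit
                    and ev.get("IpAddress") == src):
                dropped.append(_basename(ev["RelativeTargetName"]))
            elif ev["id"] == 7045 and _basename(ev.get("ImagePath", "")) in dropped:
                findings.append({"source_ip": src, "account": user,
                                 "service": ev["ServiceName"],
                                 "binary": _basename(ev["ImagePath"]),
                                 "first_seen": logon["ts"]})
                break
    return findings


if __name__ == "__main__":
    for finding in find_remote_service_exec(SAMPLE_EVENTS):
        print("remote service execution after NTLM network logon:", finding)
```

Event 5145 is only written when object access auditing for file shares is enabled, and 7045 requires nothing beyond the default System log, so on a host without share auditing the logon-plus-service-install pair is the fallback signal; the binary-name link between 5145 and 7045 is what keeps the rule quiet on legitimate software deployments that use ADMIN$ without registering a service.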