Module 08

Win Attack LAB: Lateral movement to WS1

1. Introduction

In this challenge we abuse the previously recovered credentials to move laterally through the network to the host WS1.

2. Using psexec.py

Previously, we already used the tool psexec.py from the Impacket collection to move laterally by performing a pass-the-hash attack.

We can now use the same tool but instead provide the cleartext credentials to connect to WS1 (IP 10.0.1.103).

Type the following command on your Linux attack host:

psexec.py winattacklab.local/cclear:Winter2019@10.0.1.103

3. Using smbclient.py

A better, less "intrusive" way to verify the credentials we found is to use the SMB protocol directly against WS1, specifically with the tool smbclient.py from the Impacket collection.

To do this, run smbclient.py from your Linux attack host:

smbclient.py 'winattacklab.local/cclear:Winter2019@10.0.1.103'

As this mimics a regular SMB connection, nothing unusual will pop up on WS1, and the goal of verifying the credentials is still achieved!

4. Update Bloodhound

Search for the object "WS1@WINATTACKLAB.LOCAL" in Bloodhound and mark it as "owned":

In the previous challenge we already discovered an attack path which might lead us to a domain admin. If we check it again, we can now see that we have actually progressed along this path (query "Shortest Paths to Domain Admins from Owned Principals"):

5. Optional: credential verification

A very powerful tool to perform credential verification against one or more targets is CrackMapExec.

This tool allows you to easily test (multiple sets of) credentials against a single host, target lists, IP ranges or even whole subnets. It supports multiple protocols such as SSH, SMB, WinRM, LDAP, etc. Furthermore, it can automatically run commands on systems where a login succeeded.

For now, however, we will focus only on credential verification. CrackMapExec is already pre-installed on your machine and can be started by typing crackmapexec on your Linux attack host.

To verify the credentials of cclear we can execute the command below against the domain controller:

crackmapexec smb 10.0.1.100 -u cclear -d winattacklab.local -p Winter2019

As already mentioned, CrackMapExec can also be used to test a login against multiple systems. For our setup, we can test against all machines in our subnet with the following command:

crackmapexec smb 10.0.1.0/24 -u cclear -d winattacklab.local -p Winter2019

Note: As we are testing with a domain account, we should get a valid verification for all domain-joined systems. However, as you can see in the output below, one entry is additionally marked with (Pwn3d!):

This indicates that our provided user has local administrative privileges on that system!

6. Questions

  1. Why is the lateral movement technique with psexec easily detected?

  2. Does a psexec alert always indicate bad behavior?

  3. Why is SMB access via smbclient.py not detected?

  4. What is the next step to become domain admin?

7. Answers

  1. Several artifacts of psexec activity can be detected:

  • PsExec activity always involves remote service creation.

  • Configurable service names and named pipes.

  • Multiple Logon and Special Logon Event IDs generated in the Windows Security log.

  • Event ID 7045 will contain the name of the executable uploaded by psexec.py and the service that was started.

  2. No. PsExec and other tools (Sysinternals, etc.) are also used for legitimate operations and management tasks. Detection should therefore take other events and indicators into account as well.

  3. The performed SMB access is a legitimate action on a Windows system and is not considered malicious.

  4. With cclear's access to WS1 and FFAST's session on WS1, we should be able to gather FFAST's credentials.
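As an added example (not part of the original lab material), the following Python script shows what a defender would look for in Windows event logs to tell the three activities from this lab apart: the psexec.py session (network logon 4624, special logon 4672, share access 5140 and then a 7045 service install), the smbclient.py session (logon and share access but no 7045), and the CrackMapExec subnet check from section 5 (one source address logging on to many hosts within seconds). The event records, host names, IP addresses and service/executable names are constructed for this example; the field names are simplified, not the raw EVTX XML.

```python
"""Detection logic for the behaviours discussed in this lab, run over
constructed Windows event records: PsExec-style remote service creation
(answers 1-3) and one credential being tried against many hosts (section 5).
Record fields are simplified for the example; real EVTX records carry them
as XML EventData."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hosts, IPs, service and image names are made up):
#  - 10:00  network logon + special logon + ADMIN$ access + 7045 on WS1 (PsExec-style)
#  - 10:05  network logon + C$ access on WS1 with no service install (plain SMB)
#  - 10:10  one source reaching four hosts within two seconds (credential check)
SAMPLE_EVENTS = r"""
{"ts": "2019-12-01T10:00:01", "host": "WS1", "id": 4624, "user": "cclear", "src": "10.0.1.50", "logon_type": 3}
{"ts": "2019-12-01T10:00:01", "host": "WS1", "id": 4672, "user": "cclear"}
{"ts": "2019-12-01T10:00:02", "host": "WS1", "id": 5140, "user": "cclear", "src": "10.0.1.50", "share": "ADMIN$"}
{"ts": "2019-12-01T10:00:03", "host": "WS1", "id": 7045, "service": "EXAMPLESVC", "image": "C:\\Windows\\EXAMPLE.exe"}
{"ts": "2019-12-01T10:05:00", "host": "WS1", "id": 4624, "user": "cclear", "src": "10.0.1.50", "logon_type": 3}
{"ts": "2019-12-01T10:05:01", "host": "WS1", "id": 5140, "user": "cclear", "src": "10.0.1.50", "share": "C$"}
{"ts": "2019-12-01T10:10:00", "host": "DC1", "id": 4624, "user": "cclear", "src": "10.0.1.50", "logon_type": 3}
{"ts": "2019-12-01T10:10:01", "host": "WS1", "id": 4624, "user": "cclear", "src": "10.0.1.50", "logon_type": 3}
{"ts": "2019-12-01T10:10:01", "host": "WS2", "id": 4624, "user": "cclear", "src": "10.0.1.50", "logon_type": 3}
{"ts": "2019-12-01T10:10:02", "host": "SRV1", "id": 4625, "user": "cclear", "src": "10.0.1.50", "logon_type": 3}
"""


def parse_events(text):
    """Parse one JSON record per line into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_remote_service_creation(events, window=timedelta(seconds=60)):
    """Flag a 7045 (new service installed) that follows a network logon
    (4624, logon type 3) on the same host within `window`.  Plain SMB file
    access produces the logon and 5140 share events but never a 7045, so the
    smbclient.py session in the sample is not flagged by this rule."""
    hits = []
    for ev in events:
        if ev["id"] != 7045:
            continue
        for prior in events:
            if (prior["id"] == 4624 and prior.get("logon_type") == 3
                    and prior["host"] == ev["host"]
                    and timedelta(0) <= ev["ts"] - prior["ts"] <= window):
                # A 4672 for the same user on that host shows the logon
                # carried admin privileges (needed to install a service).
                special = any(p["id"] == 4672 and p["host"] == ev["host"]
                              and p.get("user") == prior["user"]
                              and timedelta(0) <= ev["ts"] - p["ts"] <= window
                              for p in events)
                hits.append({"host": ev["host"], "user": prior["user"],
                             "src": prior["src"], "service": ev["service"],
                             "image": ev["image"], "special_logon": special})
                break
    return hits


def detect_multi_host_logons(events, window=timedelta(seconds=30), min_hosts=3):
    """Flag one source address whose network logon attempts (4624 or 4625)
    reach at least `min_hosts` distinct hosts inside `window`: the footprint
    of a credential being tested across a subnet."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["id"] in (4624, 4625) and ev.get("logon_type") == 3:
            by_src[ev["src"]].append(ev)
    hits = []
    for src, evs in by_src.items():
        for i, first in enumerate(evs):
            hosts = {e["host"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(hosts) >= min_hosts:
                hits.append({"src": src, "user": first["user"],
                             "hosts": sorted(hosts), "start": first["ts"]})
                break
    return hits


def analyse(text):
    """Run both detections over a JSON-lines event dump and return the findings."""
    events = parse_events(text)
    return {"remote_service_creation": detect_remote_service_creation(events),
            "multi_host_logons": detect_multi_host_logons(events)}


if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_EVENTS).items():
        print(kind)
        for hit in hits:
            print("  ", hit)
```

Running the script reports exactly one remote service creation (the 10:00 session on WS1, with a special logon for cclear) and one multi-host burst from 10.0.1.50 at 10:10; the 10:05 share access is not reported by either rule, which is the point behind answer 3. The thresholds and windows are tuning parameters: the same correlation applied to real Security and System logs needs baselining against legitimate administration (answer 2).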
