CAS Cybersecurity
Module 08

Last updated 3 years ago

Win Attack LAB: Lateral movement to WS1

1. Introduction

In this challenge we abuse the previously recovered credentials to move laterally through the network to the host WS1.

2. Using psexec.py

Previously, we already used the tool psexec.py from the Impacket collection to move laterally by performing a pass-the-hash attack.

We can now use the same tool but instead provide the cleartext credentials to connect to WS1 (IP 10.0.1.103).

Type the following command on your Linux attack host:

psexec.py winattacklab.local/cclear:Winter2019@10.0.1.103

3. Using smbclient.py

A better, less "intrusive" way to verify the recovered credentials on WS1 is to use the SMB protocol directly, specifically the tool smbclient.py from the Impacket collection.

To do this, run smbclient.py from your Linux attack host:

smbclient.py 'winattacklab.local/cclear:Winter2019@10.0.1.103'

As this mimics a regular SMB connection, nothing unusual will pop up on WS1, and the goal of verifying the credentials is still achieved!

4. Update Bloodhound

Search for the object "WS1@WINATTACKLAB.LOCAL" in Bloodhound and mark it as "owned".

In the previous challenge we already discovered an attack path which might lead us to a domain admin. If we check this again (query "Shortest Paths to Domain Admins from Owned Principals"), we can now see that we have actually progressed along this path.

5. Optional Credentials verification

A very powerful tool to perform credential verification against one or more targets is CrackMapExec.

This tool allows you to easily test (multiple sets of) credentials against a single host, a target list, an IP range or even a whole subnet. It supports multiple protocols such as SSH, SMB, WinRM and LDAP. Furthermore, it can automatically run commands on systems where a successful login has been detected.

For now, however, we will focus on credential verification only. CrackMapExec is pre-installed on your machine and can be started by typing crackmapexec on your Linux attack host.

To verify the credentials of cclear we can execute the command below against the domain controller:

crackmapexec smb 10.0.1.100 -u cclear -d winattacklab.local -p Winter2019

As already mentioned, CrackMapExec can also be used to test a login against multiple systems. For our setup, we can test against all machines in our subnet with the following command:

crackmapexec smb 10.0.1.0/24 -u cclear -d winattacklab.local -p Winter2019

Note: As we are testing with a domain account, we should get a valid verification for all domain-joined systems. However, one entry in the output is additionally marked with (Pwn3d!).

This indicates that the provided user has local administrative privileges on that system!
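From the defender's side, the subnet-wide check above has a recognisable footprint: one account, from one source address, authenticates to many hosts within seconds, and every domain-joined target records a network logon (Security Event ID 4624 with Logon Type 3, or 4625 when the attempt fails). No single host sees anything odd, but centrally forwarded logs show the fan-out. The following detector is an added example, not part of the lab or of CrackMapExec; the log records, the attacker source address 10.0.1.50, the extra host addresses, the account jadmin, the 60-second window and the threshold of five hosts are all constructed assumptions for the demonstration.

```python
"""Detect a credential-verification sweep from forwarded Windows logon events.

Added example, not part of the lab: one account from one source reaching
many hosts with network logons inside a short window.  All records below
are constructed sample data, not real log output.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # assumption: a sweep fans out within a minute
THRESHOLD = 5                   # assumption: distinct hosts that count as a sweep

# Constructed records: time | event id | account | logon type | source IP | host that logged it
SAMPLE_LINES = [
    # one account from one source reaches six hosts in six seconds (sweep)
    "2023-03-01T10:15:00|4624|cclear|3|10.0.1.50|10.0.1.100",
    "2023-03-01T10:15:01|4624|cclear|3|10.0.1.50|10.0.1.101",
    "2023-03-01T10:15:02|4624|cclear|3|10.0.1.50|10.0.1.102",
    "2023-03-01T10:15:03|4624|cclear|3|10.0.1.50|10.0.1.103",
    "2023-03-01T10:15:04|4625|cclear|3|10.0.1.50|10.0.1.104",
    "2023-03-01T10:15:05|4624|cclear|3|10.0.1.50|10.0.1.105",
    # an administrator connecting to two servers over an hour (normal)
    "2023-03-01T09:00:00|4624|jadmin|3|10.0.1.20|10.0.1.100",
    "2023-03-01T09:40:00|4624|jadmin|3|10.0.1.20|10.0.1.103",
    # interactive console logon, not relevant to lateral-movement fan-out
    "2023-03-01T10:15:02|4624|cclear|2|-|10.0.1.103",
]


def parse_record(line):
    """Split one constructed record into typed fields."""
    ts, event_id, user, logon_type, src, host = line.split("|")
    return {
        "ts": datetime.fromisoformat(ts),
        "id": int(event_id),
        "user": user.lower(),
        "logon_type": int(logon_type),
        "src": src,
        "host": host,
    }


def detect_sweeps(lines, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per (account, source) that reached `threshold`
    distinct hosts with network logons inside `window`.

    Successful (4624) and failed (4625) network logons are both counted:
    a wrong password sprayed across a subnet fans out the same way.
    """
    events = sorted((parse_record(line) for line in lines), key=lambda e: e["ts"])
    recent = defaultdict(deque)  # (user, src) -> deque of (ts, host) inside window
    alerted = set()
    alerts = []
    for e in events:
        if e["id"] not in (4624, 4625) or e["logon_type"] != 3:
            continue
        key = (e["user"], e["src"])
        q = recent[key]
        q.append((e["ts"], e["host"]))
        while q and e["ts"] - q[0][0] > window:  # drop entries older than window
            q.popleft()
        hosts = {h for _, h in q}
        if len(hosts) >= threshold and key not in alerted:
            alerted.add(key)  # report each (account, source) pair once
            alerts.append({
                "user": e["user"],
                "src": e["src"],
                "hosts": sorted(hosts),
                "first_seen": q[0][0].isoformat(),
                "last_seen": e["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_sweeps(SAMPLE_LINES):
        print(f"[sweep] {a['user']} from {a['src']} reached {len(a['hosts'])} hosts "
              f"between {a['first_seen']} and {a['last_seen']}: {', '.join(a['hosts'])}")
```

The alert fires on the fifth distinct host, so the account used for the sweep is reported while the administrator who touches two servers an hour apart is not; tuning the window and threshold to what normal administration looks like in a given environment is the main operational decision.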

6. Questions

  1. Why is the lateral movement technique with psexec easily detected?

  2. Does a psexec alert always indicate bad behavior?

  3. Why is smb access via smbclient.py not detected?

  4. What is the next step to become domain admin?

7. Answers

  1. Several activities can be observed to identify psexec:

     • PsExec activity always involves remote service creation.

     • Configurable service names and named pipes.

     • Multiple Logon and Special Logon events (Event IDs) generated in the Windows Security log.

     • Event ID 7045 will contain the name of the executable uploaded by psexec.py and the running service that was started.

  2. No. PsExec and other tools (Sysinternals etc.) are also used for legitimate operations and management tasks. Detection should therefore also take other events and indicators into account.

  3. The performed SMB access is a legitimate action on a Windows system and is not considered malicious.

  4. With cclear's access to WS1 and the session of FFAST on WS1, we should be able to gather the credentials of FFAST.
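The answers to questions 1 and 3 can be turned into a concrete correlation rule. A psexec-style execution leaves a remote service installation (System log Event ID 7045, carrying the service name and the image path of the uploaded executable) shortly after a network logon (Security 4624, Logon Type 3) and a Special Logon (4672) on the same host. Plain share access with smbclient.py produces the same logon events plus share-access events (5140/5145) but never a 7045, so the rule stays silent for it. The code below is an added example, not part of the lab or of Impacket; the event records, the service name QXfN, the file name KxqTmvba.exe, the source address 10.0.1.50, the account jadmin and the 30-second look-back are constructed assumptions, and the "randomly named binary dropped straight into the Windows directory" heuristic is this example's assumption rather than something the lab states.

```python
"""Tell psexec-style lateral movement from plain SMB share access in event logs.

Added example, not part of the lab.  Correlates a service installation
(7045) with a preceding network logon (4624, type 3) on the same host.
All event records, names and paths are constructed sample data.
"""
import re
from datetime import datetime, timedelta

LOOKBACK = timedelta(seconds=30)  # assumption: max gap between logon and service install

# Heuristic (assumption, not from the lab): a service binary placed directly
# in the Windows directory with a purely alphabetic name is typical of tools
# that upload a randomly named payload; legitimate services normally live in
# System32 or Program Files.
RANDOM_DROP = re.compile(r"^%systemroot%\\[a-z]{4,12}\.exe$", re.IGNORECASE)


def ev(ts, event_id, host, **fields):
    """Build one constructed event record."""
    rec = {"ts": datetime.fromisoformat(ts), "id": event_id, "host": host}
    rec.update(fields)
    return rec


# Scenario 1: psexec.py-style execution against WS1 (constructed)
PSEXEC_STYLE = [
    ev("2023-03-01T10:20:00", 4624, "WS1", user="cclear", logon_type=3, src="10.0.1.50"),
    ev("2023-03-01T10:20:00", 4672, "WS1", user="cclear"),
    ev("2023-03-01T10:20:01", 5145, "WS1", user="cclear", share="ADMIN$", target="KxqTmvba.exe"),
    ev("2023-03-01T10:20:02", 7045, "WS1", service="QXfN", image_path=r"%SystemRoot%\KxqTmvba.exe"),
]

# Scenario 2: smbclient.py-style share browsing against WS1 (constructed)
SMBCLIENT_STYLE = [
    ev("2023-03-01T10:30:00", 4624, "WS1", user="cclear", logon_type=3, src="10.0.1.50"),
    ev("2023-03-01T10:30:00", 4672, "WS1", user="cclear"),
    ev("2023-03-01T10:30:01", 5140, "WS1", user="cclear", share="C$"),
]

# Scenario 3: software installed by a locally logged-on administrator (constructed)
LOCAL_INSTALL = [
    ev("2023-03-01T11:00:00", 4624, "WS1", user="jadmin", logon_type=2, src="-"),
    ev("2023-03-01T11:00:05", 7045, "WS1", service="VendorUpdater",
       image_path=r"C:\Program Files\Vendor\updater.exe"),
]


def correlate_service_installs(events, lookback=LOOKBACK):
    """Return an alert for every 7045 that follows a network logon on the
    same host within `lookback`.  Severity is 'high' when the image path
    looks like a randomly named drop in the Windows directory, 'medium'
    otherwise (remote service creation by an admin may be legitimate, see
    answer 2 above).
    """
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for i, e in enumerate(events):
        if e["id"] != 7045:
            continue
        # Walk back from the service install to the most recent network logon
        logon = None
        for prior in reversed(events[:i]):
            if e["ts"] - prior["ts"] > lookback:
                break
            if prior["id"] == 4624 and prior["host"] == e["host"] and prior.get("logon_type") == 3:
                logon = prior
                break
        if logon is None:
            continue  # no remote logon nearby: local install, not remote service creation
        random_drop = bool(RANDOM_DROP.match(e["image_path"]))
        alerts.append({
            "host": e["host"],
            "user": logon["user"],
            "src": logon["src"],
            "service": e["service"],
            "image_path": e["image_path"],
            "severity": "high" if random_drop else "medium",
        })
    return alerts


if __name__ == "__main__":
    for name, scenario in [("psexec-style", PSEXEC_STYLE),
                           ("smbclient-style", SMBCLIENT_STYLE),
                           ("local install", LOCAL_INSTALL)]:
        print(name, "->", correlate_service_installs(scenario) or "no alert")
```

Only the first scenario raises an alert: the share browsing in scenario 2 and the console-driven installation in scenario 3 lack the logon-then-service-creation pair, which is exactly why the lab's smbclient.py check passes unnoticed while psexec.py does not.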