Lateral movements

Expired password renewal

Expired password of local or domain accounts can be renewed over SMB (MSRPC-SAMR) using impacket's smbpasswd.py Python script. smbpasswd.py supports authentication using an account NTLM hash.

smbpasswd.py [-newpass '<NEW_PASSWORD>'] <USERNAME>[:<CURRENT_PASSWORD>]@<HOSTNAME | IP>
smbpasswd.py [-newpass '<NEW_PASSWORD>'] -hashes <CURRENT_NT_HASH> <USERNAME>@<HOSTNAME | IP>

The account's previous password can be restored using mimikatz's lsadump::changentlm function with only the knowledge of the previous NTLM hash. Note that the minimum password age policy setting may prevent an immediate password restoration.

mimikatz # privilege::debug
mimikatz # lsadump::changentlm /server:<DC_FQDN | HOSTNAME> /user:<USERNAME> [/oldpassword:<CURRENT_PASSWORD> | /old:<CURRENT_NT_HASH>] [/newpassword:<NEW_PASSWORD> | /new:<NEW_NT_HASH>]

Lateral movements overview

Multiples techniques can be used to access computers remotely:

Technique / Service Port Required privileges Pass-the-Hash?

Technique / Service	Port	Required privileges	Pass-the-Hash?
`PsExec`	`SMB`: TCP Port 445 or `SMB` over `NetBIOS`: TCP port 139	If `User Account Control (UAC)` is disabled (`EnableLUA` set to `0x0`): Any local and domain accounts members of the local `Administrators` group If `UAC` is enabled (`EnableLUA` set to `0x1`) in default configuration (standard since `Windows Vista` / `Windows Server 2008`): Local built-in `Administrator` (RID: `500`) Domain accounts members of the local `Administrators` group (SID: `S-1-5-32-544`) If `UAC` remote restrictions are disabled (`LocalAccountTokenFilterPolicy` set to `0x1`): Any local (and domain) accounts members of the local `Administrators` group If `UAC` is enforced for the local built-in `Administrator` account `RID` 500 (`FilterAdministratorToken` set to `0x1`): Only domain accounts members of the local `Administrators` group	Network logon -> Yes
`Remote Desktop Protocol (RDP)`	`Terminal Services` TCP port 3389	Any local and domain accounts members of the local `Administrators` (SID: `S-1-5-32-544`) or `Remote Desktop Users` (SID: `S-1-5-32-555`) groups	Yes, if `Restricted Admin` mode is enabled server-side
`Windows Management Instrumentation (WMI)`	`RPC` TCP port 135 `RPC` randomly allocated high TCP ports: - TCP ports 1024 - 5000 (<= Windows 2003R2) - TCP ports 49152 - 65535	Similar privileges to `PsExec`	Network logon -> Yes
`Windows Remote Management (WinRM)`	`WinRM 1.1 and earlier`: `HTTP` port 80 or `HTTPS` port 443 `WinRM 2.0`: `HTTP` port 5985 or `HTTPS` port 5986	Similar privileges to `PsExec` with the addition of membership to the `Remote Management Users` (SID: `S-1-5-32-580`) group	Network logon -> Yes
`Distributed Component Object Model (DCOM)`	Same TCP ports as `WMI`	Similar privileges to `PsExec` with the addition of membership to the `Distributed COM Users` (SID: `S-1-5-32-562`) group depanding on the target host configuration	Network logon -> Yes
Remote Windows services	TCP port 445	Similar privileges to `PsExec`	Network logon -> Yes
Remote scheduled tasks	TCP port 445	Similar privileges to `PsExec`	Network logon -> Yes
Third parties remote administration IT tools	`AnyDesk`: TCP port 7070 `TeamViewer`: TCP / UDP ports 5938 ...	Technology dependent	Likely not

PsExec

SMB: TCP Port 445 or SMB over NetBIOS: TCP port 139

If User Account Control (UAC) is disabled (EnableLUA set to 0x0): Any local and domain accounts members of the local Administrators group If UAC is enabled (EnableLUA set to 0x1) in default configuration (standard since Windows Vista / Windows Server 2008): Local built-in Administrator (RID: 500) Domain accounts members of the local Administrators group (SID: S-1-5-32-544) If UAC remote restrictions are disabled (LocalAccountTokenFilterPolicy set to 0x1): Any local (and domain) accounts members of the local Administrators group If UAC is enforced for the local built-in Administrator account RID 500 (FilterAdministratorToken set to 0x1): Only domain accounts members of the local Administrators group

Network logon -> Yes

Remote Desktop Protocol (RDP)

Terminal Services TCP port 3389

Any local and domain accounts members of the local Administrators (SID: S-1-5-32-544) or Remote Desktop Users (SID: S-1-5-32-555) groups

Yes, if Restricted Admin mode is enabled server-side

Windows Management Instrumentation (WMI)

RPC TCP port 135 RPC randomly allocated high TCP ports: - TCP ports 1024 - 5000 (<= Windows 2003R2) - TCP ports 49152 - 65535

Similar privileges to PsExec

Network logon -> Yes

Windows Remote Management (WinRM)

WinRM 1.1 and earlier: HTTP port 80 or HTTPS port 443 WinRM 2.0: HTTP port 5985 or HTTPS port 5986

Similar privileges to PsExec with the addition of membership to the Remote Management Users (SID: S-1-5-32-580) group

Network logon -> Yes

Distributed Component Object Model (DCOM)

Same TCP ports as WMI

Similar privileges to PsExec with the addition of membership to the Distributed COM Users (SID: S-1-5-32-562) group depanding on the target host configuration

Network logon -> Yes

Remote Windows services

TCP port 445

Similar privileges to PsExec

Network logon -> Yes

Remote scheduled tasks

TCP port 445

Similar privileges to PsExec

Network logon -> Yes

Third parties remote administration IT tools

AnyDesk: TCP port 7070 TeamViewer: TCP / UDP ports 5938 ...

Technology dependent

Likely not

To quickly identity which servers or workstations in the domain are exposing one of the service above from your network standpoint, AD queries and nmap can be used in combination (refer to the [Active Directory] Methodology - Domain Recon note).

Note that the Impacket Python scripts presented below are available as static stand-alone binaries for both Windows and Linux x64 operating systems on the following GitHub repository:

https://github.com/Qazeer/OffensivePythonPipeline

https://github.com/ropnop/impacket_static_binaries

For the forensics artefacts induced by the different lateral movement technics refer to the [DFIR] Windows - Analysis - Lateral movement note.

References

https://ss64.com/nt/sc.html

https://support.microsoft.com/en-us/help/251192/how-to-create-a-windows-service-by-using-sc-exe

https://posts.specterops.io/offensive-lateral-movement-1744ae62b14f

https://www.contextis.com/en/blog/lateral-movement-a-deep-look-into-psexec

https://docs.microsoft.com/fr-fr/windows/win32/winrm/portal

https://docs.microsoft.com/fr-fr/windows/win32/wmisdk/wmi-start-page

https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf

https://blog.cobaltstrike.com/2017/05/23/cobalt-strike-3-8-whos-your-daddy/

https://blog.cobaltstrike.com/2015/12/16/windows-access-tokens-and-alternate-credentials/

https://blog.cobaltstrike.com/2015/05/21/how-to-pass-the-hash-with-mimikatz/

https://docs.microsoft.com/en-us/windows/win32/secauthz/access-tokens

http://woshub.com/powershell-remoting-via-winrm-for-non-admin-users/

https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/

https://www.cybereason.com/blog/dcom-lateral-movement-techniques

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dcom/4a893f3d-bd29-48cd-9f43-d9777a4415b0

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dcom/ba4c4d80-ef81-49b4-848f-9714d72b5c01

https://blog.varonis.fr/dcom-technologie-distributed-component-object-model/

https://gallery.technet.microsoft.com/scriptcenter/89a5e3c2-0a1c-4471-b78c-136606cafdfb

https://blog.f-secure.com/endpoint-detection-of-remote-service-creation-and-psexec/

Applied Incident Response, Steve Anson

https://docs.microsoft.com/en-us/windows/win32/api/lmshare/nf-lmshare-netshareadd

https://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/

Mitigating-Pass-the-Hash-Attacks-and-Other-Credential-Theft-Version-2.pdf

PreviousLocal persistence NextLocal credentials re-use

Last updated 2 years ago