
Lateral movements

Expired password renewal

Expired passwords of local or domain accounts can be renewed over SMB (MSRPC-SAMR) using Impacket's smbpasswd.py Python script. smbpasswd.py also supports authentication using the account's NTLM hash.

smbpasswd.py [-newpass '<NEW_PASSWORD>'] <USERNAME>[:<CURRENT_PASSWORD>]@<HOSTNAME | IP>
smbpasswd.py [-newpass '<NEW_PASSWORD>'] -hashes <CURRENT_NT_HASH> <USERNAME>@<HOSTNAME | IP>

The account's previous password can be restored using mimikatz's lsadump::changentlm function with only the knowledge of the previous NTLM hash. Note that the minimum password age policy setting may prevent an immediate password restoration.

mimikatz # privilege::debug
mimikatz # lsadump::changentlm /server:<DC_FQDN | HOSTNAME> /user:<USERNAME> [/oldpassword:<CURRENT_PASSWORD> | /old:<CURRENT_NT_HASH>] [/newpassword:<NEW_PASSWORD> | /new:<NEW_NT_HASH>]

Lateral movements overview

Multiple techniques can be used to access computers remotely. For each one, the ports used, the privileges required on the target, and whether Pass-the-Hash is possible are given below.

PsExec
  Port: SMB, TCP port 445, or SMB over NetBIOS, TCP port 139
  Required privileges:
    - If User Account Control (UAC) is disabled (EnableLUA set to 0x0): any local or domain account member of the local Administrators group
    - If UAC is enabled (EnableLUA set to 0x1) in its default configuration (the standard since Windows Vista / Windows Server 2008): the local built-in Administrator (RID: 500) and domain accounts members of the local Administrators group (SID: S-1-5-32-544)
    - If UAC remote restrictions are disabled (LocalAccountTokenFilterPolicy set to 0x1): any local (and domain) account member of the local Administrators group
    - If UAC is enforced for the local built-in Administrator account RID 500 (FilterAdministratorToken set to 0x1): only domain accounts members of the local Administrators group
  Pass-the-Hash: network logon -> Yes

Remote Desktop Protocol (RDP)
  Port: Terminal Services, TCP port 3389
  Required privileges: any local or domain account member of the local Administrators (SID: S-1-5-32-544) or Remote Desktop Users (SID: S-1-5-32-555) group
  Pass-the-Hash: Yes, if Restricted Admin mode is enabled server-side

Windows Management Instrumentation (WMI)
  Ports: RPC, TCP port 135, plus RPC randomly allocated high TCP ports:
    - TCP ports 1024 - 5000 (Windows Server 2003 R2 and earlier)
    - TCP ports 49152 - 65535 (later versions)
  Required privileges: similar privileges to PsExec
  Pass-the-Hash: network logon -> Yes

Windows Remote Management (WinRM)
  Ports:
    - WinRM 1.1 and earlier: HTTP port 80 or HTTPS port 443
    - WinRM 2.0: HTTP port 5985 or HTTPS port 5986
  Required privileges: similar privileges to PsExec, with the addition of membership in the Remote Management Users (SID: S-1-5-32-580) group
  Pass-the-Hash: network logon -> Yes

Distributed Component Object Model (DCOM)
  Ports: same TCP ports as WMI
  Required privileges: similar privileges to PsExec, with the addition of membership in the Distributed COM Users (SID: S-1-5-32-562) group depending on the target host configuration
  Pass-the-Hash: network logon -> Yes

Remote Windows services
  Port: TCP port 445
  Required privileges: similar privileges to PsExec
  Pass-the-Hash: network logon -> Yes

Remote scheduled tasks
  Port: TCP port 445
  Required privileges: similar privileges to PsExec
  Pass-the-Hash: network logon -> Yes

Third-party remote administration IT tools
  Ports: AnyDesk: TCP port 7070; TeamViewer: TCP / UDP port 5938; ...
  Required privileges: technology dependent
  Pass-the-Hash: likely not
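A defender-side audit of the conditions in the table, written in PowerShell as an added example (not part of the original notes): it reads the three UAC registry values named above, applies the table's rules to state who can administer the host over a network logon, lists the members of the local groups each technique relies on, and shows which of the table's ports are listening. It assumes Windows 10 / Windows Server 2016 or later (Get-LocalGroupMember, Get-NetTCPConnection) and is run locally as an administrator.

```powershell
# Added audit script, not from the original notes: reports the UAC values that govern
# remote administrative access (PsExec, WMI, services, tasks), the members of the local
# groups each technique in the table relies on, and the matching listening ports.
# Assumes Windows 10 / Server 2016 or later, run as a local administrator.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

# Defaults used when a value is absent: UAC on, remote restrictions on, RID 500 unfiltered
function Get-PolicyValue([string]$Name, [int]$Default) {
    if ($null -ne $policy -and $null -ne $policy.$Name) { return [int]$policy.$Name }
    return $Default
}
$enableLua    = Get-PolicyValue 'EnableLUA' 1
$tokenFilter  = Get-PolicyValue 'LocalAccountTokenFilterPolicy' 0
$filterRid500 = Get-PolicyValue 'FilterAdministratorToken' 0

# Who obtains a full (unfiltered) token over a network logon, following the table above
if ($enableLua -eq 0) {
    $remoteAdmins = 'any local or domain member of Administrators (UAC disabled)'
} elseif ($tokenFilter -eq 1) {
    $remoteAdmins = 'any local or domain member of Administrators (remote restrictions disabled)'
} elseif ($filterRid500 -eq 1) {
    $remoteAdmins = 'domain members of Administrators only (RID 500 filtered as well)'
} else {
    $remoteAdmins = 'built-in Administrator (RID 500) and domain members of Administrators'
}
"EnableLUA=$enableLua LocalAccountTokenFilterPolicy=$tokenFilter FilterAdministratorToken=$filterRid500"
"Remote admin over network logon: $remoteAdmins"

# Local groups granting each technique, keyed by their well-known SIDs from the table
$groups = [ordered]@{
    'S-1-5-32-544' = 'Administrators (all techniques)'
    'S-1-5-32-555' = 'Remote Desktop Users (RDP)'
    'S-1-5-32-580' = 'Remote Management Users (WinRM)'
    'S-1-5-32-562' = 'Distributed COM Users (DCOM)'
}
foreach ($sid in $groups.Keys) {
    $members = Get-LocalGroupMember -SID $sid -ErrorAction SilentlyContinue |
        ForEach-Object { "$($_.Name) [$($_.ObjectClass)]" }
    '{0}: {1}' -f $groups[$sid], $(if ($members) { $members -join ', ' } else { '<none>' })
}

# Listening TCP ports that correspond to the techniques in the table
$ports = @{ 139 = 'NetBIOS/SMB'; 445 = 'SMB'; 135 = 'RPC endpoint mapper'; 3389 = 'RDP'; 5985 = 'WinRM HTTP'; 5986 = 'WinRM HTTPS' }
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $ports.ContainsKey([int]$_.LocalPort) } |
    Sort-Object LocalPort -Unique |
    ForEach-Object { 'Listening: TCP {0} ({1})' -f $_.LocalPort, $ports[[int]$_.LocalPort] }
```

Run it on a sample of hosts (for instance through an existing management channel) to spot machines where LocalAccountTokenFilterPolicy has been set to 1, since that is the setting that re-enables local-account Pass-the-Hash against the host.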

To quickly identify which servers or workstations in the domain expose one of the services above from your network standpoint, AD queries and nmap can be used in combination (refer to the [Active Directory] Methodology - Domain Recon note).

Note that the Impacket Python scripts presented below are available as static stand-alone binaries for both Windows and Linux x64 operating systems in the following GitHub repositories:

https://github.com/Qazeer/OffensivePythonPipeline

https://github.com/ropnop/impacket_static_binaries

For the forensic artefacts left by the different lateral movement techniques, refer to the [DFIR] Windows - Analysis - Lateral movement note.
