# Lateral movements ### Expired password renewal Expired password of local or domain accounts can be renewed over `SMB` (`MSRPC-SAMR`) using `impacket`'s `smbpasswd.py` Python script. `smbpasswd.py` supports authentication using an account `NTLM` hash. ``` smbpasswd.py [-newpass ''] [:]@ smbpasswd.py [-newpass ''] -hashes @ ``` The account's previous password can be restored using `mimikatz`'s `lsadump::changentlm` function with only the knowledge of the previous `NTLM` hash. Note that the minimum password age policy setting may prevent an immediate password restoration. ``` mimikatz # privilege::debug mimikatz # lsadump::changentlm /server: /user: [/oldpassword: | /old:] [/newpassword: | /new:] ``` ### Lateral movements overview Multiples techniques can be used to access computers remotely: | Technique / Service | Port | Required privileges | Pass-the-Hash? | | -------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------ | | `PsExec` |

SMB: TCP Port 445
or
SMB over NetBIOS: TCP port 139

If User Account Control (UAC) is disabled (EnableLUA set to 0x0):
Any local and domain accounts members of the local Administrators group

If UAC is enabled (EnableLUA set to 0x1) in default configuration (standard since Windows Vista / Windows Server 2008):
Local built-in Administrator (RID: 500)
Domain accounts members of the local Administrators group (SID: S-1-5-32-544)

If UAC remote restrictions are disabled (LocalAccountTokenFilterPolicy set to 0x1):
Any local (and domain) accounts members of the local Administrators group

If UAC is enforced for the local built-in Administrator account RID 500 (FilterAdministratorToken set to 0x1):
Only domain accounts members of the local Administrators group

Network logon
-> Yes

| | `Remote Desktop Protocol (RDP)` | `Terminal Services` TCP port 3389 | Any local and domain accounts members of the local `Administrators` (SID: `S-1-5-32-544`) or `Remote Desktop Users` (SID: `S-1-5-32-555`) groups | Yes, if `Restricted Admin` mode is enabled server-side | | `Windows Management Instrumentation (WMI)` |

RPC TCP port 135
RPC randomly allocated high TCP ports:
- TCP ports 1024 - 5000 (<= Windows 2003R2)
- TCP ports 49152 - 65535

| Similar privileges to `PsExec` |

Network logon
-> Yes

| | `Windows Remote Management (WinRM)` |

WinRM 1.1 and earlier:
HTTP port 80
or
HTTPS port 443

WinRM 2.0:
HTTP port 5985
or
HTTPS port 5986

| Similar privileges to `PsExec` with the addition of membership to the `Remote Management Users` (SID: `S-1-5-32-580`) group |

Network logon
-> Yes

| | `Distributed Component Object Model (DCOM)` | Same TCP ports as `WMI` | Similar privileges to `PsExec` with the addition of membership to the `Distributed COM Users` (SID: `S-1-5-32-562`) group depanding on the target host configuration |

Network logon
-> Yes

Network logon
-> Yes

Network logon
-> Yes

| | Third parties remote administration IT tools |

AnyDesk: TCP port 7070
TeamViewer: TCP / UDP ports 5938
...

| Technology dependent | Likely not | To quickly identity which servers or workstations in the domain are exposing one of the service above from your network standpoint, AD queries and `nmap` can be used in combination (refer to the `[Active Directory] Methodology - Domain Recon` note). Note that the `Impacket` Python scripts presented below are available as static stand-alone binaries for both Windows and Linux x64 operating systems on the following GitHub repository: ``` https://github.com/Qazeer/OffensivePythonPipeline https://github.com/ropnop/impacket_static_binaries ``` **For the forensics artefacts induced by the different lateral movement technics refer to the `[DFIR] Windows - Analysis - Lateral movement` note.** *** ### References Applied Incident Response, Steve Anson Mitigating-Pass-the-Hash-Attacks-and-Other-Credential-Theft-Version-2.pdf --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://notes.qazeer.io/windows/lateral_movements.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.