Mimikatz remotely: How to use DCSync to grab credentials from Active Directory
- nessnasingiohochil
- Aug 19, 2023
In corporate penetration tests, lateral movement and elevation of privilege are two fundamental steps for advancing through the environment and gaining control of the target. There are many ways to do either, but here we present a technique for reading the contents of an lsass dump remotely, which noticeably reduces both the latency and the detection footprint of password extraction across a set of machines.
The CrackMapExec tool is developed and maintained by byt3bl33d3r. Its purpose is to execute actions asynchronously across a set of machines. It authenticates to remote hosts with a domain or local account, using either a password or an LM:NT hash (pass-the-hash).
How to execute mimikatz remotely
To make this more efficient, the idea is to read the offsets and addresses needed to locate credential material remotely, directly from the dump left on the target, and to download only the few fragments of the dump that contain the expected information, instead of transferring the whole file (typically tens to hundreds of megabytes) over SMB.
mimikatz, roughly French for "cute cats", is a post-exploitation tool intended to help attackers, whether black hat hackers, red teamers or penetration testers, extract login IDs, passwords, hashes and authentication tokens from compromised systems in order to elevate privileges and gain greater access on a breached network.
One way to avoid being blocked by antimalware is to use the Invoke-Mimikatz PowerShell module, which lets an attacker running PowerShell, Microsoft's task automation framework, load and execute Mimikatz remotely without writing the executable to the target's disk. Note that in-memory loading only sidesteps on-disk scanning: the stock Invoke-Mimikatz script is well known to AMSI and to EDR memory scanning, so in practice it has to be modified or loaded through a less common path.
Whether Mimikatz is run from an executable on the victim system or loaded remotely through a utility like PowerShell, commands can be issued interactively from a console or run automatically from a script.
With this, we were in a position to execute commands with local administrator rights on other systems. The goal was now to get user credentials from each active device. We used the PowerShell script Invoke-Mimikatz.ps1 by Joe Bialek as a basis. Invoke-Mimikatz already implements a way to execute Mimikatz on remote computers: its -ComputerName parameter runs the payload through Invoke-Command, i.e. over WinRM.
Once the script has run, a Mimikatz output file is available for each host. To quickly extract information such as plain-text passwords, we use another PowerShell script (GitHub). Using a regular expression (RegEx), every entry with a password that is not blank is stored in a file or printed to the screen.
CrackMapExec (5) is an excellent tool for dumping LSASS remotely, and it is my preferred method on an internal penetration test. It scales well: you can simply point it at a whole subnet or a list of IP addresses with credentials that have local admin access:
Lsassy (7) is an interesting tool that combines the above methods to dump LSASS remotely. Its default command uses the comsvcs.dll method (the MiniDump export called through rundll32) and triggers it via WMI or a remote scheduled task:
WinRM stands for Windows Remote Management and is a service that lets administrators perform management tasks on systems remotely. Communication is SOAP over HTTP (TCP 5985) or HTTPS (TCP 5986); Kerberos and NTLM authentication are supported by default, and Basic authentication can additionally be enabled. By default, using the service requires membership in the local Administrators group (or, on Windows 8/Server 2012 and later, the Remote Management Users group).
Windows Remote Shell (WinRS) is a command line tool shipped with Windows Server 2008 and later. If WinRM is enabled, it can be used to execute commands on a host remotely; passing cmd as the command establishes an interactive command prompt on the remote host.
It is also possible to upgrade the Windows Remote Shell access to a Meterpreter session via the Metasploit web delivery module. The module will generate a payload which will be hosted locally and will generate the PowerShell command that needs to be executed on the target.
Arbitrary code execution over WinRM is also possible with the following Metasploit module. The module requires local administrator credentials and the list of hosts on which the code will be executed, and it can be used for lateral movement into hosts that share the same local administrator account.
Upon exploitation the module first attempts to modify the PowerShell execution policy to allow unsigned scripts. A PowerShell script is then written to disk and executed automatically to return a Meterpreter session. The module also attempts to migrate into a SYSTEM-level process so that the shell is not lost when the WinRS session hits its time limit.
For engagements that utilize Empire there is a PowerShell module which can execute code remotely over WinRM in order to expand access inside a network. Requirements for usage of this module are: local administrator credentials, a listener, an agent and a target host.
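The WinRM techniques above leave a recognisable trail on the receiving hosts, so here is the defender's side as an added example (my own code, not from any of the tools named on this page). It runs two checks over constructed sample events that mimic a minimal projection of Windows Security log records 4624 (logon) and 4688 (process creation): one flags an account that performs network (type 3) logons to several distinct hosts within a short window, which is what reusing one local admin account across a subnet looks like, and the other flags shells spawned by wsmprovhost.exe, the WinRM provider host that parents everything started through WinRS or Invoke-Command. The field names, hosts and accounts are assumptions for the sample.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events (not real telemetry): a minimal projection of 4624/4688 records.
EVENTS = [
    {"time": "2023-08-19T10:00:05", "host": "WS01", "id": 4624, "account": "localadmin", "logon_type": 3, "auth": "NTLM"},
    {"time": "2023-08-19T10:00:12", "host": "WS01", "id": 4688, "account": "localadmin", "parent": "wsmprovhost.exe", "image": "powershell.exe"},
    {"time": "2023-08-19T10:01:30", "host": "WS02", "id": 4624, "account": "localadmin", "logon_type": 3, "auth": "NTLM"},
    {"time": "2023-08-19T10:02:44", "host": "WS03", "id": 4624, "account": "localadmin", "logon_type": 3, "auth": "NTLM"},
    {"time": "2023-08-19T10:03:10", "host": "WS03", "id": 4688, "account": "localadmin", "parent": "wsmprovhost.exe", "image": "cmd.exe"},
    {"time": "2023-08-19T10:04:00", "host": "WS03", "id": 4688, "account": "localadmin", "parent": "explorer.exe", "image": "cmd.exe"},
    {"time": "2023-08-19T09:30:00", "host": "FS01", "id": 4624, "account": "backupsvc", "logon_type": 3, "auth": "Kerberos"},
    {"time": "2023-08-19T11:30:00", "host": "FS02", "id": 4624, "account": "backupsvc", "logon_type": 3, "auth": "Kerberos"},
]

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def fan_out_alerts(events, min_hosts=3, window=timedelta(minutes=10)):
    """One account, network logons to >= min_hosts distinct hosts inside `window`."""
    by_account = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e.get("logon_type") == 3:
            by_account[e["account"]].append((datetime.fromisoformat(e["time"]), e["host"]))
    alerts = []
    for account, logons in by_account.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):            # sliding window anchored at each logon
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"rule": "lateral-fan-out", "account": account,
                               "hosts": sorted(hosts), "start": t0.isoformat()})
                break                                    # one alert per account is enough
    return alerts


def winrm_shell_alerts(events):
    """A shell whose parent is the WinRM provider host: someone is running commands over WinRM."""
    return [{"rule": "winrm-spawned-shell", "host": e["host"], "account": e["account"], "image": e["image"]}
            for e in events
            if e["id"] == 4688 and e.get("parent", "").lower() == "wsmprovhost.exe"
            and e.get("image", "").lower() in SHELLS]


def run_detections(events):
    return fan_out_alerts(events) + winrm_shell_alerts(events)


if __name__ == "__main__":
    for a in run_detections(EVENTS):
        print(a)
```

Legitimate remoting (configuration management, Invoke-Command from an admin jump host) produces exactly the same events, so in practice the fan-out rule is tuned per account tier and the wsmprovhost.exe rule is scoped to hosts that are not expected WinRM targets; the value of the rules is that a shared local admin account sweeping a subnet looks nothing like either.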
Pass-the-hash is difficult to prevent outright, but Windows has introduced several features that make it harder to execute. The most effective approach is to implement logon restrictions so that privileged account hashes are never cached where they can be extracted. Microsoft's tiered administrative model for Active Directory is the reference design here: it ensures privileged accounts are significantly harder to compromise this way. Other protections include enabling LSA Protection (RunAsPPL), placing privileged accounts in the Protected Users security group, and using Restricted Admin mode for Remote Desktop.
Mimikatz.exe can extract plain-text passwords from Windows memory, password hashes, Kerberos tickets, and more. It can also perform pass-the-hash and pass-the-ticket attacks and forge Golden Tickets. The mimikatz functionality is also available in the Metasploit Framework.
As you can see, thanks to mimikatz we obtained the NTLM hashes of all logged-on users. The command succeeded because the account running mimikatz holds SeDebugPrivilege (local administrators have it by default, and privilege::debug enables it for the mimikatz process), which grants low-level access to the memory of processes running as SYSTEM, lsass.exe included.
To extract the same data from a virtual machine's memory file, you need the Debugging Tools for Windows (WinDbg), mimikatz itself, and a tool to convert the saved VM memory into a memory dump file (for Hyper-V that can be vm2dmp.exe; for VMware .vmem files, the MoonSols Windows Memory Toolkit).
Mimikatz has other options for obtaining passwords and their hashes from memory (WDigest, LM hashes, NTLM hashes, and a module for capturing Kerberos tickets). It is therefore recommended to implement the following security measures:
The constraints imposed by Constrained Language Mode (CLM) will block many exploitation attempts, as key PowerShell functionality is unavailable. Bypassing CLM is largely the same as bypassing AppLocker, as discussed above. Another way around CLM is to bypass AppLocker to execute a binary that hosts its own PowerShell runspace (e.g. Stracciatella), which will be unconstrained.
MSSQL databases can be linked, so that if you compromise one you can execute queries (or even OS commands) on other databases in the context of a specific user (perhaps even sa). When this is configured it can even be used to cross forest boundaries. If we have SQL execution, we can use the following commands to enumerate database links.
We can also use PowerUpSQL to look for databases within the domain, and gather further information on (reachable) databases. We can also automatically look for, and execute queries or commands on, linked databases (even through multiple layers of database links).
In addition to the scheduled task above, the attackers created another scheduled task with the same name (VV1) on other machines in the network. This task was different from the one above, and it was used to execute a bat script located under c:\$recycle.bin\q.bat, also created by the attackers.
According to our analysis, Cluster A was executed by the Soft Cell activity group, a group that is known to have attacked Telcos in the past in multiple regions and believed to be operating on behalf of Chinese state interests. The intrusions in this cluster span over three years, going back to 2018. The attackers behind it have shown great resourcefulness and adaptiveness in light of mitigation efforts, finding their way back in repeatedly, which may demonstrate how important it was for them to obtain the data from the targeted Telcos.
The execution policy governs script files only; a command passed on the command line with -Command (or -EncodedCommand) is not subject to it. We can go one step further, read the script's contents from a file, evaluate them and run our payload. But why not automate this? In my case I was looking for a way to remotely execute Invoke-Mimikatz.ps1 on a number of Windows machines without having to tediously upload the script via smbclient, run psexec to disable the execution policy, run the script itself and then revert the execution restrictions.
PowerShell is present by default on Windows 7 and later and has become the most common way to execute scripts on Windows. For that reason, security products are increasingly blocking or alerting on PowerShell use.
User impersonation occurs when a program runs in the security context of a user other than the one currently logged in. When you run a program with PsExec, it executes on the remote computer impersonating the account you used to run PsExec on your local machine. Impersonation has limitations in Windows, the main one being that the remote process cannot access resources elsewhere on the network (the double-hop problem). To get around this, PsExec lets you supply alternate credentials with the -u and -p switches; if -p is omitted, PsExec prompts for the password instead of exposing it on the command line.
The most distinctive feature of PsExec is its ability to temporarily copy a program to one or more remote computers and execute it there. This is useful when you have a program on your local computer that you want to run on the remote machine(s): use PsExec with the -c switch and specify the name of the local program. Have a look at the following command: