You're reading from Pentesting Active Directory and Windows-based Infrastructure

Product type: Book
Published in: Nov 2023
Publisher: Packt
ISBN-13: 9781804611364
Edition: 1st Edition

Author: Denis Isakov

Denis Isakov is a passionate security professional with 10+ years of experience ranging from incident response to penetration testing. He has worked in various industries, including banking and consultancy. Denis specializes in offensive security with a particular focus on Active Directory and adversary malware. He earned a Master's degree in Information Systems and Technologies in 2012. Additionally, Denis has achieved an array of industry certifications ranging from OSCP to GXPN. Outside of computers, Denis enjoys sports and discovering new places.
Lateral Movement in Domain and Across Forests

After an adversary establishes a foothold in the environment and/or harvests valid credentials, the next step is usually lateral movement. Lateral movement is a set of techniques that allows an attacker to move deeper into the target environment and search for high-value assets and sensitive data, including new credentials.

We will start with a scenario in which an attacker has obtained a clear-text password (e.g., through a successful password-spray attack) and now tries to blend in with normal environment traffic by abusing administrative protocols. As a next step, we will discuss how to relay the hash and the prerequisites for this move to be successful. To perform lateral movement, the attacker does not necessarily require a New Technology LAN Manager (NTLM) response or a clear-text password; it can be any other form of credential material: an NT hash, a key, or a ticket. As Kerberos is recommended by Microsoft as the primary secure authentication protocol in...

Technical requirements

In this chapter, you will need to have access to the following:

  • VMware Workstation or Oracle VirtualBox with at least 16 GB of RAM, 8 CPU cores, and 55 GB of total space (more if you take snapshots)
  • A Linux-based operating system is strongly recommended
  • Installed Vagrant with a plugin for the corresponding virtualization platform and Ansible
  • GOADv2 project with all machines up and running

Usage of administration protocols in the domain

In this section, we will cover various administration protocols that IT staff usually use inside the domain for day-to-day support activities. We will discuss PowerShell features such as PSRemoting and Just Enough Administration (JEA). The Remote Desktop Protocol (RDP) is one of the most common protocols used by administrators as well. We will briefly go through other protocols that can be used for lateral movement, such as WMI, SMB, DCOM, and PSExec from Impacket.

PSRemoting and JEA

PSRemoting allows you to connect to multiple computers and run commands on them. Another option is a one-to-one interactive shell on the target machine. For simplicity, you can think of it as SSH for Windows, used to run PowerShell commands. In a nutshell, the client connects to a small web server running on the destination host, called the WinRM listener. HTTP or HTTPS can be used to provide transport for...

Relaying the hash

In the previous chapter, we covered different ways to capture the NTLM response by forcing authentication or using MitM. Now we get to the answer to why we want to capture responses at all. Before we jump into practice, some theoretical concepts and caveats need to be explained first.

First, there are two versions of the NTLM protocol (v1 and v2). Next, NTLM authentication messages can be relayed cross-protocol because they are protocol-independent. It is therefore important to understand which protocol was used to capture the NTLM authentication and which protocol we plan to relay it over. The following mindmap was created by nwodtuhs and is a good reference for our discussion.

Figure 5.6 – NTLM relay

Let us focus on an important topic, signing, especially for SMB and LDAP. Whether signing is enabled or required is controlled by settings on both the client and the server side. For SMB, it will depend on the protocol version and whether...
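As an added example that is not part of the book, the following PowerShell audits the local SMB and LDAP signing settings that decide whether a relayed NTLM authentication is usable against this host. It assumes an elevated session on a domain-joined Windows machine; the LDAP registry values only exist on a domain controller.

```powershell
# Added example (not from the book): report the SMB and LDAP signing posture
# of the local host, the settings that determine whether NTLM relay works.
# Assumes an elevated session; the NTDS key is present only on a DC.

function Get-SigningPosture {
    $smbServer = Get-SmbServerConfiguration
    $smbClient = Get-SmbClientConfiguration

    # SMB: "required" is what actually stops relay. "enabled" alone only signs
    # when the peer asks for it, so an attacker-controlled peer simply does not.
    $result = [ordered]@{
        SmbServerSigningRequired = [bool]$smbServer.RequireSecuritySignature
        SmbClientSigningRequired = [bool]$smbClient.RequireSecuritySignature
    }

    # LDAP (domain controllers only):
    #   LDAPServerIntegrity       2 = require signing (1 = negotiate, 0 = none)
    #   LdapEnforceChannelBinding 2 = always enforce channel binding on LDAPS
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    if (Test-Path $ntds) {
        $p = Get-ItemProperty -Path $ntds
        $result.LdapSigningRequired      = ($p.LDAPServerIntegrity -eq 2)
        $result.LdapChannelBindingAlways = ($p.LdapEnforceChannelBinding -eq 2)
    }

    [pscustomobject]$result
}

$posture = Get-SigningPosture
$posture | Format-List

# Flag every setting that still leaves the host relayable.
$posture.PSObject.Properties |
    Where-Object { $_.Value -eq $false } |
    ForEach-Object { Write-Warning "Relay mitigation missing: $($_.Name)" }
```

Run it on a representative member server and on each domain controller; a missing registry value is reported as not required, which matches the default behaviour.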

Pass-the-whatever

This section is about impersonation. Let's say an attacker has compromised a machine and dumped hashed credentials from the LSASS process in one of the many available ways. Usually, the next step is to perform lateral movement by starting a new logon session and trying to access other company resources. We will discuss the most common ways to perform such activity, together with OpSec considerations. Pass-the-certificate will be covered in Chapter 8, which deals with Active Directory Certificate Services.

Pass-the-hash

We are going to start with good old pass-the-hash. This method of authentication itself is quite straightforward. It relies only on the NTLM protocol, not touching Kerberos at all. This technique can be used for local and domain accounts. To perform a pass-the-hash attack, the attacker needs to have administrative privileges on the box.

Note

There is a detailed and well-written description of what is happening under the hood by hackndo in his...

Kerberos delegation

First of all, we need to discuss what delegation is and why it exists. Services within Active Directory sometimes need to be accessed by other services on behalf of a domain user. Think of a web server authenticating to the database on the backend on behalf of the user. There are three types of delegation available in Active Directory (AD): unconstrained, constrained, and resource-based. Information about delegation can be found by using BloodHound, PowerView, or the AD module. We will cover the types of delegation in the following respective sections.
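As an added example that is not from the book, the following PowerShell uses the RSAT ActiveDirectory module mentioned above to list every account configured for unconstrained, constrained, or resource-based constrained delegation, so each one can be reviewed. It assumes domain read access; the function name Get-DelegationReport is ours, and domain controllers are expected to appear as unconstrained.

```powershell
# Added example (not from the book): enumerate all three delegation types
# with the ActiveDirectory module. Assumes domain read access.

Import-Module ActiveDirectory

$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained with protocol transition

# Match on the userAccountControl bits (LDAP_MATCHING_RULE_BIT_AND), on a
# constrained-delegation target list, or on an RBCD security descriptor.
$filter = '(|(userAccountControl:1.2.840.113556.1.4.803:=524288)' +
          '(userAccountControl:1.2.840.113556.1.4.803:=16777216)' +
          '(msDS-AllowedToDelegateTo=*)' +
          '(msDS-AllowedToActOnBehalfOfOtherIdentity=*))'

$props = 'userAccountControl', 'msDS-AllowedToDelegateTo',
         'msDS-AllowedToActOnBehalfOfOtherIdentity', 'servicePrincipalName'

function Get-DelegationReport {
    Get-ADObject -LDAPFilter $filter -Properties $props | ForEach-Object {
        $uac  = [int]$_.userAccountControl
        $kind = @()
        if ($uac -band $TRUSTED_FOR_DELEGATION)         { $kind += 'Unconstrained' }
        if ($_.'msDS-AllowedToDelegateTo')               { $kind += 'Constrained' }
        if ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) { $kind += 'ProtocolTransition' }

        # RBCD is stored on the *target*: its ACL names the principals allowed
        # to delegate to this account. Handle both the object the module
        # normally returns and a raw byte[] security descriptor.
        $rbcdFrom = $null
        $sd = $_.'msDS-AllowedToActOnBehalfOfOtherIdentity'
        if ($sd -is [byte[]]) {
            $acl = New-Object System.DirectoryServices.ActiveDirectorySecurity
            $acl.SetSecurityDescriptorBinaryForm($sd)
            $sd = $acl
        }
        if ($sd) {
            $kind += 'RBCD'
            $rbcdFrom = ($sd.Access | ForEach-Object { $_.IdentityReference.Value }) -join ', '
        }

        [pscustomobject]@{
            Name        = $_.Name
            Class       = $_.ObjectClass
            Delegation  = $kind -join '+'
            AllowedTo   = ($_.'msDS-AllowedToDelegateTo' -join ', ')
            RbcdAllowed = $rbcdFrom
        }
    }
}

Get-DelegationReport | Sort-Object Delegation | Format-Table -AutoSize
```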

Note

For our lab, Mayfly prepared, as usual, a great walk-through to follow: https://mayfly277.github.io/posts/GOADv2-pwning-part10/.

Unconstrained delegation

We will start our journey with the oldest type of delegation. With unconstrained delegation enabled on the computer or user, it is possible to impersonate an authenticating user or computer to any service on any host. If we compromise the...

Abusing trust for lateral movement

In this section, we are going to discuss various ways to abuse forest trust for lateral movement. Movement from the child to the parent domain inside the forest is covered in Chapter 6.

We will start by covering the necessary theory and then apply it to practice. As stated by Microsoft, a forest is a security boundary and consists of one or more AD domains that share a common schema, configuration, and global catalog. The schema defines objects within the forest, and the global catalog contains a partial attribute set of each object in the forest domains. There are six types of trust relationships; we will focus our attention on the External and Forest types. To understand more about security boundaries, we need to discuss the Security Identifier (SID), the SID history attribute, and SID filtering.

A SID is a unique identifier assigned to each security principal in the domain. SID filtering is a mechanism that filters out SIDs from other domains...

Summary

This chapter has covered the topic of lateral movement. We discussed how administrative protocols can be used for movement across the environment; it is an effective way to blend in with normal traffic and fly under the radar. The concept of relaying the hash is a powerful weapon in environments lacking hardening. Simple recommendations, such as disabling unused protocols and services, can significantly improve the security posture. It is important to mention that, in complex environments, even simple changes can create chaos and outages, so thorough testing is required. A deep dive into Kerberos authentication, the different delegation types, and ways to abuse them helped us understand in more detail the complexity of the Kerberos protocol itself and the security implications of each delegation type. We have demonstrated in practice that, for successful lateral movement, attackers do not necessarily need the victim's password. It can be any form of credential material, such as...

Further reading

These aids for further study will let you dive deeper into the attacks covered in the chapter:
