CrackMapExec

Lab: Lateral Movement

Step 13 – Lateral Movement to WS1 (CrackMapExec)

Teamwork – Team DaMa

Description

In the previous challenge, you were able to retrieve password hashes of multiple local users on the machine FS2. While local users might not look as promising as domain users, chances are that you might still be able to abuse them for lateral movement.

A vulnerability commonly observed in many infrastructures is something called password-reuse between multiple accounts on different systems. A good example of this is the local administrator account (which is present on all Windows systems by default), which might have the same password everywhere (or at least on some systems).

We will now see how to efficiently check for password reuse for the recovered accounts in the Windows Attack Lab.

Questions to Answer

Q1:
What is the vulnerability we are actually exploiting?

A1:
The main vulnerability is password reuse: the same account uses the same password on different systems.


Q2:
How can you efficiently check for password reuse across multiple systems?

A2:

  • With password spraying it is possible to check for password reuse over multiple systems (if the passwords are known).
    e.g. kerbrute:

./kerbrute passwordspray --dc 10.0.1.100 -d winattacklab.local users.txt Winter2019

  • Use CrackMapExec if the passwords are unknown but we have access to the NTLM hashes (e.g. from the SAM or NTDS.dit).
    e.g. CrackMapExec:

./cme smb 10.0.1.0/24 --local-auth -u cme_users.txt -H cme_hashes.txt
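A defender-side way to run the same check from A2 against dumps already in hand, as an added example that is not part of this report or of CrackMapExec: it groups the NT hashes from several hosts' SAM/NTDS.dit dumps and reports accounts that share one across systems, which is exactly what unique per-host local administrator passwords (e.g. LAPS) are meant to prevent. Hostnames follow the lab; the hash values are constructed.

```python
# Added example (not part of the lab report): audit SAM/NTDS.dit dumps from several
# hosts for NT-hash reuse, the password-reuse weakness the lab exploits.
# Input lines use the pwdump/secretsdump format  user:rid:lmhash:nthash:::
from collections import defaultdict

# Well-known NT hash of an empty password; flagged on its own, not counted as reuse.
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample dumps: hostnames follow the lab, hash values are made up.
SAMPLE_DUMPS = {
    "FS2": [
        "Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::",
        "support:1001:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::",
        "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    ],
    "WS1": [
        "Administrator:500:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333:::",
        "support:1001:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::",
    ],
    "WS2": ["Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::"],
}

def parse_dump_line(line):
    """Return (user, nt_hash) from one pwdump-style line, or None if malformed."""
    parts = line.strip().split(":")
    if len(parts) < 4 or len(parts[3]) != 32:
        return None
    return parts[0], parts[3].lower()

def find_reused_hashes(dumps):
    """Map each NT hash shared by accounts on more than one host to its (host, user)
    pairs; the empty-password hash is reported even when seen on a single host."""
    by_hash = defaultdict(list)
    for host, lines in dumps.items():
        for line in lines:
            parsed = parse_dump_line(line)
            if parsed is not None:
                by_hash[parsed[1]].append((host, parsed[0]))
    reused = {}
    for nt_hash, owners in by_hash.items():
        if nt_hash == EMPTY_NT_HASH or len({host for host, _ in owners}) > 1:
            reused[nt_hash] = sorted(owners)
    return reused

if __name__ == "__main__":
    for nt_hash, owners in find_reused_hashes(SAMPLE_DUMPS).items():
        tag = "EMPTY PASSWORD" if nt_hash == EMPTY_NT_HASH else "REUSED"
        print(f"{tag} {nt_hash}: " + ", ".join(f"{h}\\{u}" for h, u in owners))
```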


Q3:
What does CrackMapExec actually do under the hood?

A3:
CrackMapExec makes heavy use of the Impacket library and the PowerSploit Toolkit for working with network protocols and performing a variety of post-exploitation techniques.

In our example below the tool performs the following tasks:

./cme smb 10.0.1.0/24 --local-auth -u cme_users.txt -H cme_hashes.txt

  1. Scans the network 10.0.1.0/24 for systems with SMB (tcp/445) running.
  2. For each detected system, attempts a pass-the-hash (PTH) login with the users (cme_users.txt) and hashes (cme_hashes.txt).
  3. Lists the successful PTH attempts.

Results:


Q4:
With which user did you manage to log in to which target, with what kind of credential (type, and where did you get it from)?

A4:

  1. We got the NTLM hashes from the SAM dump on FS2.
  2. With the local support user we are able to access WS1 using the NTLM hash (password reuse and PTH).

Pwn3d:

PDF Report:
Readme-Step13