Understanding Windows Lateral Movements · 2021. 4. 29.
Understanding Windows
Lateral Movements
ATTL4S & ElephantSe4l
www.crummie5.club
# ATTL4S
• Daniel López Jiménez (a.k.a. ATTL4S)
• Twitter: @DaniLJ94
• GitHub: @ATTL4S
• Youtube: ATTL4S
• Loves Windows and Active Directory security
• Senior Security Consultant at NCC Group
• Associate Teacher at Universidad Castilla-La Mancha (MCSI)
Confs: NavajaNegra, No cON Name, h-c0n, Hack&Beers
Posts: Crummie5, NCC Group’s blog, Hackplayers
Certs: CRTO, PACES, OSCP, CRTE
# ElephantSe4l
• Godlike Programmer and Elephant Seal
• Twitter: @ElephantSe4l
• GitHub: @ElephantSe4l
• Very curious, he enjoys understanding complex and weird things
• Mind behind all the low-level contents of my talks
This has been written by ATTL4S
The goal of this talk is to understand how to perform lateral movement in Windows and Active Directory environments by understanding the art of user impersonation.
[Diagram] Credential theft: UserA on HostA steals UserB's credentials (password, hash or token) and uses them to reach HostB as UserB.
Agenda
1. Ways of Authentication
2. Authentication Packages
3. Logon Sessions
4. Access Tokens
5. User Impersonation
6. Let’s Move
Ways of Authentication
[Diagram] Where accounts live:
• HostA [SAM]: HostA\UserA, HostA\UserB
• HostB: Corp\DomainUserA (a domain account, verified against NTDS on the DC)
• DC [NTDS]: Corp\DomainUserA, Corp\DomainUserB
[SAM]: Local Auth – [NTDS]: Domain Auth
Remote Authentications
• We don’t care about physical (console) authentications
• We care about remote authentications, and they require privileges on the target
• Being a local user in a system doesn’t mean you have privileges (e.g. to log on remotely or run code there)
Reference: Windows Internals, Part 1: User Mode
Authentication Packages
https://support.microsoft.com/en-sg/help/102716/ntlm-user-authentication-in-windows
Local Auth - Msv1_0 (NTLM)
[Diagram] HostA\ATTL4S authenticating to HostA, whose SAM holds the account:
1. Client → HostA: “I’m HostA\attl4s”
2. HostA → Client: Challenge
3. Client → HostA: Challenge “signed” (keyed) with the user’s NT hash
4. HostA: checks the response against the hash stored in the SAM → OK
https://docs.microsoft.com/es-es/windows-server/security/kerberos/kerberos-authentication-overview
Domain Auth – Kerberos SSP/AP*
[Diagram] Corp\ATTL4S authenticates to HostA; the account is verified against NTDS on the DC (with NTLM, HostA forwards the challenge/response to the DC via Netlogon pass-through authentication) and the DC answers OK.
*NTLM still supported by default
[Diagram] From authentication to token on HostA:
• UserA authenticates to HostA, physically or remotely, via NTLM or Kerberos
• The LSA’s authentication package creates a Logon Session and provides the security information
• With that information the LSA creates an access TOKEN: User SID, Logon Session ID, Integrity, Groups, …
Logon Sessions
Logon Sessions
• Logon sessions are created when an authentication is successful (physically or remotely)
• Credentials (if any) are tied to logon sessions
• Two types:
• Interactive / Non-Network
• Non-interactive / Network / Remote
https://docs.microsoft.com/en-us/windows/desktop/secauthn/lsa-logon-sessions
Logon Sessions - Interactive
https://docs.microsoft.com/en-us/windows/desktop/secauthn/lsa-logon-sessions
• The user sends credentials, and they are stored (cached) in lsass.exe
• Typically the auth screen (Winlogon → LogonUI)
Logon Sessions - Network
https://docs.microsoft.com/en-us/windows/desktop/secauthn/lsa-logon-sessions
• The user proves they have credentials but does not send them to the target
• Usually after an interactive authentication, for SSO purposes
Access Tokens
Access Tokens
• When a logon session is created, information is returned to the Local Security Authority (LSA) that is used to create a token
• Each Access Token references a Logon Session
• An access token is a protected object that contains the security context of a user
• Every process of the user will have a copy of the token
• Process/Thread → Token → Logon Session → Credentials
https://docs.microsoft.com/en-us/windows/desktop/secauthz/access-tokens
• User SID
• Groups
• Integrity
• Token type
• Privileges
• Logon Session
• ….
https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-principals
An Access token is not a single thing that represents a user’s identity
• The same user can have different tokens and sessions in different processes/threads
• e.g. UAC (medium and high integrity processes of the same user)
[Diagram] DACL check on Passwords.txt
Object’s Security Descriptor → DACL:
• ACE 1: Access Denied – S-1-5-21-domain-1004 (wint3r) – Read, Write, Execute
• ACE 2: Access Allowed – S-1-5-32-544 (Administrators) – Write
• …
Attl4s’s Process → Access Token → Groups: …, S-1-5-32-544 (Administrators), …
Wint3r’s Process → Access Token → User SID: S-1-5-21-domain-1004
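An added example, not from the slides, that walks the DACL above the way the Windows access check does: ACEs are evaluated in order, a matching deny ACE wins as long as any requested bit is still outstanding, and the matching set is the token’s user SID plus its group SIDs. The SIDs and ACEs are the ones in the diagram; the user SID of Attl4s’s token and the Users group on Wint3r’s token are assumptions, and owner rights, privileges and generic-right mapping are left out of the model.

```python
# Access mask bits for the example (a subset of the real file rights)
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4

ADMINISTRATORS = "S-1-5-32-544"
WINT3R = "S-1-5-21-domain-1004"        # written as on the slide, domain part elided
USERS = "S-1-5-32-545"

# Passwords.txt DACL, in the order shown on the slide (canonical: deny ACEs first)
PASSWORDS_TXT_DACL = [
    {"type": "deny",  "sid": WINT3R,         "mask": READ | WRITE | EXECUTE},   # ACE 1
    {"type": "allow", "sid": ADMINISTRATORS, "mask": WRITE},                    # ACE 2
]

# The parts of an access token the check reads: user SID + group SIDs
ATTL4S_TOKEN = {"user": "S-1-5-21-domain-1105", "groups": {USERS, ADMINISTRATORS}}  # user SID assumed
WINT3R_TOKEN = {"user": WINT3R, "groups": {USERS}}                                  # group assumed
# Same user as wint3r, but this token also carries the Administrators group
WINT3R_ADMIN_TOKEN = {"user": WINT3R, "groups": {USERS, ADMINISTRATORS}}


def access_check(token: dict, dacl, desired: int) -> bool:
    """Walk the DACL the way the kernel's access check does.

    ACEs are evaluated in order. An allowed ACE whose SID is in the token grants
    its bits; a denied ACE whose SID is in the token and overlaps any bit still
    wanted fails the whole request; the walk stops once nothing is outstanding.
    No DACL (None) grants everything, an empty DACL grants nothing. Owner
    rights, privileges (SeBackup, SeTakeOwnership, ...) and generic-right
    mapping are deliberately left out of this model.
    """
    if dacl is None:
        return True
    sids = {token["user"]} | set(token["groups"])
    remaining = desired
    for ace in dacl:
        if remaining == 0:
            break
        if ace["sid"] not in sids:
            continue
        if ace["type"] == "deny" and ace["mask"] & remaining:
            return False
        if ace["type"] == "allow":
            remaining &= ~ace["mask"]
    return remaining == 0


def slide_results() -> dict:
    """The two cases drawn on the slide, plus one showing why ACE order matters."""
    return {
        "attl4s_write": access_check(ATTL4S_TOKEN, PASSWORDS_TXT_DACL, WRITE),
        "attl4s_read": access_check(ATTL4S_TOKEN, PASSWORDS_TXT_DACL, READ),
        "wint3r_read": access_check(WINT3R_TOKEN, PASSWORDS_TXT_DACL, READ),
        # deny first (canonical): the explicit deny on wint3r wins over the Administrators allow
        "wint3r_admin_write_canonical": access_check(WINT3R_ADMIN_TOKEN, PASSWORDS_TXT_DACL, WRITE),
        # allow first (non-canonical): WRITE is granted before the deny ACE is ever reached
        "wint3r_admin_write_reordered": access_check(
            WINT3R_ADMIN_TOKEN, list(reversed(PASSWORDS_TXT_DACL)), WRITE),
    }


if __name__ == "__main__":
    for case, granted in slide_results().items():
        print(f"{case}: {'granted' if granted else 'denied'}")
```

The last two cases are the reason Windows keeps DACLs in canonical order (explicit deny before explicit allow): the same token gets opposite answers depending only on which ACE is met first, which is also why a token picking up an extra group (the whole point of the token games later in the deck) changes what a process can touch.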
Token Types
• Primary Tokens (process tokens)
• Every process has a primary token associated
• When a new process is created, the default action is to inherit the primary token of its parent
• Impersonation Tokens (thread tokens)
• They enable a thread to run in a different security context from the process that owns it
• Usually used in client/server scenarios (e.g. a service impersonating the client that called it)
https://docs.microsoft.com/en-us/windows/desktop/secauthz/access-tokens
https://www.exploit-db.com/papers/13054
Impersonation Tokens
https://es.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
Impersonation Tokens
• Impersonation Tokens have different “impersonation” levels
• Some services may only need to identify usernames
• Other services may need the full security context of a user
• We only care about “fully impersonated” tokens (also called Delegation Tokens)
• Delegation Tokens reference a logon session with credentials in memory
• Created by interactive logons
• Console logons, RunAs, PsExec with the -u flag, RDP… or delegation!
https://docs.microsoft.com/en-us/windows/desktop/secauthz/impersonation-levels
User Impersonation
[Diagram] The same LSA → Logon Session → TOKEN flow for UserA on HostA, now with the attacker’s questions:
• Do I have passwords?
• Do I have hashes?
• Can I manipulate interesting tokens?
Do I Have Passwords?
Runas.exe
• The process created by runas has an access token similar to the one produced by an interactive logon
• Credentials in memory
• Credentials must be verified before creating the process
• Local users are verified through the SAM
• Domain users are verified through NTDS (the DC)
• What happens when credentials can’t be verified? Runas fails
https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithlogonw
• Some Windows tools for remote management just work with SSO authentication
• E.g. sc.exe or schtasks.exe
• Sometimes you know credentials runas can’t verify
• Local users of other systems
• Domain users of non-trusted domains
• What do you do in these cases?
The Netonly Flag
The Netonly Flag
• Tells runas that the specified credentials are for remote access only
• Windows will not validate the credentials (WATCH OUT: a wrong password is accepted silently and only fails later, when a network resource is accessed)
• When you interact with a network resource, Windows will use the credentials referred to by the newly created logon session
• Therefore, the Logon Session will not match the identity of the access token (whoami still shows the original user)
https://blog.cobaltstrike.com/2015/12/16/windows-access-tokens-and-alternate-credentials/
[Diagram] runas /netonly:
1. Windows will create a new logon session with the credentials
2. It will copy the current user’s token and substitute the default logon session for the new one (same User SID, Integrity, Groups, …; only the Logon Session ID changes)
3. The new process will run with this token
The original token keeps referencing the original logon session; the copy references the new one.
Do Your Own Runas
CreateProcessWithLogonW, CreateProcessAsUser, CreateProcessWithTokenW, LogonUserA…
• MSF
  • exploit/windows/local/run_as
  • post/windows/manage/run_as
  • post/windows/manage/run_as_psh
• Cobalt Strike
  • MakeToken
  • RunAs
• Covenant / SharpSploit
  • MakeToken
Do I Have Hashes?
MSV1_0 / NTLM: Pass-the-Hash
PASS-THE-HASH (msv1_0)
1. New logon session
2. Update the credential material (hash) in that logon session (ADMIN: this is a write into lsass.exe memory)
3. Copy (duplicate) the original token and point it to the new logon session
4. Use this new token
5. Runas /netonly but with the hash instead of the password!!
[Diagram] Original Logon Session ← Original TOKEN (User SID, Logon Session ID, Integrity, Groups, …) → Duplicate → new TOKEN with a new Logon Session ID → New Logon Session with hash (msv1_0)
[Diagram] NORMAL: UserA on HostA gives the password Patatas123 → LSASS (msv1_0) → Access
PASS-THE-HASH: UserB on HostA injects the hash BD35111AB3B0D46129EFBDBAB06B49C4 → LSASS (msv1_0) → Access
Benjamin Delpy – “Abusing Microsoft Kerberos. Sorry you guys don’t get it” – Blackhat 2014
KERBEROS SSP/AP: OverPass-the-Hash > Pass-the-Ticket > AskTGT
OVERPASS-THE-HASH (Kerberos SSP/AP)
1. New logon session
2. Update the credential material (NT hash and/or Kerberos KEYS: the NT hash is the RC4-HMAC key, the AES keys are derived from the password) in that logon session (ADMIN: this is a write into lsass.exe memory)
3. Copy (duplicate) the original token and point it to the new logon session
4. Use this new token
5. Runas /netonly but with the hash (or keys) instead of the password!!
[Diagram] Original Logon Session ← Original TOKEN (User SID, Logon Session ID, Integrity, Groups, …) → Duplicate → new TOKEN with a new Logon Session ID → New Logon Session with hash/keys (Kerberos SSP/AP), which the Kerberos package will use to request tickets
[Diagram] NORMAL: UserA on HostA gives the password Patatas123 → LSASS (Kerberos) → AS-REQ/AS-REP and TGS-REQ/TGS-REP with the DC → access
OVERPASS-THE-HASH: UserB on HostA injects the hash BD35111AB3B0D46129EFBDBAB06B49C4 into LSASS (Kerberos) → the same AS-REQ/AS-REP and TGS-REQ/TGS-REP with the DC → access
Benjamin Delpy – “Abusing Microsoft Kerberos. Sorry you guys don’t get it” – Blackhat 2014
PASS-THE-TICKET (Kerberos SSP/AP)
1. Obtain (or create) a TGT/TGS ticket somewhere.
2. Import the ticket through the Kerberos APIs.
3. Profit.
[Diagram] UserB on HostA → ticket imported into LSASS (Kerberos) → TGS-REQ/TGS-REP with the DC
Kerberos LSA API = NO ADMIN ☺ (importing a ticket into your own logon session needs no special privilege)
Benjamin Delpy – “Abusing Microsoft Kerberos. Sorry you guys don’t get it” – Blackhat 2014
ASK-TGT/TGS (Kerberos SSP/AP)
1. Generate legitimate Kerberos traffic.
[Diagram] UserB on HostA talks to the DC directly (AS-REQ/AS-REP, TGS-REQ/TGS-REP) and gets access, without touching LSASS
NO LSASS = NO ADMIN ☺
https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/
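An added example, not from the slides nor from Rubeus/kekeo, of the piece both overpass-the-hash and AskTGT rely on: under RC4-HMAC (RFC 4757) the Kerberos long-term key *is* the NT hash, so whoever holds the hash can produce the PA-ENC-TIMESTAMP pre-authentication of an AS-REQ with no password and, as in the AskTGT case, no LSASS. The block implements RC4-HMAC encryption/decryption with key usage 1, a DER encoder for PA-ENC-TS-ENC and the KDC-side freshness check; the hash (the NT hash of “password” standing in for UserB’s), the timestamps and the 5-minute skew are constructed values, and the AS-REQ framing around the pre-auth is not built.

```python
import hashlib
import hmac
import os
import struct
from datetime import datetime

PA_ENC_TIMESTAMP = 1          # RFC 4120 key usage number for PA-ENC-TIMESTAMP


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 keystream XOR (KSA + PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _usage(usage: int) -> bytes:
    # Key usage as 4-byte little-endian; RC4-HMAC remaps 3->8 and 23->13 (as impacket does)
    return struct.pack("<I", {3: 8, 23: 13}.get(usage, usage))


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes = None) -> bytes:
    """RFC 4757 s.3: out = HMAC-MD5(K1, conf||P) || RC4(K3, conf||P); K1 = HMAC(K, T), K3 = HMAC(K1, cksum)."""
    k1 = hmac.new(key, _usage(usage), hashlib.md5).digest()
    confounder = confounder or os.urandom(8)
    body = confounder + plaintext
    checksum = hmac.new(k1, body, hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    return checksum + rc4(k3, body)


def rc4_hmac_decrypt(key: bytes, usage: int, ciphertext: bytes) -> bytes:
    k1 = hmac.new(key, _usage(usage), hashlib.md5).digest()
    checksum, enc = ciphertext[:16], ciphertext[16:]
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    body = rc4(k3, enc)
    if not hmac.compare_digest(hmac.new(k1, body, hashlib.md5).digest(), checksum):
        raise ValueError("RC4-HMAC checksum mismatch: wrong key or tampered data")
    return body[8:]                                   # drop the confounder


def _der(tag: int, body: bytes) -> bytes:
    assert len(body) < 128                            # short-form length is enough here
    return bytes([tag, len(body)]) + body


def pa_enc_ts_enc(kerberos_time: str, usec: int = 0) -> bytes:
    """PA-ENC-TS-ENC ::= SEQUENCE { patimestamp [0] KerberosTime, pausec [1] Microseconds }"""
    ts = _der(0xA0, _der(0x18, kerberos_time.encode("ascii")))           # GeneralizedTime
    us = _der(0xA1, _der(0x02, usec.to_bytes(usec.bit_length() // 8 + 1, "big")))
    return _der(0x30, ts + us)


def client_preauth(nt_hash: bytes, now: str) -> bytes:
    """What overpass-the-hash / asktgt build: the NT hash is the RC4-HMAC key, no password involved."""
    return rc4_hmac_encrypt(nt_hash, PA_ENC_TIMESTAMP, pa_enc_ts_enc(now))


def kdc_check_preauth(stored_key: bytes, enc_ts: bytes, kdc_now: str, skew_s: int = 300) -> bool:
    """KDC side: decrypt with the account's key and accept only a fresh timestamp."""
    try:
        plain = rc4_hmac_decrypt(stored_key, PA_ENC_TIMESTAMP, enc_ts)
    except ValueError:
        return False
    # plain = 30 len A0 len 18 len <time> ...; pull the GeneralizedTime out
    if plain[:1] != b"\x30" or plain[2:3] != b"\xa0" or plain[4:5] != b"\x18":
        return False
    ts = plain[6:6 + plain[5]].decode("ascii")
    delta = datetime.strptime(ts, "%Y%m%d%H%M%SZ") - datetime.strptime(kdc_now, "%Y%m%d%H%M%SZ")
    return abs(delta.total_seconds()) <= skew_s


# Constructed value: the NT hash of "password" standing in for the dumped hash of UserB.
STOLEN_NT_HASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")


def demo() -> dict:
    kdc_key = STOLEN_NT_HASH                          # NTDS holds the same key for the account
    enc = client_preauth(STOLEN_NT_HASH, "20210429120000Z")
    tampered = enc[:20] + bytes([enc[20] ^ 0x01]) + enc[21:]
    return {
        "fresh": kdc_check_preauth(kdc_key, enc, "20210429120100Z"),
        "stale": kdc_check_preauth(kdc_key, enc, "20210429130000Z"),
        "wrong_key": kdc_check_preauth(bytes(16), enc, "20210429120100Z"),
        "tampered": kdc_check_preauth(kdc_key, tampered, "20210429120100Z"),
    }


if __name__ == "__main__":
    print(demo())
```

Two practical consequences follow from the code. First, an AS-REQ built this way is indistinguishable from a legitimate one except for its encryption type: a domain whose clients normally negotiate AES will show an RC4 pre-auth for this account (event 4768 with ticket encryption type 0x17), which is the usual overpass-the-hash tell and the reason tooling also accepts AES keys. Second, the KDC only checks freshness, so the stolen hash stays usable until the password changes.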
Can I Manipulate Interesting Tokens?
Luke Jennings – “Security Implications of Windows Access Tokens - A Penetration Tester's Guide”
Creating and manipulating logon sessions with passwords/hashes is nice but… what if there is already what we need in the system?
Token Manipulation
• With enough privileges (typically local admin / SYSTEM), we can manipulate any token in the system!
• Recall that credentials are tied to logon sessions
• Non-Network logon → Credentials in lsass.exe
• Network logon → No credentials
• A logon with no creds means a token with no creds
• A token with no creds means a USELESS TOKEN (for moving laterally; locally it still carries the user’s rights)
Jared Atkinson & Robby Winchester – “A Process is No One. Hunting for Token Manipulation” – Blackhat 2017
Token Impersonation / Theft
[Diagram] Token Impersonation / Theft
• An existing Process’s TOKEN (User SID, Logon Session ID, Integrity, Groups, …) references a Logon Session
• DuplicateTokenEx() → a new TOKEN with the same Logon Session ID*
• The duplicate is then used in a New Process or an Existing Thread:
▪ CreateProcessWithTokenW() → Creates a process with the token.
▪ ImpersonateLoggedOnUser() → Assigns a primary or impersonation token to the calling thread
▪ SetThreadToken() → Assigns an impersonation token to a thread
*
Injecting into the Context
[Diagram] Injecting into the Context
• A Process’s TOKEN (User SID, Logon Session ID, Integrity, Groups, …) references a Logon Session
• The Payload is injected* into that Process and uses its token (and therefore its logon session and credentials)
* Any kind of process injection
Let’s Move
Remote Code Execution
• Remote Service Control Manager
• Remote Task Scheduler Service
• Remote Registry
• WS-Man
• DCOM
• WMI
• …
Is anybody awake?
MANY THANKS! Any questions?