Understanding Windows Lateral Movements

The document discusses two security researchers, ATTL4S and ElephantSe4l, who are experts in Windows and Active Directory security. ATTL4S works as a senior security consultant and teaches security courses, while ElephantSe4l is a talented programmer who enjoys understanding complex technical topics. The goal of their talk is to help attendees understand how to perform lateral movements in Windows environments by learning about user impersonation techniques.


Understanding Windows Lateral Movements
ATTL4S & ElephantSe4l
# ATTL4S
• Daniel López Jiménez (a.k.a. ATTL4S)
• Twitter: @DaniLJ94
• GitHub: @ATTL4S
• Youtube: ATTL4S
• Loves Windows and Active Directory security
• Senior Security Consultant at NCC Group
• Associate Teacher at Universidad Castilla-La Mancha (MCSI)

Confs: NavajaNegra, No cON Name, h-c0n, Hack&Beers


Posts: Crummie5, NCC Group’s blog, Hackplayers
Certs: CRTO, PACES, OSCP, CRTE

www.crummie5.club
# ElephantSe4l
• Godlike Programmer and Elephant Seal
• Twitter: @ElephantSe4l
• GitHub: @ElephantSe4l

• Very curious, he enjoys understanding complex and weird things

• Mind behind all the low-level contents of my talks

This has been written by ATTL4S

The goal of this talk is understanding how to perform lateral movements in Windows and Active Directory environments by comprehending the art of user impersonation.

[Diagram: credential theft (Password, Hash, Token). UserA and UserB on HostA; UserB on HostB]

Agenda
1. Ways of Authentication
2. Authentication Packages
3. Logon Sessions
4. Access Tokens
5. User Impersonation
6. Let’s Move

Ways of Authentication

[Diagram: [SAM] = Local Auth, [NTDS] = Domain Auth. HostA holds [SAM] HostA\UserA and [SAM] HostA\UserB; the DC holds [NTDS] Corp\DomainUserA and [NTDS] Corp\DomainUserB (HostA, DC and HostB shown)]

Remote Authentications
• We don’t (usually) care about physical authentications

• We care about remote authentications and they require privileges

• Being a local user in a system doesn’t mean you have privileges

Authentication Packages
(Security Support Providers / SSP)

[Figure: authentication package / SSP architecture (source: Windows Internals, Part 1: User Mode)]
https://ldapwiki.com/wiki/Security%20Support%20Provider%20Interface
Local Authentications - Msv1_0 (NTLM)

[Diagram: HostA\attl4s says “I’m HostA\attl4s”; HostA sends a Challenge; the client returns the Challenge signed with the user’s hash; HostA checks the hash against the SAM and answers OK]

https://support.microsoft.com/en-sg/help/102716/ntlm-user-authentication-in-windows
Domain Authentications – Kerberos AP/SSP*

[Diagram: Corp\ATTL4S authenticates to HostA; HostA passes the authentication through to the DC (Authentication Pass-through, Netlogon), which checks NTDS and answers OK]

*NTLM still supported by default

https://docs.microsoft.com/es-es/windows-server/security/kerberos/kerberos-authentication-overview
[Diagram: UserA authenticates to HostA, physically or remotely; the authentication package (NTLM or Kerberos) provides security information to the LSA, which creates a Logon Session and a TOKEN holding the User SID, Logon Session ID, Integrity and Groups]

Logon Sessions

Logon Sessions
• Logon sessions are created when an authentication is successful (physically or remotely)

• Credentials (if any) are tied to logon sessions

• Two types:
• Interactive / Non-Network
• Non-interactive / Network

https://docs.microsoft.com/en-us/windows/desktop/secauthn/lsa-logon-sessions
Logon Sessions - Interactive
• User sends credentials and they are stored in lsass.exe for later use (SSO)
• Typically when you log in through Windows’ auth screen (Winlogon → LogonUI)

https://docs.microsoft.com/en-us/windows/desktop/secauthn/lsa-logon-sessions
Logon Sessions - Network
• User proves he has credentials but does not send them to the target
• Usually after an interactive authentication (since you have creds cached, you don’t have to specify them again)

https://docs.microsoft.com/en-us/windows/desktop/secauthn/lsa-logon-sessions
Access Tokens

[Diagram: the Logon Session / TOKEN creation figure from the Authentication Packages section, repeated: the authentication package provides security information to the LSA, which creates a Logon Session and a TOKEN (User SID, Logon Session ID, Integrity, Groups)]

Access Tokens
• When a logon session is created, information is returned to the Local Security Authority (LSA) that is used to create an Access Token

• An access token is a protected object that contains the security context of a user
• Every process of the user will have a copy of the token

• Each Access Token references a Logon Session

• Process/Thread → Access Token → Logon Session → Credentials cached

https://docs.microsoft.com/en-us/windows/desktop/secauthz/access-tokens
• User SID
• Groups
• Integrity
• Token type
• Privileges
• Logon Session
• …

https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-principals
Access Tokens (cont.)
An Access Token is not a single thing that represents a user’s identity

• The same user can have different tokens and sessions in different processes/threads

• e.g. UAC (medium and high integrity processes)

https://docs.microsoft.com/en-us/windows/desktop/secauthz/access-tokens
The Purpose
• Access Tokens represent the security context of a user
• SID, privileges, groups he’s a member of, integrity of the associated process…

• Windows uses these tokens for local access control purposes

• Objects have an associated list of access control rules (DACL)
• Processes accessing objects have an associated Access Token

• The information provided by a Token is compared with the rules of an object to determine if access is granted or denied

https://docs.microsoft.com/en-us/windows/desktop/secauthz/access-tokens
[Diagram: Passwords.txt’s Security Descriptor has a DACL with ACE 1: S-1-5-21-domain-1004 (wint3r) → Read, Write, Execute and ACE 2: S-1-5-32-544 (Administrators) → Write. Attl4s’s Process carries an Access Token whose Groups include S-1-5-32-544 (Administrators): Access Denied. Wint3r’s Process carries an Access Token with User SID S-1-5-21-domain-1004: Access Allowed]
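The access check the Passwords.txt diagram illustrates, as an added example that is not from the talk: a simplified model of the ordered DACL walk using the slide's SIDs and ACEs (attl4s's own user SID and the Read/Write/Execute bit values are constructed).

```python
# Added example (not from the talk): a minimal model of the Windows DACL
# access check the slide illustrates, using the slide's SIDs and ACEs.
from dataclasses import dataclass, field

READ, WRITE, EXECUTE = 0x1, 0x2, 0x4   # constructed access-mask bits

@dataclass
class Ace:
    sid: str
    mask: int
    allow: bool = True   # False models an ACCESS_DENIED_ACE

@dataclass
class Token:
    user_sid: str
    groups: set = field(default_factory=set)

    def sids(self) -> set:
        # The user SID and every enabled group SID take part in the check.
        return {self.user_sid} | self.groups

def access_check(token: Token, dacl, requested: int) -> bool:
    """Walk the DACL in order, the way the Security Reference Monitor does.
    A deny ACE for one of the token's SIDs that overlaps any still-requested
    right denies at once (hence deny ACEs are canonically ordered first); an
    allow ACE grants its bits; once every requested bit is granted the walk
    stops. Reaching the end with bits outstanding means access denied.
    No DACL (None) grants everything; an empty DACL grants nothing.
    """
    if dacl is None:
        return True
    remaining = requested
    for ace in dacl:
        if ace.sid not in token.sids():
            continue
        if not ace.allow:
            if ace.mask & remaining:
                return False
        elif (remaining := remaining & ~ace.mask) == 0:
            return True
    return remaining == 0

# Passwords.txt's DACL as drawn on the slide; attl4s's user SID is constructed.
PASSWORDS_TXT_DACL = [
    Ace("S-1-5-21-domain-1004", READ | WRITE | EXECUTE),  # ACE 1: wint3r
    Ace("S-1-5-32-544", WRITE),                          # ACE 2: Administrators
]
WINT3R = Token("S-1-5-21-domain-1004")
ATTL4S = Token("S-1-5-21-domain-1005", {"S-1-5-32-544"})
```

Requesting Read as attl4s is denied because the Administrators ACE only grants Write, which is the outcome the slide draws.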
Token Types
• Primary Tokens (process tokens)
• Every process has a primary token associated
• When a new process is created, the default action is inheriting the primary token of its parent

• Impersonation Tokens (thread tokens)
• They enable a thread to run in a different security context (different token) than the parent process
• Usually used for client and server scenarios

https://docs.microsoft.com/en-us/windows/desktop/secauthz/access-tokens - https://www.exploit-db.com/papers/13054


Impersonation Tokens

https://es.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
Impersonation Tokens
• Impersonation Tokens have different “impersonation” levels
• Some services may only need to identify the username
• Other services may need the full security context of a user

• The resulting Access Token will differ depending on how the service is configured

https://docs.microsoft.com/en-us/windows/desktop/secauthz/impersonation-levels
Impersonation Tokens (cont.)
• An attacker will typically care about “fully impersonated” tokens
• Tokens that could grant local privilege escalation opportunities
• Tokens that could grant lateral movement opportunities for other systems

• The latter ones (lateral movement) are commonly called “Delegation Tokens”

• Delegation Tokens refer to a logon session with credentials in memory that can be used to move laterally to other computers
• Created by interactive logons, console logons, RunAs, PsExec with -u flag, RDP and any credential delegation

https://docs.microsoft.com/en-us/windows/desktop/secauthz/impersonation-levels
User Impersonation

[Diagram: the Logon Session / TOKEN creation figure again, annotated with three questions: Do I have passwords? Do I have hashes / tickets? Can I manipulate interesting tokens?]
Do I Have Passwords?

RunAs.exe
• The process created by RunAs has an access token and logon session similar to the ones created by an interactive logon
• Credentials in memory!

• Credentials must be verified before creating the process
• Local users are verified through SAM
• Domain users are verified through a Domain Controller

• What happens when credentials can’t be verified? - RunAs fails

https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithlogonw
RunAs.exe (cont.)
• Some Windows tools for remote management just work with SSO authentication
• E.g. sc.exe or schtasks.exe

• Sometimes you do possess valid credentials that RunAs cannot verify
• Local users of other systems
• Domain users of non-trusted domains

• What do you do in such cases?

https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithlogonw
The Netonly Flag

The Netonly Flag
• Tells RunAs that the specified credentials are for remote access only

• Windows will not validate the credentials you specify
• Watch out for wrong credentials!

• When you interact with a network resource, Windows will use the credentials referred to by the logon session created

• Therefore, the Logon Session will not match the identity of the access token

https://blog.cobaltstrike.com/2015/12/16/windows-access-tokens-and-alternate-credentials/
[Diagram: 1. Windows creates a new logon session with the credentials specified. 2. The current user’s token (User SID, Logon Session ID, Integrity, Groups), which references the Original Logon Session, is duplicated and its logon session ID substituted with the newer one, so the copy references the New Logon Session. 3. The new process runs with this token]
Your Own Runas
CreateProcessWithLogonW, CreateProcessAsUser, CreateProcessWithTokenW, LogonUserA…

• MSF
• exploit/windows/local/run_as
• post/windows/manage/run_as
• post/windows/manage/run_as_psh

• Cobalt Strike
• MakeToken
• RunAs

• Covenant / SharpSploit
• MakeToken

Do I Have Hashes?

MSV1_0 / NTLM
Pass-the-Hash

PASS-THE-HASH (msv1_0)
1. New logon session
2. Update credential material (hash) in that logon session (ADMIN)
3. Duplicate the original token and refer it to the new logon session
4. Use this new token
5. Runas /netonly but with the hash instead of the password!!

[Diagram: the original TOKEN (User SID, Logon Session ID, Integrity, Groups) references the Original Logon Session; its duplicate references a New Logon Session With Hash (msv1_0)]

[Diagram: NORMAL - UserA on HostA; LSASS (msv1_0) holds the password Patatas123 and its hash BD35111AB3B0D46129EFBDBAB06B49C4; Access. PASS-THE-HASH - UserB on HostA; LSASS (msv1_0) holds only the hash; Access]

Benjamin Delpy – “Abusing Microsoft Kerberos. Sorry you guys don’t get it” – Blackhat 2014
KERBEROS SSP/AP
OverPass-the-hash > Pass-the-Ticket > AskTGT

OVERPASS-THE-HASH (Kerberos SSP/AP)
1. New logon session
2. Update credential (hash and/or KEYS) in that logon session (ADMIN)
3. Duplicate original token and refer it to the new logon session
4. Use this new token
5. Runas /netonly but with the hash instead of the password!!

[Diagram: the original TOKEN (User SID, Logon Session ID, Integrity, Groups) references the Original Logon Session; its duplicate references a New Logon Session With Hash (Kerberos SSP/AP)]

[Diagram: NORMAL - UserA on HostA; LSASS (Kerberos) holds the password Patatas123 and its hash BD35111AB3B0D46129EFBDBAB06B49C4 and exchanges AS-REQ / AS-REP and TGS-REQ / TGS-REP with the DC. OVERPASS-THE-HASH - UserB on HostA; LSASS (Kerberos) holds only the hash/keys and performs the same AS-REQ / AS-REP, TGS-REQ / TGS-REP exchange with the DC]

Benjamin Delpy – “Abusing Microsoft Kerberos. Sorry you guys don’t get it” – Blackhat 2014
PASS-THE-TICKET (Kerberos SSP/AP)
1. Obtain (or forge) a TGT/ST ticket somewhere
2. Import the ticket through Kerberos APIs

[Diagram: PASS-THE-TICKET - UserB on HostA; LSASS (Kerberos) holds the imported ticket, sends TGS-REQ to the DC and receives TGS-REP. Kerberos LSA API = NO ADMIN ☺]

Benjamin Delpy – “Abusing Microsoft Kerberos. Sorry you guys don’t get it” – Blackhat 2014
ASK-TGT/ST (Kerberos SSP/AP)
1. Generate legitimate Kerberos traffic to request either a TGT or ST

[Diagram: ASK-TGT/ST - UserB on HostA exchanges AS-REQ / AS-REP and TGS-REQ / TGS-REP directly with the DC and gets Access. NO LSASS = NO ADMIN ☺]

https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/
Can I Manipulate
Interesting Tokens?

Creating and manipulating logon sessions with passwords/hashes/tickets is nice but… what if there is already what we need in the system?

Luke Jennings – “Security Implications of Windows Access Tokens - A Penetration Tester's Guide”
Token Manipulation
• With privileges, we can manipulate any token in the system!

• Recall that credentials are tied to logon sessions


• Interactive logon → Credentials in lsass.exe
• Network logon → No credentials in lsass.exe (usually)

• Logon with no creds means token with no creds

• Token with no creds means USELESS TOKEN for lateral movement purposes

Jared Atkinson & Robby Winchester – “A Process is No One. Hunting for Token Manipulation” – Blackhat 2017
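The interactive/network split from the Logon Sessions section, the identity mismatch of the Netonly Flag section and the "token with no creds" point above, as one added example that is not part of the talk: it classifies logon sessions from constructed 4624-style records and flags which ones cache credentials in LSASS and which are netonly (logon type 9, NewCredentials). The field names LogonType, TargetLogonId, TargetUserName and TargetDomainName are the real event's; the key=value line format and the sample values are constructed.

```python
# Added example (not from the talk): classify logon sessions from constructed
# 4624-style records. Field names follow the real event (LogonType,
# TargetLogonId, TargetUserName); the key=value line format is constructed.
from dataclasses import dataclass

# Logon types mapped onto the talk's interactive/network split: interactive-style
# logons leave credential material in LSASS, a Network (3) logon normally does not.
LOGON_TYPES = {
    2: ("Interactive", True),
    3: ("Network", False),
    9: ("NewCredentials", True),      # runas /netonly, MakeToken
    10: ("RemoteInteractive", True),  # RDP
    11: ("CachedInteractive", True),
}

@dataclass
class LogonSession:
    logon_id: str
    user: str
    logon_type: int
    creds_in_lsass: bool
    netonly: bool   # token identity differs from the identity used on the network

def parse_4624(line: str) -> LogonSession:
    """Parse one constructed 'EventID=4624 Key=Value ...' record."""
    f = dict(tok.split("=", 1) for tok in line.split())
    if f.get("EventID") != "4624":
        raise ValueError("not a 4624 logon event")
    ltype = int(f["LogonType"])
    _, cached = LOGON_TYPES.get(ltype, ("Unknown", False))
    # Type 9 is what runas /netonly produces: the 4624 still names the caller;
    # the alternate account only appears in the companion 4648 event.
    return LogonSession(f["TargetLogonId"], f["TargetDomainName"] + "\\" + f["TargetUserName"],
                        ltype, cached, ltype == 9)

def sessions_of_interest(lines):
    """Map LogonId -> session for logons that cache credentials or are netonly,
    i.e. the sessions whose tokens are worth something for lateral movement."""
    parsed = (parse_4624(l) for l in lines if l.startswith("EventID=4624"))
    return {s.logon_id: s for s in parsed if s.creds_in_lsass or s.netonly}

SAMPLE_LOG = [  # constructed records, not from a real host
    "EventID=4624 LogonType=2 TargetDomainName=HostA TargetUserName=attl4s TargetLogonId=0x3e7a1",
    "EventID=4624 LogonType=3 TargetDomainName=Corp TargetUserName=svc_backup TargetLogonId=0x5c002",
    "EventID=4624 LogonType=9 TargetDomainName=HostA TargetUserName=attl4s TargetLogonId=0x71b30",
    "EventID=4634 TargetDomainName=Corp TargetUserName=svc_backup TargetLogonId=0x5c002",
]
```

Only the interactive logon and the netonly logon survive the filter; the type 3 network logon of svc_backup is exactly the credential-less session the slide calls useless for lateral movement.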
Token Impersonation / Theft

[Diagram: a Process holds a TOKEN (User SID, Logon Session ID, Integrity, Groups) that references a Logon Session; DuplicateTokenEx() produces a copy of that TOKEN, which is then used by a New Process or an Existing Thread]

▪ CreateProcessWithTokenW() → Creates a process with the token
▪ ImpersonateLoggedOnUser() → Assigns a primary or impersonation token to the calling thread
▪ SetThreadToken() → Assigns an impersonation token to a thread
Injecting into the Context

[Diagram: a Process uses a TOKEN (User SID, Logon Session ID, Integrity, Groups) that references a Logon Session; a Payload is injected into that process (* any kind of process injection)]

Let’s Move

Remote Code Execution
• Remote Service Control Manager
• Remote Task Scheduler Service
• Remote Registry
• WS-Man
• DCOM
• WMI
• …

MANY THANKS!
Any Question?

Is anybody awake?
