CompTIA Pentest+ PT0-002 – Section 16: Post-exploitation Part 2
March 9, 2023

154. Lateral Movement and Pivoting (OBJ 3.7)

Lateral movement and pivoting. If you’ve ever watched American football, you’ve probably seen a lateral pass. Now, a lateral pass occurs when the player tosses the ball to a teammate by throwing it to the side or behind them, and that way you’re moving the ball to another player instead of towards the goal. Now, this doesn’t mean they aren’t still trying to make further progress towards the goal, but at this particular point in the game, it’s more important to get that ball to another player and away from the one who’s holding it, for example the quarterback, because somebody might be trying to tackle them. Now by going laterally, you’re not really making forward progress, but you are getting it to a new position where you can then see if there’s another opportunity to move the ball forward.

If you’re lucky, you may be able to get an additional 5 or 10 yards closer to the goal line, because once you catch that lateral pass, you can turn and start running forward. Now, why am I bringing up this idea of a lateral pass? Well, because it’s very similar to the concept known as lateral movement that an attacker might do inside your network. Now lateral movement is a technique to progressively move through your network, to search for key data and assets that are ultimately the target of the attack campaign. As the attacker does this, they’re trying to search for more and more ways to get to their end goal.

And a lot of times, that just means they’re moving to the side and not forward and deeper into your networks. For example, let’s consider the following network. Let’s say that an attacker got one of your wireless clients and they were able to exploit it. They may have used an exploit or a phishing campaign or something else, but for whatever reason, they now have control of that particular system. Now from that single point, they can start searching out the rest of the network. This is what we’re doing as part of lateral movement. So they start looking at the other clients in the wireless network by doing reconnaissance, and doing port scanning, and doing pinging, and doing all sorts of things like that. And then they might go further, and they go after the backbone switch. And then they start doing reconnaissance against the other switch.

And there we see three more machines and a printer. And then they look and they see a bunch of servers. And as they keep going through and doing this reconnaissance and the searching, they’re doing this as a means of preparing for further movement. This is the whole idea with lateral movement. Now another concept that often comes up when we talk about lateral movement is the concept known as pivoting. Now, pivoting is the use of one infected computer to attack a different computer. Now, this is an important concept because pivoting is going to use the compromised system to attack other systems on the same network, to avoid the restrictions, such as firewall configurations, that prevent them from attacking from the outside directly. Now we’re going to cover more about lateral movement and pivoting as we go through the rest of the lessons in this section. And I want you to keep in mind that oftentimes, although lateral movement and pivoting sound very similar, they are distinctly different. But security professionals will often use them interchangeably. As we go through this section of the course, I am going to use them in their distinct senses: lateral movement meaning moving laterally through the network, and pivoting meaning using a single compromised system to attack other systems on the network.

155. Pass the Hash (OBJ 3.7)

In this lesson, we are going to talk about the pass the hash attack. Now pass the hash is a network-based attack, where the attacker steals hashed user credentials and uses them as-is in order to try to authenticate to the same network that the hashed credentials originate on. Now this is a really complicated way of saying that somebody can steal your password without actually stealing your password, but instead they’re stealing your password hash and they’re using that to authenticate to your network. Now this allows them the possibility of presenting that hash without cracking the original password and still being able to authenticate to network protocols such as SMB or Kerberos on a Windows network.

So how does a pass the hash attack actually work? Well first we have a regular user, in this case our victim, who’s going to log onto a machine. When they do that, the DC, the domain controller, is going to verify that user using Kerberos. This takes their username and their password, or more accurately the hash of their password, and verifies it with the domain controller. Then we have the user that logs on again a second time. And whenever they log in a second time, instead of going back to that domain controller, it just uses the actual cache that’s stored inside the SAM on that workstation.

This is done through Kerberos. So by having that, we don’t have to go back to the domain controller each time. Now in our third step, we have an attacker who’s actually going to gain access to that workstation using some kind of exploit. Now, whatever specific exploit they’re using doesn’t matter here. It’s just that the attacker gains access to that workstation, and once they’re on that workstation, they can dump the SAM, which has those cached credentials stored on that victim’s computer. Now, once the attacker has dumped that SAM, they can use tools to get those hashed credentials and reveal what they are.

Having those hashed credentials, the attacker can then use that hash on another computer, or on that same computer, by logging in as that user. If that computer happens to be part of a domain, they can also use those hashed credentials, which are recognized by Kerberos, on other servers within that domain. And so this is the danger here when we start dealing with pass the hash. Now, pass the hash can be used for lots of different things, but one of the most common things it’s used for is to elevate privileges. This works because a lot of times on those local workstations, the attacker is able to gain local admin privileges, because at some point some admin had logged in locally to that workstation and those credentials are stored inside the SAM that the attacker was able to dump and then gain the credentials from. Now to do this, they’re usually going to use some sort of a tool, because it’s easier to use an automated tool to do this for you.

And as an attacker, one of the most common ones we’re going to use is Mimikatz. Mimikatz is an open source application that allows users to view and save authentication credentials in order to perform pass the hash attacks and other types of attacks like that. Now the way Mimikatz works is to scan the system memory for any cached passwords. All these passwords have been processed by the Local Security Authority Subsystem Service, or lsass.exe. Now once they’ve been stored in this cache memory, Mimikatz can grab those, find those hashes and then pass those to log you into other services. Now Mimikatz has been incorporated into a lot of different penetration testing tools and other tools that attackers use, for example the Metasploit framework, as shown here on the screen. Notice that with one simple command, use post/windows/gather/smart_hashdump, we’re able to run this module against a given target. In this case, it’s going against this Windows machine shown here. It’s going to go through and grab any hashes it finds and dump those to the screen as well as into a file. And in this case, we find the administrator’s hash shown here on the screen.

Now using Mimikatz, we can take that hash and use it to log in as the administrator and perform further actions. Now in addition to using the smart_hashdump module inside of Metasploit, you can also use post/linux/gather/hashdump, post/pro/multi/gather/hashdump and many other Windows gathering modules that focus on domain hashdumps, Microsoft SQL Server hashdumps, Skype hashdumps, Avira hashdumps, McAfee hashdumps and many others. Now once you have those hashes, you’re then going to use some kind of a tool to test their usability, to pass them, or even to crack them using a password attack. This might involve using Metasploit modules like exploit/windows/smb/psexec and auxiliary/scanner/smb/smb_login, or using a password cracking tool like Hydra or Medusa. Remember, passing the hash does not work in all cases, because there are defenses put in place by network defenders to try to prevent these attacks. For example, Windows Defender has Credential Guard, which will try to prevent pass the hash attacks from being successful. If you find that Windows Defender is enabled on a target, you would then have to deal with Windows Defender and turn that off first before being able to do a pass the hash attack. All right, now that we’ve seen how you can use some of the tools to conduct a pass the hash attack, let’s put on our blue team hat for a second and see how we can prevent these from being successful.

Let me give you a quick warning here for the real world. In the real world, you want to make sure that you’re only using your domain administrative accounts to log into domain controllers. This will prevent pass the hash from exploiting your domain, because if you use your domain administrative accounts on a regular workstation, and that workstation is compromised at some point, they can grab your credentials from that workstation and use them across the entire domain. For this reason, again, domain administrative accounts should only be used to log on to your domain controllers. Now you may be wondering, this sounds really bad Jason, but how can I mitigate and defend against a pass the hash attack as a network defender? Well, there’s a couple of things you can do. First, it’s important to remember that detecting these types of attacks is extremely difficult, because the attacker activity cannot easily be differentiated from legitimate authentication: these stolen credentials allow the attackers to use standard authentication mechanisms with valid credentials to log in. This creates audit logs that appear to be legitimate user activity.

And so this is something that is very hard to detect in real time, and instead it is easier to find after the fact when you’re trying to put together your timeline of a breach that’s already occurred. The second thing is that most antivirus and antimalware software is going to help you mitigate this by blocking any tools that allow pass the hash attacks. Things like Mimikatz or the Metasploit framework will all get blocked by most antivirus and antimalware software. Now, even though this is true, some attackers will still try to use these tools, and they’ll try to evade signature detection by doing binary packing and other techniques. But again, these antivirus and antimalware tools should be able to detect most of those tools and try to prevent them from being used on your systems. The third thing to keep in mind is you want to restrict and protect high privileged domain accounts.

As I said, your domain accounts should only be logging onto your domain controllers or specific workstations. By limiting the number of workstations you’re logging onto with those domain accounts, you can protect those credentials and make sure they’re not used in one of these types of attacks. The fourth thing is to restrict and protect local accounts that have administrative privileges. Again, by reducing the number of accounts that have administrator privileges, you end up minimizing the attack surface for a pass the hash attack. And the fifth thing we want to think about is to restrict inbound traffic using the Windows Firewall on all of our workstations, except for specific ones for the helpdesk, security scanners and other servers in your domain. By restricting inbound traffic going towards your workstations from the outside, you can cut off a lot of these attacks before an attacker can get into your system.
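The lesson makes two points a defender can turn into an after-the-fact review of logon records: domain-admin accounts should never be seen logging onto anything but a domain controller, and pass the hash leaves audit entries that each look legitimate on their own, so the pattern only shows up when you line them up on a timeline. The following Python is an added example written for this page, not code from the course or from any tool it names. The record format, host names, account names and the fan-out threshold are all constructed assumptions; the fan-out heuristic itself (one account reaching several distinct hosts from one source in a short window) is this example's, not the lesson's.

```python
"""Audit constructed logon records for the two conditions discussed in the lesson.
Example only: record layout, names and thresholds are assumptions, not real logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, account, source host, target host). Not real logs.
SAMPLE_LOGONS = [
    ("2023-03-09T08:01:00", "CORP\\jdoe",       "WS-101",     "WS-101"),
    ("2023-03-09T08:15:00", "CORP\\da-smith",   "WS-101",     "WS-101"),  # domain admin on a workstation
    ("2023-03-09T09:00:00", "CORP\\da-smith",   "ADMIN-JUMP", "DC01"),
    ("2023-03-09T09:02:10", "CORP\\jdoe",       "WS-101",     "WS-102"),
    ("2023-03-09T09:02:40", "CORP\\jdoe",       "WS-101",     "WS-103"),
    ("2023-03-09T09:03:05", "CORP\\jdoe",       "WS-101",     "FS01"),
    ("2023-03-09T09:03:30", "CORP\\jdoe",       "WS-101",     "SQL01"),
    ("2023-03-09T14:00:00", "CORP\\svc-backup", "BK01",       "FS01"),
]

# Assumed group membership and DC inventory for the constructed environment.
DOMAIN_ADMINS = {"CORP\\da-smith"}
DOMAIN_CONTROLLERS = {"DC01", "DC02"}


def parse(records):
    """Turn the raw tuples into (datetime, account, source, target)."""
    return [(datetime.fromisoformat(ts), acct, src, dst) for ts, acct, src, dst in records]


def admin_logons_off_dc(records, admins=DOMAIN_ADMINS, dcs=DOMAIN_CONTROLLERS):
    """Domain-admin credentials used on a host that is not a DC. Each such event is the
    exposure the lesson warns about: whatever has compromised that host can now dump
    the admin's hash and reuse it across the domain."""
    return [(ts.isoformat(), acct, dst)
            for ts, acct, src, dst in parse(records)
            if acct in admins and dst not in dcs]


def fan_out(records, window=timedelta(minutes=5), threshold=3):
    """Heuristic (this example's assumption, not from the course): one account reaching
    `threshold` or more distinct targets from a single source inside `window` is worth
    a second look, because every individual logon in the set looks legitimate."""
    by_key = defaultdict(list)
    for ts, acct, src, dst in parse(records):
        by_key[(acct, src)].append((ts, dst))
    hits = []
    for (acct, src), events in by_key.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            targets = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(targets) >= threshold:
                hits.append((acct, src, sorted(targets)))
                break  # one finding per (account, source) is enough for a timeline review
    return hits


if __name__ == "__main__":
    for finding in admin_logons_off_dc(SAMPLE_LOGONS):
        print("domain admin off DC:", finding)
    for finding in fan_out(SAMPLE_LOGONS):
        print("fan-out:", finding)
```

Run against the constructed records, the first check flags the 08:15 logon of the domain admin to WS-101, and the fan-out check flags jdoe reaching four hosts from WS-101 in under two minutes; the service account's single logon is not reported. Tune the window and threshold to your own environment before relying on the second check, since legitimate administrators and scanners fan out as well, which is exactly why the lesson says to exempt helpdesk and scanner hosts from the workstation firewall rules.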

156. Golden Ticket (OBJ 3.7)

Golden Ticket. Now, a pass the hash attack will work on local workstations, but if you’re going to be using something in a domain environment, you’re really going to need to attack a Kerberos ticket, because this is what’s used in an Active Directory environment. The pass the hash attack can work on multiple workstations across the domain if those systems have all been logged into by the same user, but if they haven’t, then you’re going to need to work on a golden ticket instead. Now, what is a golden ticket? Well, if you’ve ever read the book “Charlie and the Chocolate Factory” or seen the movie, you’ve probably heard of a golden ticket. Essentially, this was the winning ticket that unlocked privileges to anything you wanted inside their factory. It was essentially a universal skeleton key, and in our networks that’s what a golden ticket is. When I talk about a golden ticket, a golden ticket is a Kerberos ticket that can grant other tickets in an Active Directory environment.

And so it can create keys that allow you to get access to anything you want. Golden tickets can grant administrative access to other domain members and domain controllers within the network. And so they are really, really powerful. Before we talk about exactly how a golden ticket attack works, I think it’s important for us to revisit a key concept about how Kerberos works. Now, this is going to be a very quick review because this is something you should have already learned back in Security+, but I want to provide a quick refresher so you can better understand how this attack works. First, we have something known as a krbtgt hash, which stands for Kerberos ticket-granting ticket hash. Now, this is the trust anchor of Active Directory domains, and it functions like the private key of a root certificate authority. It’s used to generate the ticket-granting tickets that are used by users across the network to access services within Kerberos. Now under Kerberos, a client is generally going to be a user or a service, and they’re going to send a request for a ticket to the KDC, the Key Distribution Center. The KDC will then create this ticket-granting ticket, or TGT, for the client. It’s going to encrypt it using the client’s password as the key and then send the encrypted ticket back to the client. The client will then attempt to decrypt the TGT, the ticket-granting ticket, using the client’s password. If the client is able to successfully decrypt the ticket-granting ticket, this means the client gave the right password, and the decrypted ticket-granting ticket serves as proof of the client’s identity.

Now, the ticket-granting ticket will expire after a certain time, and until then it allows the user to obtain additional tickets whenever they need them and get permission for specific services. The requesting and granting of these additional tickets is considered transparent to the user and happens entirely in the background in these Windows environments. Now, as I said, the Kerberos ticket-granting ticket hash is the trust anchor to this whole thing on the server, as it is what generates the ticket-granting tickets. So if an attacker could compromise that, this whole system could be used to create their own tickets and gain authorization to anything they want. And that’s exactly how a golden ticket attack works. They go after this Kerberos ticket-granting ticket hash. So let’s see how that works. First, how does a golden ticket attack work? The first thing is the attacker is going to try to access the NTDS.DIT file. This file contains the Active Directory data store, and inside of that is the Kerberos ticket-granting ticket hash and all of the hashes for the administrative accounts. Now that the attacker has this NTDS.DIT file, they can dump it and identify the Kerberos ticket-granting ticket hash and those administrative hashes. Once they’ve done that, they can move on to the fun part. And as an attacker, this is going to be really good for them but really bad for our defenders. As defenders, we may identify that a breach has occurred, and we go forward and make everybody with an Active Directory account reset their passwords. But if we don’t reset the Kerberos ticket-granting ticket hash, then the attacker will still have access, and often responders will forget to do this, and this allows attackers to stay in these systems for a really long period of time.

So our attacker, who still has a valid Kerberos ticket-granting ticket hash, can use an exploit module to create a golden ticket for a user in the administrative group. Now that they have that golden ticket created with the Kerberos ticket-granting ticket hash, they are ready to do whatever else they want to do on that system, because the attacker can use that golden ticket to assume an administrative identity. So they can now do follow-on exploitation and do whatever they need to do on that system, or even across the domain, because those tickets work with Kerberos, which works across the domain. Now, for example, they might go ahead and compromise your domain controller. They could log in using that golden ticket and perform PowerShell or command line actions on that server, or whatever bad action they want, using that administrative level of control.

And this is why golden tickets are just so dangerous. So, when you think about golden tickets, I want you to remember that golden tickets allow attackers to laterally move across the entire domain with ease. It is basically a skeleton key that can open any door they want on your network. So, it’s really important that administrators make sure that they reset the Kerberos ticket-granting ticket account password regularly.

This will make sure that if you have been compromised, you can clear out the ability of an attacker to create new golden tickets. Also, if you need to change the Kerberos ticket-granting ticket account password because a breach is suspected, you need to reset that password twice in a short period of time to invalidate the golden ticket. Essentially, you’re going to change the password, reboot the computer, change the password again, and reboot the computer. By doing that, you are revoking all the existing golden tickets and making sure the new ones are being issued with the new password, and that removes any ability of the attacker to use it inside your system anymore.
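To make the Kerberos review from earlier in this lesson and the double-reset advice concrete, here is a toy model written for this page; it is not code from the course, from Mimikatz or from Metasploit, and its sealing routine (keystream XOR plus an HMAC tag) is a stand-in for real Kerberos cryptography, not an implementation of it. It follows the lesson's simplified flow (the KDC sends the TGT back under the client's password-derived key, and the client proves its identity by decrypting it), and it makes one assumption that the lesson's "reset twice" rule relies on: the KDC keeps the current krbtgt key and the previous one, and accepts a ticket sealed with either. That is why a ticket minted with a leaked krbtgt key survives the first reset and dies on the second. Account names and passwords are constructed.

```python
"""Toy model of TGT issuance and of why the krbtgt password must be reset twice.
Constructed example: the 'sealing' here is keystream XOR + HMAC, not Kerberos crypto."""
import hashlib
import hmac
import json
from typing import Optional

TAG_LEN = 32  # bytes of HMAC-SHA256 tag appended to every sealed blob


def derive_key(secret: str) -> bytes:
    """Stand-in for deriving a Kerberos key from a password (the 'hash' the lesson refers to)."""
    return hashlib.sha256(secret.encode()).digest()


def _keystream(key: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """'Encrypt' under key and append a tag, so a wrong key or a tampered blob is detected."""
    body = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, len(plaintext))))
    return body + hmac.new(key, body, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the key does not match (tag mismatch)."""
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        return None
    return bytes(b ^ s for b, s in zip(body, _keystream(key, len(body))))


class KDC:
    """Key Distribution Center holding the user keys and the krbtgt key (the trust anchor)."""

    def __init__(self, users: dict, krbtgt_password: str):
        self.user_keys = {u: derive_key(p) for u, p in users.items()}
        # Model assumption: index 0 is the current krbtgt key, index 1 (after a reset) the previous one.
        self.krbtgt_keys = [derive_key(krbtgt_password)]

    def reset_krbtgt_password(self, new_password: str) -> None:
        """Rotate the trust anchor; the previous key is still honoured until the next reset."""
        self.krbtgt_keys = [derive_key(new_password)] + self.krbtgt_keys[:1]

    def issue_tgt(self, username: str) -> Optional[bytes]:
        """AS exchange as the lesson describes it: the TGT goes back sealed with the client's key."""
        if username not in self.user_keys:
            return None
        claims = json.dumps({"user": username, "admin": username.endswith("-admin")}).encode()
        tgt = seal(self.krbtgt_keys[0], claims)       # only the KDC can mint or read this layer
        return seal(self.user_keys[username], tgt)      # only the real user can open this layer

    def validate_tgt(self, tgt: bytes) -> Optional[dict]:
        """TGS side: accept a TGT sealed with the current or the previous krbtgt key."""
        for key in self.krbtgt_keys:
            claims = unseal(key, tgt)
            if claims is not None:
                return json.loads(claims)
        return None


def client_logon(kdc: KDC, username: str, password: str) -> Optional[bytes]:
    """Client side: ask for a TGT and prove identity by opening it with the password-derived key."""
    blob = kdc.issue_tgt(username)
    return None if blob is None else unseal(derive_key(password), blob)


def stale_ticket_accepted(kdc: KDC, old_krbtgt_password: str) -> bool:
    """Defender check: would a ticket minted under an old (possibly leaked) krbtgt key still validate?"""
    stale = seal(derive_key(old_krbtgt_password), json.dumps({"user": "anyone", "admin": True}).encode())
    return kdc.validate_tgt(stale) is not None


if __name__ == "__main__":
    kdc = KDC({"alice": "Winter2023!", "bob-admin": "Hunter2"}, krbtgt_password="krbtgt-old")
    print(client_logon(kdc, "alice", "wrong"))            # None: wrong password cannot open the TGT
    tgt = client_logon(kdc, "alice", "Winter2023!")
    print(kdc.validate_tgt(tgt))                           # {'user': 'alice', 'admin': False}
    kdc.reset_krbtgt_password("krbtgt-new-1")
    print(stale_ticket_accepted(kdc, "krbtgt-old"))        # True: one reset is not enough
    kdc.reset_krbtgt_password("krbtgt-new-2")
    print(stale_ticket_accepted(kdc, "krbtgt-old"))        # False: the second reset revokes it
```

The second reset also invalidates every legitimately issued TGT that predates it, which is the lesson's point about new tickets being issued under the new password: users simply re-authenticate and receive fresh ones, while anything minted from the leaked key is dead.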
