Windows Post-exploitation refers to the attacker’s actions after the target machine, or its network is compromised. In such a phase, the attacker will try to extend and elevate their access to the target through receiving persistence.
This article will demonstrate how to execute Windows post-exploitation in a Windows environment. To obtain a better understanding, previous articles should be read before the post-exploitation. The relevant links are provided.
Hiding a user
When cyber attackers manage to exploit the target OS, they need to keep a user for persistence. That will enable them to connect to the targeted machine without repeating the process all over again. The attackers can hide their tracks created by a dollar sign ($1). The attacker may cover their tracks by deleting these logs manually.
Although the user may be hidden from listing tools, the hidden user creation can leave tracks in event viewer logs. It will still appear on the operating system’s login screen. The logs generated due to the user’s creation must be manually deleted to ensure the user remains hidden on the system. The attacker’s anonymity can also be compromised if the unknown user is detected.
Net Users is a Windows command that lists or manipulates all user accounts. Windows supports special accounts that can be hidden from view.
Since users can list all the users in the system, a suspicious user account may lead to the attacker’s detection. By appending a dollar sign ($) towards the end of the user’s name, the user can be hidden with the command:
wmic useraccount where name=[username] call rename name=[username]$.
The Registry in the Windows OS is the database that stores all the settings for the operation.
The Registry will contain all the SAM (Security Account Manager) details for general settings like wallpaper. An attacker can perform different actions via the Registry, like disabling the defender or hiding malicious users.
The Registry includes information, configurations, and other values for Windows programs.
After setting the hidden user using the dollar sign ($), the account is still visible on the login screen. The user account can be hidden. Create a new subkey called “SpecialAccounts” from the login screen in the Registry.
User credentials are kept locally in a hashed file in a Windows environment. The attacker has obtained the user’s login information. If the attacker discovers the credentials, they will be able to launch a range of attacks.
In Windows 7, credentials are kept in plain text rather than hashed, like in Windows 8/8.1/10.
SAM (Security Account Manager) is a database storage file that stores user credentials to authenticate local and remote users in a Windows environment.
NTDS.dit is a database file associated with NT Directory Services. Active Directory uses the ntds.dit database to authenticate users in a domain environment.
LSASS (Local Security Subsystem Service) is a process that authenticates Windows users. The process writes to the Windows Security logs and enforces the security regulations of the operating system.
LSASS and SAM
Windows authentication occurs via encrypted NTLM transitions. LSASS looks up users with hashed names and passwords in SAM.
Following authentication, the user’s privileges are reduced, and the user is logged into the system. The system records the authentication procedure as well as login information, including credentials.
After breaking into a system, attackers can crack weak password hashes or use them to pass hash attacks.
What is Mimikatz?
Mimikatz is a popular post-exploitation tool that can dump passwords from memory and user credentials that are stored as hashes and Kerberos tickets. Mimikatz makes post-exploitation lateral movement within a network easier for attackers. Cybercriminals typically use Mimikatz to steal credentials and escalate privileges.
Reading the Memory: By using the TOKEN::Elevate module in Mimikatz, it is possible to elevate privileges to NT-Authority and access and read the memory of LSASS, which runs as a SYSTEM process.
Reading Dump Files: Mimikatz provides the ability to read and analyze LSASS’s memory dumps. It can also analyze data on a remote system.
Window Patching: Mimikatz event patching modules may help attackers cover their tracks and clear logs.
Windows stores passwords in an NTLM hash. Mimikatz enables cyber attackers to pass this hash to the target machine when logging in to the system.
This method does not require the attacker to crack the password since it is possible to use the hash string as it is.
In newer versions of Windows, passwords are stored in a ticket.
By using Mimikatz, it is possible to pass the ticket to the targeted machine and perform the tasks as another user.
This attack usually targets domain environments.
In this cyberattack, the attacker uses the user’s NTLM hash to request tickets from the Kerberos authentication protocol.
This method can be successfully implemented on networks where the NTLM protocol is disabled and Kerberos is the only active authentication protocol.
This cyberattack is similar to pass-the-ticket. However, it uses the encrypted login data of operating systems such as Mac, UNIX, and Linux.
How does Mimikatz work?
Mimikatz can be accessed from the command prompt. Since security measures can detect Mimikatz by default, the tool should be obfuscated. Users must run Mimikatz via the CMD as an administrator to access the memory.
This operation can leave tracks in event viewer logs.
The Privilege::Debug command allows the user to access debugging mode with local administrator privileges. Only local administrators can access the debug mode if the Debug program option in the GPO is not defined. Mimikatz must have access to debug mode to work properly since the tool interacts with processes such as LSASS.
The Token::Elevate command performs privilege escalation on a targeted system or uses the domain admin token by grabbing and impersonating a given token.
If the attacker activates the credentials successfully, data is exported to the host machine. The privilege::debug command is still used initially to gain debugging permissions on the computer.
The token::elevate command is still used to elevate permissions on the SYSTEM. Once the attacker gains all the privileges, the command sekurlsa::logonpasswords is still used to list the user and computer credentials.
Dumping SAM with Mimikatz
The lsadump::sam command enables the attacker to extract the SAM file. The file’s data can be read on any station but not always on the host machine.
It connects to the SAM database and dumps all the credentials of the local users. It requires NT-Authority privileges to dump the credentials.
Dumping LSASS with Mimikatz
Using Mimikatz, it is also possible to dump the LSASS process that stores all the password hashes and Kerberos keys.
The command sekurlsa::logonpasswords lsassDEV DMP is used to dump the LSASS process into a file that contains the user and computer credentials.
PsExec-Dumping the SAM file remotely
PsExec is a Sysinternals Suite application that allows users to run programs on remote computers. PsExec also enables executing commands under NT-Authority permissions.
It is executed using the command. PsExec64.exe -s cmd.exe to gain NT-Authority permissions. The SAM file can be extracted with NT-Authority permissions using these commands:
-reg save hklm\sam c:\sam.hiv
-reg save hklm\system c:\system.hiv
Extracting Mimikatz Output
Mimikatz can extract the data it collects using the log command.
The log command creates a text file that is sent back to the attacker for further analysis and password cracking. The attacker uses the log command to store output data from Mimikatz.
- DPAPI is still used in Chrome cookies and login data, Windows Credential Manager, and Wi-Fi authentication.
- DPAPI: Data Protection API (DPAPI) is a crypto-platform built into Windows and used to encrypt passwords and data blocks. Many platforms use DPAPI, including Google Chrome.
- Master Key: The user’s password is used to create a “master key” that serves as the primary key for decrypting a DPAPI block of data.
- The master keys are located at “C:\Users\<USER>\AppData\Roaming\Microsoft\Protect\<SID>\<GUID>.”
- Master Key Decryption: The master key can be decrypted using the user’s password or the domain backup key, which can also be used to decrypt DPAPI data blobs.
- Chrome: Google Chrome uses DPAPI to store cookies and login data. Cookies in Chrome are stored in an SQLite database.
Mimikatz can parse data stored in the Chrome database. The “Cookies” and “Login Data” files are located at the path shown in the image.
Since Mimikatz can parse the Chrome database, it is possible to export all the usernames and passwords it contains.
Using Mimikatz, it is possible to patch the Event Viewer and delete all the logs without leaving any traces.
The following commands are used to complete the task.
Event::drop-Patches Event Viewer to prevent log creation.
Event::clear-Clears all the logs from the event log.
It is essential to run the commands in the same order they appear above.
The utility may be recognized when attempting to utilize Mimikatz on an antivirus-protected computer.
Disabling the AV may be difficult, and the action may be suspicious. The LSASS dump might be retrieved manually and analyzed at a different station to avoid detection. Mimikatz can be executed without being detected by Windows Defender.
Via Task Manager
The LSASS process can be dumped using a legitimate Windows feature. The Get-Process command displays the process ID used in the file dumping process.
Use PowerShell to dump the LSASS process or any other file. The Get-Process command displays the process ID, which is used in the file dumping process.
Dump via ProcDump
When a network manager disables the option to access the “Temp” folder, and the Mimikatz is blocked, there is another method for dumping files.
ProcDump has the ability to dump a file to many destinations.
The command syntax is: procdump.exe -accepteula -ma lsass.exe [pathoexport+filename].
Loading a Dump
After acquiring a dump file from a secured station, the sekurlsa module can be used to load it into Mimikatz on another machine.
The command sekurlsa::minidump [filename] instructs file instead of the current LSASS process.
Mimikatz can also recover a user’s password if connected via a remote desktop.
Invoke-Mimikatz is a script that loads Mimikatz into the memory.
The script allows attackers to run Mimikatz and execute its commands remotely against multiple computers.
Certutil is a certificate management utility for Windows that allows users to install, back up, delete, and manage certificates.
The tool can be used to download applications and dump certificate-related information. Because Certutil is incorporated into Windows, security protections do not prevent it from downloading.
Password cracking services and dedicated tools can be used to crack weak passwords. Hashkiller is a hash cracking and lookup service that offers efficient and quick results to a huge database, immediate results to large datasets, and fast calculation times.
Hashcat is a popular password cracking program that can crack even the most complex passwords.
Hashvcat is widely regarded as the most powerful and sophisticated password-cracking tool available. The tool can harness CPU and GPU power to accelerate password cracking.
Password spraying compares a single or a short list of regularly used passwords against all users in the domain. In contrast, brute-force assaults aim to guess a given password using different combinations.
The attack can be performed with Hydra, an authentication brute-force tool.
The Hydra command for executing the attack is: hydra -L [Username_list] -P [Password] [Target_IP] [Protocol].
You can use the top VAPT tools to test various items from our articles. Check out this page, which will provide you with all the tools and links in one handy place.