PTT: Double Hop Bypass
The double-hop problem occurs when, for example, a local PowerShell instance is connected via PSRemoting to a remote server, that remote server in turn connects to a target server, and an attempt to execute commands on the target server from within the remote session is rejected: by default the credentials used for the first hop are not delegated to the second hop, so the remote server has nothing to authenticate with to the target. The end goal of this proof-of-concept is to execute a pass-the-ticket attack against an Active Directory domain while being remotely connected to a domain computer with administrator privileges.
- Both machines' IPs are listed in each other's TrustedHosts
- -SkipNetworkProfileCheck is enabled (to allow connection over a public network)
- Proper firewall exceptions are in place on the remote machine
- A domain user is a local administrator on the remote machine
- Credentials for the said domain user are known
- The logon action generates a ticket for the Domain Administrator
- The TGT expires after a definite period of time (6 hours in this case)
- Pass-the-Ticket can be done as long as the TGT hasn't expired yet
Enter a session for the domain user BOSSMANBEN\GConcy, then enter the credentials for BOSSMANBEN\GConcy in the password prompt.
Check for cached tickets using klist. The currently established session doesn't seem to be a recognized session:
Register the current session while inside the PSSession created:
Enter the credentials for BOSSMANBEN\GConcy in the password prompt.
Run klist again:
klist can now check for cached tickets.
Passing exported tickets using Invoke-Mimikatz would throw the same error as the previous klist if a proper session is not configured.
Even if an Administrator ticket was passed successfully, passing commands in to or accessing the Domain Controller would be denied.
The entire session should be restarted with the proper configuration.
Type Restart-Service WinRM, then enter a new PSSession with the registered configuration:
The shell will terminate after restarting the service.
Enter the credentials for BOSSMANBEN\GConcy in the password prompt.
Run klist again:
The session now actually runs as the user BOSSMANBEN\GConcy.
This session eliminates the double-hop problem:
Instead of the local machine sending a request to the remote machine, which then has to reach the server, the local machine is now effectively acting as (impersonating) the remote machine, running as the user BOSSMANBEN\GConcy.
Since the local machine (KALI-WINDOWS) now acts like the remote machine (MSEDGEWIN10), requests sent from the local machine appear to go directly to the Domain Controller (BOSSMANBEN).
The two previous statements matter because the goal of this exploit is to reach the Domain Controller (BOSSMANBEN) from the local machine (KALI-WINDOWS) "without jumping" from the remote machine (MSEDGEWIN10).
Download the exploit to the local machine (KALI-WINDOWS):
Upload Invoke-Mimikatz.powershell to the remote machine (MSEDGEWIN10):
LOCAL MACHINE (KALI-WINDOWS):
PSSession (MSEDGEWIN10):
Dot-source Invoke-Mimikatz to import it:
PSSession (MSEDGEWIN10):
-DisableRealtimeMonitoring $true turns off real-time monitoring so the remote machine does not flag Invoke-Mimikatz.powershell as a malicious script.
Export krbtgt tickets using Invoke-Mimikatz:
PSSession (MSEDGEWIN10):
A krbtgt ticket for the Domain (BOSSMANBEN.LOCAL) Administrator was exported:
View the exported tickets:
Pass the krbtgt ticket:
View the cached tickets using klist:
The current ticket for the session is now Administrator @ BOSSMANBEN.LOCAL, which is a Domain Administrator.
The current PSSession should now be able to impersonate the Domain Administrator.
Check whether the Domain Controller (BOSSMANBEN) is now accessible, then get the Primary Domain Controller for BOSSMANBEN:
List the contents of the file share C$:
The file shares on the Domain Controller (BOSSMANBEN) are now accessible as long as the Domain Controller is accessed using Kerberos authentication.
Commands can also now be executed in the context of the Domain Controller (BOSSMANBEN) using Invoke-Command in PowerShell.
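As an added defensive example that is not part of this write-up, the following Python correlates constructed PowerShell script-block log events (Event ID 4104) and a Windows Defender real-time-protection-disabled event (Event ID 5001) per host, flagging the chain described above: a RunAs session configuration, a WinRM restart, real-time monitoring turned off and Invoke-Mimikatz being loaded. The stage names, sample events, one-hour window and three-stage threshold are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

PS_CHANNEL = "Microsoft-Windows-PowerShell/Operational"             # 4104 = script block logging
DEFENDER_CHANNEL = "Microsoft-Windows-Windows Defender/Operational"  # 5001 = real-time protection disabled

# Stages of the chain, matched against 4104 script-block text (stage names are hypothetical).
STAGES = {
    "runas_session_config": re.compile(r"Register-PSSessionConfiguration\b.*-RunAsCredential", re.I),
    "winrm_restart": re.compile(r"Restart-Service\s+WinRM\b", re.I),
    "defender_rtp_off": re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I),
    "credential_tool_load": re.compile(r"Invoke-Mimikatz", re.I),
}

def ev(host, time, channel, eid, message):
    return {"host": host, "time": time, "channel": channel, "id": eid, "message": message}

# Constructed sample telemetry (not captured from a real host); the last event is benign admin work.
SAMPLE_EVENTS = [
    ev("MSEDGEWIN10", "2021-05-01T10:00:00", PS_CHANNEL, 4104,
       "Register-PSSessionConfiguration -Name GConcy -RunAsCredential BOSSMANBEN\\GConcy -Force"),
    ev("MSEDGEWIN10", "2021-05-01T10:01:10", PS_CHANNEL, 4104, "Restart-Service WinRM"),
    ev("MSEDGEWIN10", "2021-05-01T10:05:30", PS_CHANNEL, 4104, "Set-MpPreference -DisableRealtimeMonitoring $true"),
    ev("MSEDGEWIN10", "2021-05-01T10:05:31", DEFENDER_CHANNEL, 5001, "Real-time protection is disabled."),
    ev("MSEDGEWIN10", "2021-05-01T10:07:00", PS_CHANNEL, 4104, ". .\\Invoke-Mimikatz.powershell"),
    ev("FILESRV01", "2021-05-01T11:00:00", PS_CHANNEL, 4104, "Restart-Service WinRM"),
]

def classify(event):
    # Map one event to a chain stage, or None when it is not part of the chain.
    if event["channel"] == DEFENDER_CHANNEL and event["id"] == 5001:
        return "defender_rtp_off"
    if event["channel"] == PS_CHANNEL and event["id"] == 4104:
        for stage, pattern in STAGES.items():
            if pattern.search(event["message"]):
                return stage
    return None

def correlate(events, window=timedelta(hours=1), min_stages=3):
    # Alert once per host when at least min_stages distinct stages occur within the window;
    # a RunAs session config plus a WinRM restart alone is ordinary second-hop administration.
    by_host = defaultdict(list)
    for event in sorted(events, key=lambda e: e["time"]):
        stage = classify(event)
        if stage:
            by_host[event["host"]].append((datetime.fromisoformat(event["time"]), stage))
    alerts = []
    for host, hits in by_host.items():
        for i, (start, _) in enumerate(hits):
            stages = {s for t, s in hits[i:] if t - start <= window}
            if len(stages) >= min_stages:
                alerts.append({"host": host, "first_seen": start.isoformat(), "stages": sorted(stages)})
                break
    return alerts
```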
| HOSTNAME | MACHINE IP | OS | REMARKS |
|---|---|---|---|
| KALI-WINDOWS | 192.168.150.1 | Windows 10 | An Attacker Machine |
| MSEDGEWIN10 | 192.168.150.128 | Windows 10 Enterprise Evaluation | A Remote Machine; Domain Computer |
| WIN-BO2CT95INDP | 192.168.150.133 | Windows Server 2016 | A Domain Controller |
| USER | MACHINE | PRIVILEGES |
|---|---|---|
| kali-windows | KALI-WINDOWS | Local Administrator |
| BOSSMANBEN\GConcy | MSEDGEWIN10 | Local Administrator; Domain User |
| BOSSMANBEN\Administrator | MSEDGEWIN10 | Domain Administrator |