Here, I demonstrate the use of the Metasploit module psexec, the use of Incognito for token impersonation and launching a shell on the target machine from within a meterpreter session, loading Kiwi, and the use of Metasploit's exploit suggester to suggest other possible exploits while in a meterpreter session. The use of CrackMapExec to pwn machines present on the network will also be demonstrated in this project, along with the use of NTLM relay to capture the hashes of all of the users on the network. There were issues encountered along the way that were solved through PowerShell commands and extra configuration on the machines. This project uses the Windows 11 Pro and Windows Server 2022 configuration and setup from the brief tutorial I provided in the LLMNR/NTB-NS Poisoning in Active Directory Home Lab project. The virtual machine that I added for the new user (Peter) in this project is a Windows 11 Pro virtual machine I used in the Active Directory Home Lab Setup w/PowerShell Script (System Administration) project, which is why I included the disjoining process.
- Use CrackMapExec to pwn all machines on the network.
- Demonstrate the use of Metasploit's psexec module to launch a successful meterpreter shell.
- Use Incognito for token impersonation and to launch a shell on the target machine.
- Join a new virtual machine to the domain and create a new user w/ administrative privileges.
- Retrieve the hashes from all accounts on the network using NTLM relay.
- Windows 11 ISO (https://www.microsoft.com/en-us/software-download/windows11)
- Windows Server 2022 ISO (https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2022)
- VMware (https://www.vmware.com/products/desktop-hypervisor/workstation-and-fusion)
- LLMNR/NTB-NS Poisoning in Active Directory Home Lab
- Active Directory Home Lab Setup w/PowerShell Script(System Administration)
- Kali Linux
- Metasploit
- Impacket/ntlmrelayx.py
- CrackMapExec
- PowerShell
- Active Directory
- I logged into the Windows 11 Virtual Machine.
- Create a “Scans” folder in the C: drive.
- Many users have a “Scans” type of folder on their computer that is accessed either by other users or by the owner’s own account.
- Now, I share that folder out so that it will have SMB access and be accessed by anyone who needs access to the folder.
- Right-click the “Scans” folder, then select “Properties”.
- Next, click the “Sharing” tab at the top and click “Share…”
- Benny is the owner of the Scans folder, as the folder was created on his profile.
- After clicking “Share”, I was prompted to enter an elevated account’s username and password to complete the share.
- After the share, this is the pop-up I received, letting me know that it’s finished.
- Open the Command Prompt as administrator, enter the administrator’s credentials, and click “Yes”.
- I type `net localgroup Administrators "bfranks" /add`. This adds Benny’s account to the local Administrators group for his PC, giving Benny full administrative access.
- Benny has successfully been added to the Administrators group. This can also be verified by: right-clicking the Windows icon on the taskbar > computer management > Computer Management(Local) > System Tools > Local Users and Groups > Groups
- Double click “Administrators”, and this will also reveal the list of Administrators
- Now I have Benny as a local administrator, and a “Scans” share that can be accessed via SMB.
- At this point I restart the Windows 11 Virtual Machine, and log back in as Administrator.
- Once logged in, in the search bar I type: Windows Security. Then click open.
- Click on “Virus & threat protection”.
- Click “Manage Settings”.
- Then turn off “Real-time protection”.
- I’m turning off Windows Virus & threat protection so that I can run exploits on this machine without complications from Windows. This is for project purposes only.
- I also disabled all firewall protection for this machine.
The idea is that, if I am able to access a shared folder as an Administrator or as an account that has execute privileges, I can upload malware and gain a reverse shell.
- Get the IP address from Benny’s Windows 11 Virtual Machine.
- I switch to the Kali Linux Virtual Machine, and start Metasploit.
- I typed `use exploit/windows/smb/psexec` to choose the `exploit/windows/smb/psexec` exploit.
- Next, I open a new tab in the Kali terminal and install CrackMapExec.
- I had to run `apt update` to update the Kali package list so `apt install` can find and download what’s needed.
- Then I ran `apt install crackmapexec` and typed “Y” to continue with the installation.
- After installation, I run `apt list --installed crackmapexec` to confirm successful installation.
- The problem I was having was that CrackMapExec is not picking up the Windows 11 VM, nor am I able to ping it from the Kali machine. I made sure that I turned off virus and threat protection on the Windows 11 VM and CrackMapExec still couldn’t find it.
- My next step is to enable the NetFirewallRule in PowerShell on the Windows 11 machine to allow ping for discoverability, and SMB for CrackMapExec, using `Enable-NetFirewallRule -DisplayGroup "File and Printer Sharing"`.
- I can ping the Windows 11 VM, and CrackMapExec pwned the Windows 11 VM also.
- /24: Used to scan the entire network instead of only one IP Address for one machine
- -u: Username of the account
- -p: Password for the account
- -d: Domain that the accounts are connected to
If you want to disable the NetFirewallRule again: `Disable-NetFirewallRule -DisplayGroup "File and Printer Sharing"`
- When in an environment where I have retrieved credentials for an account, I can take the creds and pass them around to see where I have access to from an SMB perspective. Every place where it says that I have a login, I can try and get a psexec shell set up and use that to access the computer.
- I go back to the Metasploit terminal with psexec. I type `options` to see what parameters need to be set for this exploit to work properly.
- I’ve set RHOSTS (target host), SMBDomain (domain name), SMBPass (user password), and SMBUser (user account name).
- I type `show targets` to reveal the target options.
- For this project, I chose the PowerShell option for the target.
- I type `options` to see that all the parameters that I need filled are filled, and filled correctly.
- After verifying the credentials, I type `run` and press Enter. After many tries, I finally got my meterpreter session up and running.
- I use the `sysinfo` command to find information about the Windows 11 VM that I am accessing, and found out that I have an x86 Meterpreter session on an x64 architecture.
Also, the `getuid` command is used to see which user I currently am on the Windows 11 system that I am accessing. I was SYSTEM for this session, not bfranks, even though I used his credentials to establish this shell.
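The session shows up as SYSTEM because the psexec module authenticates to the admin share and installs a Windows service, which runs as LocalSystem; with the PowerShell target chosen above that service's binary is typically a cmd.exe/powershell.exe command line. On the target this leaves a System log event 7045 ("A service was installed in the system"). The PowerShell below is an added example, not part of this write-up, that scans such events for an interpreter used as a service binary; the function name `Get-SuspiciousServiceInstall` is hypothetical and the sample events are constructed.

```powershell
# Added example (not from the original write-up): flag System/7045 service installs
# whose binary is a command interpreter, the shape a psexec-style install leaves behind.
function Get-SuspiciousServiceInstall {
    param([Parameter(Mandatory)][object[]]$Events)   # objects shaped like Get-WinEvent output
    foreach ($e in $Events) {
        if ($e.LogName -ne 'System' -or $e.Id -ne 7045) { continue }
        # Pull the fields out of the event's message text
        $name = if ($e.Message -match 'Service Name:\s+(\S+)') { $Matches[1] } else { '' }
        $file = if ($e.Message -match 'Service File Name:\s+(.+?)(\r?\n|$)') { $Matches[1] } else { '' }
        $acct = if ($e.Message -match 'Service Account:\s+(\S+)') { $Matches[1] } else { '' }
        $reasons = @()
        if ($file -match '%COMSPEC%|\bcmd\.exe|\bpowershell(\.exe)?\b') { $reasons += 'interpreter as service binary' }
        if ($file -match '\s-(e|ec|enc|encodedcommand)\s') { $reasons += 'encoded PowerShell command line' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Service = $name
                Account = $acct
                Binary  = $file
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

# Constructed sample events (not real log data): a benign install and a psexec-style one.
$sample = @(
    [pscustomobject]@{ LogName = 'System'; Id = 7045; TimeCreated = (Get-Date)
        Message = "A service was installed in the system.`r`n`r`nService Name:  Spooler`r`nService File Name:  C:\Windows\System32\spoolsv.exe`r`nService Type:  user mode service`r`nService Start Type:  auto start`r`nService Account:  LocalSystem" }
    [pscustomobject]@{ LogName = 'System'; Id = 7045; TimeCreated = (Get-Date)
        Message = "A service was installed in the system.`r`n`r`nService Name:  kQzXbWtPqLmn`r`nService File Name:  %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e BASE64_PLACEHOLDER`r`nService Type:  user mode service`r`nService Start Type:  demand start`r`nService Account:  LocalSystem" }
)

# Only the second sample is reported
Get-SuspiciousServiceInstall -Events $sample | Format-List

# On a live host, from an elevated prompt:
# Get-SuspiciousServiceInstall -Events (Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 }) | Format-Table
```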
- Now I background this Meterpreter session by typing `background` in the meterpreter session. The session number for this meterpreter session is 20.
- The payload I’m using is `windows/meterpreter/reverse_tcp`, which is an x86 payload. The goal is to find an x64 payload to use, and gain x64 access on the Windows 11 VM.
- I am backgrounding this Meterpreter session to see if I can find an x64 payload. I type `set payload windows/meterpreter/`, then double-tap the Tab key to reveal the payloads available for windows/meterpreter. There are no available x64 payloads.
- At this point, my meterpreter shell died and I had to establish a new one. I also backgrounded this shell for continuity, and now I am going back into that session.
- Once I’m back in the session, I load a tool called “incognito” by typing `load incognito`, then typing `help` to see the options I have.
- I then typed `list_tokens -u` to see the list of account tokens that I can use to delegate with elevated privileges.
- I chose “JAWUN\bfranks”, as I know this is an account with elevated privileges.
- I use the JAWUN\bfranks delegation token by typing `impersonate_token JAWUN\bfranks`.
- Next, I created a shell using the `shell` command.
- I verified that I was the user bfranks by using the “whoami” command and that I had administrator privileges by viewing the Administrators group.
- I pressed ^C to cancel the shell, and typed `load` then double-tapped Tab to view more extensions for the meterpreter session.
Kiwi is another extension I chose to use in this demonstration.
- I type `load kiwi` to use the kiwi extension.
- There is a difference in architecture, with the Windows machine I’m connected to via the meterpreter being x64 and Kiwi being x86, so some features may not work.
Here, I tried to use Kiwi to dump credentials on the system, but nothing happened because of the x64 and x86 architecture mismatch.
The Metasploit Exploit Suggester is a post-exploitation module that automatically identifies potential local vulnerabilities and suggests relevant Metasploit exploits applicable to a compromised system's platform and architecture without actually running them.
- After canceling Kiwi, I background the meterpreter session and type `use post/multi/recon/local_exploit_suggester` to suggest exploits to use based on the current meterpreter session.
- Using the `options` command, I see that SESSION is the only parameter that needs to be set. I typed `set session 5`, then type `run`, and there is a list of suggested exploits to use for another session.
Process migration in the Meterpreter is the stealthy, in-memory technique of injecting its code from an initial, potentially unstable process into a more stable or privileged running process on a compromised system to maintain access and avoid detection.
- With the Meterpreter session still open, I used the `ps` command to list all of the running processes on the Windows 11 VM.
- I chose svchost.exe, because of the x64 architecture and high privileges.
- After migrating to process 1100, I viewed the sysinfo again and tried to use hashdump, but it failed; it also failed for the other processes I chose.
- Go to Settings and type: Access work or school.
- Click the dropdown of the domain and click “Disconnect”.
- Now I am prompted to enter a local administrator account for this PC or create one. For this project I chose to create one.
- I go to the Accounts tab and click “Other Users”.
- Then click “Add Account” to add another user.
- Click the option “I don’t have this person’s sign-in information”.
- Next, I click “Add user without a Microsoft Account”.
- Now create a name, and password for the user.
- Peter’s account is now located in the Accounts section.
- Make sure to add Peter to the local Administrators group for his machine.
- Go back to Access work or school, and disconnect with the account just created.
- After disjoining, I am prompted to restart the PC.
- I log back in as Peter.
- After logging in, I right-click the Windows icon and click “Computer Management”. Here, I can verify that I am in fact logged in as Peter.
- Go to Windows Server 2022, press Win+R to open the Run console and type `gpmc.msc`.
- Now right-click on “Default Domain Policy” and select edit.
- Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.
- Scroll until you find “Microsoft network client: Digitally sign communications (always)” and “Microsoft network client: Digitally sign communications (if server agrees)”.
- Double-click one of them, select the “Define this policy setting” box and select “Disabled”, then “Apply”.
- Do this for both of the rules, now they are both disabled.
- Now I reboot both the server, and the Win11 machines.
- Next, I connect the Win11 machine to the Windows Server 2022.
- Navigate to “View network status and tasks”.
- Then I click “Change Adapter Settings”.
- Right-click on Ethernet0 and click “Properties”.
- Double-click “Internet Protocol Version 4” and enter the IP address of the Windows Server 2022 machine as the Preferred DNS server (I used 1.1.1.1 as the Alternate DNS server), then click OK.
- Now I go to the Server manager on the Windows Server 2022 machine to add an account for Peter.
- In the Server Manager > tools > Active Directory Users and Computers.
- Click the “Users” folder.
- I right-clicked on a user I previously made (Benny L. Franks) and copied his profile policies for the creation of Peter’s account.
- Click “Copy”.
- Enter the information for Peter’s new account then click Next >.
- Now I have the user Peter’s account ready.
- Go back to Peter’s Windows 11 Machine, go to “Access school or work”, and join the domain using Peter’s account info in the process.
- Click “Join this device to a local Active Directory domain”.
- Enter the name of the domain.
- Enter the username and password of the newly created account.
- I keep Peter as a Standard User, and click Next.
- After adding the account, I am prompted to restart the Windows VM.
- I log back in as the Administrator.
- Now I’m going to make Benny a local administrator for Peter’s computer.
I’m going to demonstrate an environment where they are allowing their users to have some administrative privileges on multiple machines.
- Right-click on the Windows Icon, and click “Computer Management”. System Tools > Local Users and Groups > Groups.
- Double-click “Administrators”.
- Click “Add..” to add a User to the local administrators group for this machine.
- Start typing the name of the user, click “Check Names” to get the user’s username, click Ok.
- Click “Apply”, then Ok.
- I also verified by running `net localgroup Administrators` to see Benny’s username as a local administrator for this PC.
- Go to the C: drive on the file explorer, and create a new folder called “Scans”.
- Now right click on the Scans folder, and click “Properties”.
- Go to the “Sharing” tab, and click “Share…”.
- I typed the username for Benny(bfranks), and clicked “Add” to make the Scans folder available to him and give him Read/Write privileges.
- Click Share.
An NTLM relay attack is a man-in-the-middle technique where an attacker intercepts a victim's legitimate NTLM authentication, transparently forwards it to a target server to gain unauthorized access, and impersonate the victim without needing their password.
- I open a new tab to locate ntlmrelayx.py and cd into the folder.
- I create a file called target.txt using nano to specify Peter’s computer for the captured hashes to relay to.
- Log into Benny’s machine, and navigate to the C: drive in the File Explorer.
- I entered the IP address of my Kali machine in the File Explorer address bar, then pressed Enter. A pop-up appears saying that Windows can’t find the IP address I entered.
- The results from running ntlmrelayx.py.
- I only received a hash for bfranks, but none from any other accounts. I then cancelled ntlmrelayx.py with ^C.
- I go to Peter’s machine, open PowerShell as Administrator, disable SMB signing for this project, and verify that it is disabled.
- I went back to the Kali machine to restart ntlmrelayx.py with target.txt and `-smb2support`.
- I then entered the Kali machine’s IP address in Benny’s File Explorer again and pressed Enter.
- I received the hashes from all of the Users.
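The relay only produced hashes for every user once four conditions held on the hosts: SMB signing was not required (the GPO change on the client side and the PowerShell change on Peter's machine), bfranks was a local administrator on both machines, the Scans share granted write access, and the File and Printer Sharing firewall rules had been enabled for CrackMapExec. The script below is an added example, not part of this write-up, that audits one Windows 11 VM for exactly those conditions; it assumes the lab's share name `Scans` and account `JAWUN\bfranks`, and must run from an elevated PowerShell prompt.

```powershell
# Added example (not from the original write-up): audit one host for the conditions
# the NTLM relay and CrackMapExec steps in this lab depended on. Run elevated.
$ShareName = 'Scans'            # share created on both Windows 11 VMs in this lab
$Account   = 'JAWUN\bfranks'    # domain account made a local admin on both machines
$findings  = @()

# 1. SMB signing. A host whose server side does not require signing accepts relayed
#    authentication; a client that does not require signing can have its own
#    authentication relayed elsewhere. The GPO change above disabled the client side.
$srv = Get-SmbServerConfiguration
$cli = Get-SmbClientConfiguration
if (-not $srv.RequireSecuritySignature) { $findings += 'SMB server does not require signing (can be a relay target)' }
if (-not $cli.RequireSecuritySignature) { $findings += 'SMB client does not require signing (its auth can be relayed)' }

# 2. A domain account that is a local administrator here, which is what lets a
#    relayed session dump the SAM on this host.
$admins = Get-LocalGroupMember -Group 'Administrators'
if ($admins.Name -contains $Account) { $findings += "$Account is in the local Administrators group" }

# 3. Write access on the share.
if (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue) {
    foreach ($ace in Get-SmbShareAccess -Name $ShareName) {
        if ($ace.AccessControlType -eq 'Allow' -and $ace.AccessRight -in 'Full', 'Change') {
            $findings += "share '$ShareName' grants $($ace.AccessRight) to $($ace.AccountName)"
        }
    }
}

# 4. Inbound rules enabled earlier with Enable-NetFirewallRule -DisplayGroup "File and Printer Sharing".
$open = @(Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
          Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' })
if ($open.Count -gt 0) { $findings += "$($open.Count) inbound File and Printer Sharing rule(s) enabled" }

if ($findings.Count -eq 0) { 'No findings' } else { $findings | ForEach-Object { "[!] $_" } }
```

Re-enabling signing with `Set-SmbServerConfiguration -RequireSecuritySignature $true` and `Set-SmbClientConfiguration -RequireSecuritySignature $true` (or re-enabling the two GPO settings) is what makes the relay step fail again.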
For educational and research purposes only.
Do NOT use any code or technique in this repository against systems you do not own or have explicit written permission to test.
Unauthorized use is illegal and may result in criminal charges.
The author(s) are not liable for any misuse or damage caused by this project.