I'm a newbie (a couple of years studying) so forgive my inexperience.
I've set up a network environment at home with 2 Windows 10 machines (default Firewall configuration), version 1809, and one Kali Linux box from which to conduct the attacks.
The network is a home network where the Windows 10 machines are non-domain-joined (workgroups); my objective is to own the 2 Windows machines from inside the LAN, knowing only the credentials of local users (non-RID-500). The RID-500 administrator is disabled by default on the machines.
My objective is to own the boxes through a Meterpreter session (not persistence, just get a shell).
I was thinking this is a good initial scenario to start with, but I am deeply stuck. This is because I want to simulate a stealthy attack taking advantage of the fact of being inside the network, therefore excluding phishing (i.e. payloads sent by email) and physical access.
I am stuck primarily because remote access is impossible for the following reasons:
- Pass-the-hash is not possible with local accounts in non-domain-joined machines, see: https://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/.
- The above is because of the "EnableLUA" setting in the Windows registry, basically preventing me from performing all those remote code execution attacks: https://ptestmethod.readthedocs.io/en/latest/LFF-IPS-P3-Exploitation.html#remote-code-execution-methods
- The RID-500 administrator is disabled by default.
- Remote Desktop (RDP) is disabled by default.
- Powershell Remoting is disabled by default.
- Remote WMI is disabled by default.
- Ports 135, 139 and 445 are opened, but services are not vulnerable (Windows 10 recent build, patched).
Abandoning the remote access route, I looked into ARP poisoning and MITM attacks, but my objective is to get a Meterpreter session, not to sniff or intercept data.
I finally used Beef (https://tools.kali.org/exploitation-tools/beef-xss) and was able to inject the hook on some HTTP traffic, but the Windows machines use an updated Chrome, and no modules in Beef seem to give me a shell.
Is this a situation where the only options left are physical access (i.e. USB Rubber Ducky) or email phishing (file download & execution), or am I missing something basic here?
Thanks to those who will contribute to the discussion!
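The settings listed above are the ones that keep a workgroup Windows 10 box closed to remote logon by default. As an added example, not part of the original question, this PowerShell audit runs locally on such a machine and reports whether each of those defaults (UAC token filtering, LocalAccountTokenFilterPolicy, the RID-500 account, RDP, WinRM, inbound WMI firewall rules) is still in place; the registry paths and cmdlets are standard Windows ones, and the check names are my own.

```powershell
# Added example: local audit of the Windows 10 remote-access defaults named in the post.
# Run in an elevated PowerShell 5.1 session on the machine being checked.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$tsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RegDword($Path, $Name) {
    # Returns $null when the value is absent; for these settings "absent" means the default.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$findings = @()

# UAC must stay on; EnableLUA = 0 switches off the admin token filtering the post relies on.
$enableLua = Get-RegDword $policyKey 'EnableLUA'
$findings += [pscustomobject]@{ Check = 'UAC enabled (EnableLUA)'; Ok = ($enableLua -ne 0); Value = $enableLua }

# LocalAccountTokenFilterPolicy absent or 0: network logons by local admins get a filtered token.
$latfp = Get-RegDword $policyKey 'LocalAccountTokenFilterPolicy'
$findings += [pscustomobject]@{ Check = 'LocalAccountTokenFilterPolicy not 1'; Ok = ($latfp -ne 1); Value = $latfp }

# The built-in RID-500 Administrator should remain disabled.
$rid500 = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
$findings += [pscustomobject]@{ Check = 'RID-500 Administrator disabled'; Ok = (-not $rid500.Enabled); Value = $rid500.Enabled }

# Remote Desktop: fDenyTSConnections = 1 means RDP is off.
$denyTs = Get-RegDword $tsKey 'fDenyTSConnections'
$findings += [pscustomobject]@{ Check = 'Remote Desktop disabled'; Ok = ($denyTs -eq 1); Value = $denyTs }

# PowerShell Remoting rides on the WinRM service; not running means remoting is off.
$winrm = Get-Service -Name WinRM
$findings += [pscustomobject]@{ Check = 'WinRM service not running'; Ok = ($winrm.Status -ne 'Running'); Value = $winrm.Status }

# Remote WMI needs the inbound WMI firewall rules, which are disabled by default.
$wmiRules = Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' -Direction Inbound
$wmiOpen  = @($wmiRules | Where-Object { $_.Enabled -eq 'True' }).Count
$findings += [pscustomobject]@{ Check = 'Inbound WMI firewall rules disabled'; Ok = ($wmiOpen -eq 0); Value = "$wmiOpen enabled" }

$findings | Format-Table -AutoSize
if ($findings.Ok -contains $false) {
    Write-Warning 'One or more remote-access hardening defaults have been changed on this machine.'
}
```

Any row with Ok = False is a default that has drifted, which is exactly the kind of change that would reopen one of the remote paths the post found closed.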