Ways of pwning a Workgroups (non domain-joined) network of patched Windows 10 machines (version 1809)?

Hi All,

I'm a newbie (a couple of years studying) so forgive my inexperience.

I've setup a network environment at home with 2 Windows 10 machines (default Fairwall configuration), version 1809, and one Kali Linux box from which conducting the attacks.

The network is a home network where the Windows 10 machines are non domain-joined (workgroups), my objective is to own the 2 Windows machines from inside the LAN, knowing only the credential of local users (non-RID-500). The RID-500 administrator is disabled by default on the machines.

My objective is to own the boxes through a Meterpreter session (not persistance, just get a shell).

I was thinking this is a good initial scenario to start with, but I am deeply stuck. This because I want to simulate a stealthy attack taking advantage of the fact of being inside the network, therefore excluding pishing (ie payloads sent by email) and physical access.

I am stuck primarly because remote access is impossible for the following reasons:

  1. Pass-the-hash is not possible with local accounts in non-domain-joined machines, see:https://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/.
  2. The above because of the "Enablelua" setting in the Windows registry, basically preventing me to perform all those remote code execution attacks: https://ptestmethod.readthedocs.io/en/latest/LFF-IPS-P3-Exploitation.html#remote-code-execution-methods
  3. The RID-500 administrator is disabled by default.
  4. Remote Desktop (RDP) is disabled by default.
  5. Powershell Remoting is disabled by default.
  6. Remote WMI is disabled by default.
  7. Ports 135, 139 and 445 are opened, but services are not vulnerable (Windows 10 recent build, patched).

Abandoning the remote access route, I looked into ARP poisoning and MITM attacks, but my objective is to get a Meterpreter session, not to sniff or intercept data.

I finally used Beef (https://tools.kali.org/exploitation-tools/beef-xss) and was able to inject the hook on some HTTP traffic, but the Windows machines use an updated Chrome, and no modules in Beef seem to give me a shell.

Is this a situation where the only options left are physical access (ie USB Rubber Ducky) or email pishing (file download & execution), or am I missing something basic here?

Thanks to those who will contribute to the discussion!


Touch here for the full post on Network Security Noblemen tumblr