Getting Access

Hack Responsibly.

Always ensure you have explicit permission to access any computer system before using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.

Lateral Movement

PowerShell Remoting

#Enable PowerShell Remoting on the current machine (needs admin access)
Enable-PSRemoting

#Entering or starting a new PSSession (needs admin access)
$sess = New-PSSession -ComputerName $ComputerName
Enter-PSSession -ComputerName $ComputerName
#-OR- attach to the session object created above
Enter-PSSession -Session $sess

Remote Code Execution with PS Credentials

#Double quotes so the placeholders expand; single quotes would pass the literal text '$Password'
$SecPassword = ConvertTo-SecureString "$Password" -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential("$DomainName\$User", $SecPassword)
Invoke-Command -ComputerName $ComputerName -Credential $Cred -ScriptBlock {whoami /all}

Import a PowerShell module and execute its functions remotely

#Create an authenticated session first (-ComputerName/-Credential and -Session are separate parameter sets and cannot be combined in one Invoke-Command call)
$sess = New-PSSession -ComputerName $ComputerName -Credential $Cred

#Run the module file inside the session; the functions it defines stay available there
Invoke-Command -Session $sess -FilePath $PSModule_FilePath

#Interact with the session
Enter-PSSession -Session $sess

Executing Remote Stateful commands

#Create a new session
$sess = New-PSSession -ComputerName $ComputerName

#Execute command on the session
Invoke-Command -Session $sess -ScriptBlock {$ps = Get-Process}

#Read $ps back to confirm the session keeps state between commands
Invoke-Command -Session $sess -ScriptBlock {$ps}
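The credential and stateful-session snippets above combined into one reusable function, as an added example that is not part of the original notes. It checks that the WinRM listener answers before authenticating, shows that a variable set in one Invoke-Command call is still there in the next, and always removes the session; the host name, user and password are placeholders you supply.

```powershell
# Added example (not from the original notes): credential + stateful PSSession
# pattern wrapped in one function. All parameters are assumed placeholders.
function Invoke-StatefulRemoteDemo {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$User,      # e.g. 'CORP\alice'
        [Parameter(Mandatory)][string]$Password
    )

    # Confirm the WinRM listener is reachable before sending credentials.
    try { Test-WSMan -ComputerName $ComputerName -ErrorAction Stop | Out-Null }
    catch { throw "WinRM not reachable on $ComputerName ($_)" }

    $SecPassword = ConvertTo-SecureString $Password -AsPlainText -Force
    $Cred = New-Object System.Management.Automation.PSCredential($User, $SecPassword)

    $sess = New-PSSession -ComputerName $ComputerName -Credential $Cred -ErrorAction Stop
    try {
        # State set in one Invoke-Command persists for the life of the session.
        Invoke-Command -Session $sess -ScriptBlock { $ps = Get-Process }

        # A second call on the same session reads $ps back.
        $count = Invoke-Command -Session $sess -ScriptBlock { $ps.Count }

        # Runs as the remote user; on the target this shows up as a network logon
        # (Security event 4624, logon type 3) plus WinRM operational log entries.
        $who = Invoke-Command -Session $sess -ScriptBlock { whoami }

        [pscustomobject]@{
            ComputerName = $ComputerName
            RemoteUser   = $who
            ProcessCount = $count
            SessionId    = $sess.Id
        }
    }
    finally {
        # Tear the session down so no idle runspace is left on the target.
        Remove-PSSession -Session $sess
    }
}

# Usage (placeholder values):
# Invoke-StatefulRemoteDemo -ComputerName 'host01' -User 'CORP\alice' -Password 'P@ss'
```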

Useful Tools

Powercat: netcat written in PowerShell; provides tunneling, relay and port-forward capabilities.

SCShell: fileless lateral movement tool that relies on ChangeServiceConfigA to run commands.

Evil-Winrm: the ultimate WinRM shell for hacking/pentesting.

RunasCs: C# and open version of the Windows built-in runas.exe.