Privileged Remote Access
To perform lateral movement, one of the first steps is to determine what type of access the users we control have on other remote hosts. A user could be allowed to execute commands on a remote host via:
SMB
RDP
PowerShell Remoting
MSSQL
Remote Desktop Protocol
In PowerView, this command can be used to enumerate which users and groups can access a host via RDP.
In BloodHound, we can check within the Execution Rights section to enumerate access rights for a user or a group.
It is also possible to use the pre-built queries:
Find Workstations where Domain Users can RDP
Find Servers where Domain Users can RDP
WinRM
Members of the Remote Management Users group are granted the right to execute commands remotely via PowerShell. Again, PowerView can be used to enumerate the users and groups that are members of this group.
In BloodHound, a Cypher query can be used for enumeration:
Establishing a WinRM session - Windows
The commands below will start a remote PowerShell session:
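Since both the RDP section and the WinRM section above boil down to "who is a member of the Remote Desktop Users and Remote Management Users groups on a given host", the following script audits exactly that from the defender's side. It is an added example, not a command from the original notes, PowerView or BloodHound. It assumes the LocalAccounts module is present on the audited hosts (Windows 10 / Server 2016 and later), that WinRM is reachable from the auditing machine, and that the account running it is allowed to query those hosts; the list of "overbroad" principals is a constructed policy choice.

```powershell
# Added audit example (not from the original notes): list which principals hold
# RDP and WinRM access on a set of hosts and flag memberships that hand remote
# access to very broad groups (e.g. "Domain Users" in Remote Desktop Users).
# Assumes: LocalAccounts module on the targets, WinRM reachable, and an account
# permitted to query the local groups on those hosts.

param(
    [Parameter(Mandatory)] [string[]] $ComputerName
)

# Constructed policy: principals that should never hold remote-access rights.
$OverbroadPrincipals = @('Domain Users', 'Authenticated Users', 'Everyone')

# The two local groups that grant RDP and PowerShell Remoting access respectively.
$groups = @('Remote Desktop Users', 'Remote Management Users')

$report = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
    param($groups)
    foreach ($g in $groups) {
        try {
            $members = Get-LocalGroupMember -Group $g -ErrorAction Stop
        } catch {
            # Group missing on this host (e.g. older build): treat as empty.
            $members = @()
        }
        foreach ($m in $members) {
            [pscustomobject]@{
                Group       = $g
                Member      = $m.Name            # DOMAIN\name or HOST\name
                ObjectClass = $m.ObjectClass     # User or Group
                Source      = $m.PrincipalSource # Local, ActiveDirectory, ...
            }
        }
    }
} -ArgumentList (,$groups)   # unary comma passes the array as ONE argument

# PSComputerName is added to every object by Invoke-Command.
$report | Sort-Object PSComputerName, Group, Member |
    Format-Table PSComputerName, Group, Member, ObjectClass, Source -AutoSize

# Findings: memberships that grant remote access to an overbroad principal.
$findings = $report | Where-Object {
    $shortName = ($_.Member -split '\\')[-1]
    $OverbroadPrincipals -contains $shortName
}
if ($findings) {
    Write-Warning "Overbroad remote-access membership found:"
    $findings | Format-Table PSComputerName, Group, Member -AutoSize
}
```

Run it as `.\Audit-RemoteAccess.ps1 -ComputerName srv01,srv02,ws-finance-03` from a host that is itself allowed to use WinRM against those machines. Nested group membership is not expanded here on purpose: a domain group appearing in one of these local groups is already worth reviewing, and expanding it is a separate AD query.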
Establishing a WinRM session - Linux
From Linux, a WinRM session can be established using the tool evil-winrm.
SQL Admin
We might want to look for users or groups that have admin rights over a SQL server.
BloodHound can be used to identify those having privileged rights over a SQL server:
Establishing a SQL session - Windows
PowerUpSQL is a tool that an adversary can use to abuse SQL Server and perform further enumeration. This tool comes with a handy cheat sheet.
For example, we might want to enumerate all SQL servers in the domain we are in:
It is also possible to execute SQL queries as well as operating system commands.
Establishing a SQL session - Linux
From Linux, we can use mssqlclient.py from the Impacket scripts to execute commands remotely on a SQL server.
Authentication against a SQL server
To execute operating system commands via a SQL service, the xp_cmdshell feature needs to be enabled. Only some users are granted this right. If the user we are logged in as is able to execute OS commands, we might want to look into the privileges of that user.
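The two facts in this section, that OS command execution needs xp_cmdshell to be enabled and that only privileged logins can enable it, are what a defender should check on every instance. The script below is an added example (not from the original notes or from PowerUpSQL): it reports the current xp_cmdshell state, lists the logins that hold sysadmin and can therefore switch it on, and optionally disables it. It assumes Windows authentication to the instance and a login permitted to read sys.configurations and sys.server_principals; the `-Disable` switch additionally needs ALTER SETTINGS (i.e. sysadmin).

```powershell
# Added example (not from the original notes or PowerUpSQL): audit xp_cmdshell
# and the sysadmin role on one SQL Server instance, optionally disabling it.
# Assumes Windows authentication and a trusted TLS certificate on the instance.

param(
    [Parameter(Mandatory)] [string] $Instance,   # e.g. 'sql01.corp.local' or 'sql01\INST01'
    [switch] $Disable                             # turn xp_cmdshell off if it is enabled
)

Add-Type -AssemblyName System.Data
$conn = New-Object System.Data.SqlClient.SqlConnection(
    "Server=$Instance;Integrated Security=True;Encrypt=True;TrustServerCertificate=False")
$conn.Open()

function Invoke-Query([string] $Sql) {
    # Runs a SELECT and returns the rows as a DataTable.
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $Sql
    $table = New-Object System.Data.DataTable
    $table.Load($cmd.ExecuteReader())
    return ,$table
}

# xp_cmdshell state: value_in_use = 1 means OS command execution is possible.
$cfg = Invoke-Query "SELECT name, value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell'"
$enabled = ([int]$cfg.Rows[0].value_in_use) -eq 1
$state = if ($enabled) { 'ENABLED' } else { 'disabled' }
Write-Output ("xp_cmdshell on {0}: {1}" -f $Instance, $state)

# Logins that hold sysadmin: the role required to enable xp_cmdshell.
# type S = SQL login, U = Windows login, G = Windows group.
$admins = Invoke-Query @"
SELECT p.name, p.type_desc, p.is_disabled
FROM sys.server_principals AS p
WHERE IS_SRVROLEMEMBER('sysadmin', p.name) = 1
  AND p.type IN ('S', 'U', 'G')
"@
Write-Output "sysadmin members (can enable xp_cmdshell):"
$admins | Format-Table name, type_desc, is_disabled -AutoSize

if ($enabled -and $Disable) {
    # Requires ALTER SETTINGS. 'show advanced options' must be on to change xp_cmdshell.
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = @"
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
"@
    [void]$cmd.ExecuteNonQuery()
    Write-Output "xp_cmdshell has been disabled on $Instance."
}

$conn.Close()
```

Usage: `.\Audit-XpCmdShell.ps1 -Instance sql01.corp.local` to report only, add `-Disable` to remediate. Keep `TrustServerCertificate=False` in the connection string so the audit itself is not talking to a spoofed instance; if the connection fails on the certificate, fix the instance's certificate rather than relaxing that setting. Disabling xp_cmdshell closes the feature but not the underlying problem: every login in the sysadmin list can turn it back on, so that list is the more important output.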