How to run powershell script on target computing due double hopping issues?

Question

How to run powershell script on target computing due double hopping issues?

Asad A 20

I'm using powershell PS-Session to connect from kali (debian) to target system which is server A, on the server A, there is module called PowerSploit installed, and I want to run Get-DomainSID, I'm able to get the SID when I run the command locally, the scripts talks to DC which is server B (domain controller) using ldap filter.

To overcome double-hoping issues I have tested following setups, but fails to provide me desired results.

Case#1

$cred = Get-Credential hacklab.local\administrator [192.168.0.102]: PS C:\Users\administrator\Documents> Invoke-Command -ComputerName attacker-win10 -Credential $cred -ScriptBlock { Invoke-Command -ComputerName hacklab-dc -Credential $Using:cred -ScriptBlock {hostname}}               HACKLAB-DC[192.168.0.102]: PS C:\Users\administrator\Documents> Invoke-Command -ComputerName attacker-win10 -Credential $cred -ScriptBlock { Invoke-Command -ComputerName hacklab-dc -Credential $Using:cred -ScriptBlock {Get-DomainSID}} The term 'Get-DomainSID' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. + CategoryInfo          : ObjectNotFound: (Get-DomainSID:String) [], CommandNotFoundException + FullyQualifiedErrorId : CommandNotFoundException + PSComputerName        : attacker-win10

Case#2

[192.168.0.102]: PS C:\Users\administrator\Documents> Invoke-Command -ComputerName hacklab-dc -ScriptBlock { Register-PSSessionConfiguration -Name Demo -RunAsCredential 'hacklab.local\administrator' -Force }
[hacklab-dc] Connecting to remote server hacklab-dc failed with the following error message : A specified logon session does not exist. It may already have been terminated. For more information, see the about_Remote_Troubleshooting 
Help topic.
    + CategoryInfo          : OpenError: (hacklab-dc:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : 1312,PSSessionStateBroken

on case#2 I get the credentials prompt where I enter the password and it works as expected in both the above cases the commands are failing over PS-SESSION.

remote

──(asad㉿Yah-Aleemo)-[/home/asad]
└─PS> Invoke-Command -Session $offsecsession -ScriptBlock &{Invoke-Command -ComputerName hacklab-dc -Credential hacklab.local\administrator -ScriptBlock &{Get-DomainSID} }                                                                   

Id     Name            PSJobTypeName   State         HasMoreData     Location             Command
--     ----            -------------   -----         -----------     --------             -------
14     Job14           BackgroundJob   Running       True            localhost            Microsoft.PowerShell.Man…
Invoke-Command -ComputerName hacklab-dc -Credential hacklab.local\administrator -ScriptBlock &{Get-DomainSID}

PS> Invoke-Command -Session $offsecsession -ScriptBlock {Receive-job 14}
Receive-Job: The command cannot find a job with the job ID 14. Verify the value of the Id parameter and then try the command again.

2 answers

Your answer

Answer 1

Rich Matheisen 47,901

Get-DomainSID is a function in the module PowerView. Have you installed that module on your target machine (hacklab-dc)?

Asad A 20 Reputation points

2023-05-01T00:31:36.36+00:00

Now, I have installed on server A, I want to run the cmdlet /script from server A
Asad A 20 Reputation points

2023-05-01T00:32:47.03+00:00

No I have installed it on server A I want to run Get-DomainSID from the server A.
Rich Matheisen 47,901 Reputation points

2023-05-01T02:51:19.28+00:00

Your local machine may be named "serverA", but your script blocks run on attacker-win10 and hackerlab-dc.

The only place that Get-DomainSid is used is in the scriptblock that's going to run on the machine hackerlab-dc.
Asad A 20 Reputation points

2023-05-01T08:55:24.2866667+00:00

I have modified the command line please check the original question (at the end). When I do Receive-Job: on both dc and server 2 I'm unable to locate the results

Asad A 20

This is out of get-job

Id     Name            PSJobTypeName   State         HasMoreData     Location             Command
--     ----            -------------   -----         -----------     --------             -------
1      Job1            BackgroundJob   Failed        False           localhost            Microsoft.PowerShell.Man…
4      Job4            BackgroundJob   Failed        False           localhost            Microsoft.PowerShell.Man…

Answer 2

Limitless Technology 44,746

Hi,

I'd be happy to help you out with your question. Sorry for the inconvenience caused.

In your first attempt, you tried to use nested Invoke-Command calls to connect to the target computer and then execute the script. However, it looks like the script was not recognized, as it returned an error saying "The term 'Get-DomainSID' is not recognized as the name of a cmdlet, function, script file, or operable program." This may be because the PowerSploit module is not properly installed on the target computer or it is not in the module path.

In your second attempt, you tried to register a PSSessionConfiguration with the RunAsCredential parameter to use the administrator credentials for authentication. However, this resulted in an error saying "A specified logon session does not exist. It may already have been terminated." This may be because the administrator account does not have the necessary permissions to register a session configuration or there may be issues with the remote server.

I would recommend trying a different approach to resolve the double-hopping issue. One possible solution is to use the CredSSP (Credential Security Support Provider) authentication protocol. This allows you to forward your credentials from the first hop to the second hop, enabling you to authenticate to the target computer.

You can enable CredSSP authentication by running the following command on the first hop computer:

Enable-WSManCredSSP -Role Client -DelegateComputer target_computer_name

Then, on the target computer, you need to run the following command:

Enable-WSManCredSSP -Role Server

After enabling CredSSP authentication, you can use the following command to run the script on the target computer:

Invoke-Command -ComputerName target_computer_name -Authentication Credssp -Credential $cred -ScriptBlock {Get-DomainSID}

If you have any other questions or need assistance with anything, please don't hesitate to let me know. I'm here to help.

If the reply was helpful, please don’t forget to upvote or accept as answer, thank you.

Asad A 20

Thank you , I after connecting to first hop using PS-SESSION run this command

Enable-WSManCredSSP -Role Client -DelegateComputer target_computer_name

With above command in place of target_computer_name I typed the DC IP address (which is my second hop)

Then opening another PS-SESSION on target computer which is domain controller i run the second command as instructed by you.

Enable-WSManCredSSP -Role Server

Both these commands ran successful, now when I run the command from first-hop server


[192.168.0.102]: PS C:\Users\administrator\Documents> Invoke-Command -ComputerName 192.168.0.102 -Authentication credssp -Credential hacklab.local\administrator -ScriptBlock {Get-DomainSID}                                                                              

PowerShell Credential Request: Windows PowerShell credential request
Warning: A script or application on the remote computer 192.168.0.102 is requesting your credentials. Enter your credentials only if you trust the remote computer and the application or script that is        
requesting them.

Enter your credentials.
Password for user hacklab.local\administrator: **********

[192.168.0.100] Connecting to remote server 192.168.0.100 failed with the following error message : The WinRM client cannot process the request. A computer policy does not allow the delegation of the user 
credentials to the target computer. Use gpedit.msc and look at the following policy: Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Allow Delegating Fresh 
Credentials.  Verify that it is enabled and configured with an SPN appropriate for the target computer. For example, for a target computer name "myserver.domain.com", the SPN can be one of the following: 
WSMAN/myserver.domain.com or WSMAN/*.domain.com. For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (192.168.0.100:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : -2144108125,PSSessionStateBroken

I believe in need the GPO as well, is this something I can do it from command line as well. Thank you

Asad A 20 Reputation points

2023-05-05T15:33:22.8266667+00:00

I also did this but doesn't seem to work. I ran this command on DC

winrm set winrm/config/client '@{TrustedHosts="192.168.0.100"}'

Asad A 20

On the first hop i did following commands

Enable-WSManCredSSP -Role client -DelegateComputer *.mydomain.com

$allowed = @('WSMAN/*.mydomain.com')

$key = 'hklm:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
if (!(Test-Path $key)) {
    md $key
}
New-ItemProperty -Path $key -Name AllowFreshCredentials -Value 1 -PropertyType Dword -Force            

$key = Join-Path $key 'AllowFreshCredentials'
if (!(Test-Path $key)) {
    md $key
}
$i = 1
$allowed |% {
    # Script does not take into account existing entries in this key
    New-ItemProperty -Path $key -Name $i -Value $_ -PropertyType String -Force
    $i++
}

Share via

How to run powershell script on target computing due double hopping issues?

2 answers

Your answer