search
TwitterBlog

Lateral Movement

hashtag
Introduction

In this section, you will find some techniques in order to perform lateral movements on Active Directory infrastructuree.

hashtag
Pass The Ticket (PTT)

In the Pass the Ticket technique, an attacker obtains a valid Kerberos ticket-granting ticket (TGT) by stealing it from a user or extracting it from a computer's memory. The attacker can then use this TGT to request additional service tickets without the need for any further authentication.

You can perform this technique with Rubeus.

.\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:<DOMAIN> /username:<USERNAME> /password:FakePass123 /ticket:<TICKET>

Depending on the obtained TGS you, will only be able to perform specific tasks.

hashtag
Tickets - Techniques

Service Type
Required Tickets

Windows File Share (PsExec)

CIFS

LDAP Operations (DSync)

LDAP

WinRM

HOST HTTP WINRM

WMI

HOST RPCSS

Powershell Remoting

HOST HTTP Depending on OS: WSMAN RPCSS

Schedule Taks

Host

Windows Remote Server Administration Tools

RPCSS LDAP CIFS

Golden Tickets

krbtgt

hashtag
Overpass The Hash (OTH)

This technique allows a user to request a Kerberos TGT using its NTLM or AES/RC4 hash.

  • Alternative 1 - Without HIGH privileges

  • Alterntative 2 - Requires HIGH privileges

Then, you can use PsExec to access the machine, if the user has administrator privileges.

ℹ️The -s argument is to upgrade to "nt authority\system", but it will only work if you are going to connect as a highly privileged user.

hashtag
S4U2Self Abuse (Constrained Delegation)

The exploitation is seen on the Kerberos exploitation phase.

hashtag
Alternate Service Name (Constrained Delegation)

The exploitation is seen on the Kerberos exploitation phase.

hashtag
References

Last updated