search

person-through-windowWindows Lateral Movement

hashtag
1. Pass the Hash (PtH) Attack

hashtag
Core Concept

  • Technique using password hash instead of plaintext password for authentication

  • No need to decrypt the hash

  • Exploits authentication protocol where hash remains static until password change

hashtag
Windows NTLM Authentication Key Points

  • Challenge-response authentication protocol

  • Still common despite known flaws (legacy compatibility)

  • No password salting = vulnerability to PtH attacks

hashtag
Requirements

  • Administrative privileges/specific privileges on target

  • Ways to obtain hashes:

    • Dumping local SAM database

    • Extracting from NTDS database (ntds.dit) on Domain Controller

    • Pulling from memory (lsass.exe)

hashtag
Attack Methods & Tools

hashtag
1. Mimikatz (Windows)

Required parameters:

  • /user - Target username

  • /rc4 or /NTLM - NTLM hash

  • /domain - Domain name (use computer name/localhost/. for local)

  • /run - Program to execute (default: cmd.exe)

hashtag
2. PowerShell Invoke-TheHash

hashtag
3. Impacket (Linux)

hashtag
4. CrackMapExec (Linux)

hashtag
5. Evil-WinRM (Linux)

hashtag
6. RDP Pass the Hash (Linux)

hashtag
Important PtH Considerations

  • UAC limits PtH for local accounts

  • LocalAccountTokenFilterPolicy affects remote admin capabilities:

    • 0 = only built-in admin (RID-500)

    • 1 = all local admins

  • Domain accounts with admin rights bypass these restrictions

hashtag
2. Windows Pass the Ticket (PtT) Attack

hashtag
Overview

  • Definition: A PtT attack leverages stolen Kerberos tickets (TGT or TGS) to move laterally in an Active Directory (AD) environment

  • Purpose: Exploits Kerberos authentication mechanisms without requiring NTLM password hashes or plaintext credentials

hashtag
Kerberos Protocol Fundamentals

hashtag
Key Concepts

  1. Ticket-Based Authentication:

    • Designed to minimize password sharing across services

    • Tickets authenticate users without transmitting passwords

  2. Kerberos Components:

    • TGT (Ticket Granting Ticket): Obtained after initial authentication; used to request service tickets (TGS)

    • TGS (Ticket Granting Service): Grants tickets for accessing specific services

hashtag
Ticket Harvesting Tools

hashtag
1. Mimikatz

hashtag
2. Rubeus

hashtag
Lateral Movement Techniques

hashtag
PowerShell Remoting

hashtag
3. Linux Pass the Ticket (PtT) Attack

hashtag
Key Linux Kerberos Attack Concepts

  • Leveraging Kerberos tickets on Linux machines integrated with Active Directory

  • Ticket storage in keytab or ccache files

  • Often located in /tmp directory or /etc/krb5.keytab

hashtag
Attack Methodology

hashtag
Ticket Discovery

hashtag
User Impersonation

hashtag
Additional Attack Techniques

hashtag
Post-Exploitation

  • Check sudo privileges with sudo -l

  • Use tools like Linikatz for credential extraction

  • Potential privilege escalation paths

hashtag
Mitigation Strategies

  • Implement strong password policies

  • Use Multi-Factor Authentication (MFA)

  • Limit administrative privileges

  • Regularly update and patch systems

  • Monitor and log authentication events

  • Use advanced endpoint protection

PreviousLinux Local Password AttacksNextFiles & Archives Cracking