Lateral Movement — From Kali

Quick Reference

| Technique | Tool | Auth Type | Notes |
|---|---|---|---|
| Pass-the-Hash | psexec.py, wmiexec.py, nxc | NTLM hash | No plaintext needed |
| Pass-the-Ticket | psexec.py -k, wmiexec.py -k | Kerberos ccache | Set KRB5CCNAME first |
| Evil-WinRM | evil-winrm | Password / Hash / Ticket | WinRM port 5985/5986 |
| WMI Execution | wmiexec.py | Password / Hash | Output shown, less noisy |
| DCOM Execution | dcomexec.py | Password / Hash | Multiple COM objects |
| RDP PtH | xfreerdp /pth | NTLM hash | Requires Restricted Admin mode |
| SMB Exec | psexec.py, smbexec.py | Password / Hash | Different noise levels |
| Proxychains | proxychains + any tool | Any | Internal network pivoting |

Pass-the-Hash (PtH) from Linux

Concept

NTLM authentication does not require knowledge of the plaintext password — it only requires the NT hash. The NT hash is the MD4 hash of the Unicode password, and it is used directly in the NTLM challenge-response exchange. A valid NT hash is sufficient to authenticate against any service using NTLM. ...

13 min · MrAzoth

Lateral Movement — From Windows

Quick Reference

| Technique | Tool | Requirement |
|---|---|---|
| Pass-the-Hash (PtH) | Mimikatz, Invoke-TheHash, PsExec | Local Admin / NTLM hash |
| Pass-the-Ticket (PtT) | Rubeus, Mimikatz | Valid Kerberos ticket (.kirbi / base64) |
| Overpass-the-Hash | Mimikatz, Rubeus | NTLM or AES256 hash |
| WMI Exec | PowerShell WMI, wmic, SharpWMI | Local Admin on target |
| DCOM Exec | PowerShell COM objects | Local Admin / DCOM permissions |
| PowerShell Remoting | Enter-PSSession, Invoke-Command | WinRM enabled, appropriate rights |
| PsExec | Sysinternals PsExec | Local Admin, ADMIN$ writable |
| Remote Service | sc.exe | Local Admin on target |
| Scheduled Task | schtasks.exe | Local Admin / valid credentials |
| Token Impersonation | Incognito, Invoke-TokenManipulation | SeImpersonatePrivilege |
| RDP | mstsc, tscon | RDP enabled, valid credentials or SYSTEM |

Pass-the-Hash (PtH)

Pass-the-Hash abuses the NTLM authentication protocol by presenting a captured password hash directly instead of the cleartext password. The target authenticates the hash without needing the plaintext credential. ...

10 min · MrAzoth