https://az0th.it/tags/lateral-movement/ Recent content in Lateral-Movement on MrAzoth Hugo -- 0.154.5 en-us https://az0th.it/ad/kali/lateral-movement/ Mon, 01 Jan 0001 00:00:00 +0000 https://az0th.it/ad/kali/lateral-movement/ <h2 id="quick-reference">Quick Reference</h2> <table> <thead> <tr> <th>Technique</th> <th>Tool</th> <th>Auth Type</th> <th>Notes</th> </tr> </thead> <tbody> <tr> <td>Pass-the-Hash</td> <td>psexec.py, wmiexec.py, nxc</td> <td>NTLM hash</td> <td>No plaintext needed</td> </tr> <tr> <td>Pass-the-Ticket</td> <td>psexec.py -k, wmiexec.py -k</td> <td>Kerberos ccache</td> <td>Set KRB5CCNAME first</td> </tr> <tr> <td>Evil-WinRM</td> <td>evil-winrm</td> <td>Password / Hash / Ticket</td> <td>WinRM port 5985/5986</td> </tr> <tr> <td>WMI Execution</td> <td>wmiexec.py</td> <td>Password / Hash</td> <td>Output shown, less noisy</td> </tr> <tr> <td>DCOM Execution</td> <td>dcomexec.py</td> <td>Password / Hash</td> <td>Multiple COM objects</td> </tr> <tr> <td>RDP PtH</td> <td>xfreerdp /pth</td> <td>NTLM hash</td> <td>Requires Restricted Admin mode</td> </tr> <tr> <td>SMB Exec</td> <td>psexec.py, smbexec.py</td> <td>Password / Hash</td> <td>Different noise levels</td> </tr> <tr> <td>Proxychains</td> <td>proxychains + any tool</td> <td>Any</td> <td>Internal network pivoting</td> </tr> </tbody> </table> <hr> <h2 id="pass-the-hash-pth-from-linux">Pass-the-Hash (PtH) from Linux</h2> <h3 id="concept">Concept</h3> <p>NTLM authentication does not require knowledge of the plaintext password — it only requires the NT hash. The NT hash is the MD4 hash of the Unicode password, and it is used directly in the NTLM challenge-response exchange. A valid NT hash is sufficient to authenticate against any service using NTLM.</p> https://az0th.it/ad/windows/lateral-movement/ Mon, 01 Jan 0001 00:00:00 +0000 https://az0th.it/ad/windows/lateral-movement/ <h2 id="quick-reference">Quick Reference</h2> <table> <thead> <tr> <th>Technique</th> <th>Tool</th> <th>Requirement</th> </tr> </thead> <tbody> <tr> <td>Pass-the-Hash (PtH)</td> <td>Mimikatz, Invoke-TheHash, PsExec</td> <td>Local Admin / NTLM hash</td> </tr> <tr> <td>Pass-the-Ticket (PtT)</td> <td>Rubeus, Mimikatz</td> <td>Valid Kerberos ticket (.kirbi / base64)</td> </tr> <tr> <td>Overpass-the-Hash</td> <td>Mimikatz, Rubeus</td> <td>NTLM or AES256 hash</td> </tr> <tr> <td>WMI Exec</td> <td>PowerShell WMI, wmic, SharpWMI</td> <td>Local Admin on target</td> </tr> <tr> <td>DCOM Exec</td> <td>PowerShell COM objects</td> <td>Local Admin / DCOM permissions</td> </tr> <tr> <td>PowerShell Remoting</td> <td>Enter-PSSession, Invoke-Command</td> <td>WinRM enabled, appropriate rights</td> </tr> <tr> <td>PsExec</td> <td>Sysinternals PsExec</td> <td>Local Admin, ADMIN$ writable</td> </tr> <tr> <td>Remote Service</td> <td>sc.exe</td> <td>Local Admin on target</td> </tr> <tr> <td>Scheduled Task</td> <td>schtasks.exe</td> <td>Local Admin / valid credentials</td> </tr> <tr> <td>Token Impersonation</td> <td>Incognito, Invoke-TokenManipulation</td> <td>SeImpersonatePrivilege</td> </tr> <tr> <td>RDP</td> <td>mstsc, tscon</td> <td>RDP enabled, valid credentials or SYSTEM</td> </tr> </tbody> </table> <hr> <h2 id="pass-the-hash-pth">Pass-the-Hash (PtH)</h2> <p>Pass-the-Hash abuses the NTLM authentication protocol by presenting a captured password hash directly instead of the cleartext password. The target authenticates the hash without needing the plaintext credential.</p>