https://az0th.it/tags/pass-the-ticket/ Recent content in Pass-the-Ticket on MrAzoth Hugo -- 0.154.5 en-us https://az0th.it/ad/windows/lateral-movement/ Mon, 01 Jan 0001 00:00:00 +0000 https://az0th.it/ad/windows/lateral-movement/ <h2 id="quick-reference">Quick Reference</h2> <table> <thead> <tr> <th>Technique</th> <th>Tool</th> <th>Requirement</th> </tr> </thead> <tbody> <tr> <td>Pass-the-Hash (PtH)</td> <td>Mimikatz, Invoke-TheHash, PsExec</td> <td>Local Admin / NTLM hash</td> </tr> <tr> <td>Pass-the-Ticket (PtT)</td> <td>Rubeus, Mimikatz</td> <td>Valid Kerberos ticket (.kirbi / base64)</td> </tr> <tr> <td>Overpass-the-Hash</td> <td>Mimikatz, Rubeus</td> <td>NTLM or AES256 hash</td> </tr> <tr> <td>WMI Exec</td> <td>PowerShell WMI, wmic, SharpWMI</td> <td>Local Admin on target</td> </tr> <tr> <td>DCOM Exec</td> <td>PowerShell COM objects</td> <td>Local Admin / DCOM permissions</td> </tr> <tr> <td>PowerShell Remoting</td> <td>Enter-PSSession, Invoke-Command</td> <td>WinRM enabled, appropriate rights</td> </tr> <tr> <td>PsExec</td> <td>Sysinternals PsExec</td> <td>Local Admin, ADMIN$ writable</td> </tr> <tr> <td>Remote Service</td> <td>sc.exe</td> <td>Local Admin on target</td> </tr> <tr> <td>Scheduled Task</td> <td>schtasks.exe</td> <td>Local Admin / valid credentials</td> </tr> <tr> <td>Token Impersonation</td> <td>Incognito, Invoke-TokenManipulation</td> <td>SeImpersonatePrivilege</td> </tr> <tr> <td>RDP</td> <td>mstsc, tscon</td> <td>RDP enabled, valid credentials or SYSTEM</td> </tr> </tbody> </table> <hr> <h2 id="pass-the-hash-pth">Pass-the-Hash (PtH)</h2> <p>Pass-the-Hash abuses the NTLM authentication protocol by presenting a captured password hash directly instead of the cleartext password. The target authenticates the hash without needing the plaintext credential.</p>