This table summarizes a Windows lateral movement cheat sheet, listing each technique, a short description, and the tools or commands used for it. It can serve as a reference for those who want to learn more about Windows lateral movement and how to prevent it.

| Technique | Description | Command |
|---|---|---|
| Lateral Movement Enumeration | Enumerate paths and targets for lateral movement | PowerView, BloodHound |
| Kerberoasting | Exploit Kerberos to obtain TGS tickets | GetUserSPNs, Rubeus |
| AS-REP Roasting | Exploit AS-REP to obtain TGT tickets | GetNPUsers, Rubeus |
| Token Manipulation | Manipulate access tokens to gain privileges | Incognito, Rubeus |
| Lateral Movement with Rubeus | Use Rubeus to move laterally | asktgt, asktgs |
| Lateral Movement with Mimikatz | Use Mimikatz to move laterally | Pass-The-Ticket, Pass-The-Hash |
Table of Contents
Introduction to Lateral Movement Cheat Sheets
What are Lateral Movement Cheat Sheets?
Today, let’s dive into something super important yet often overlooked – lateral movement cheat sheets. Now, what are these, you ask? Imagine them as your roadmap, detailing paths and techniques to navigate the complex network architectures, especially in Windows environments. They are a compendium of strategies and tactics, a blend of art and science, aimed at one thing – enumeration and system penetration.
Imagine a scenario where you’ve just breached the perimeter of a Windows environment, courtesy of Active Directory exploitation, but wait – there’s more to conquer. This is where the magic of lateral movement cheat sheets comes into play.
For instance, the Active Directory Exploitation Cheat Sheet available on platforms like GitHub is a treasure trove of commands, scripts, and methodologies. It’s akin to a magical book, leading the wielder through the intricate corridors of Windows security, laying bare secrets embedded deep within systems.
Why are they Important for Windows Security?
If I had a dime for every time someone underestimated the power of enumeration in a Windows environment, I’d be sailing in the Bahamas right now. But jokes aside, these cheat sheets are gold. They arm you with the knowledge needed to meticulously enumerate, identify, and exploit vulnerabilities in systems. It’s like being a detective and a wizard at the same time, finding and exploiting (responsibly, of course) every nook and cranny.
One of the big bad wolves in Windows security is Kerberos, a network authentication protocol designed to provide strong authentication for user and machine accounts. However, it’s not immune to exploitation. For example, tools like Rubeus have made it simple to request TGS tickets for enumerated SPNs, which in turn exposes information about the service accounts behind them.
Now, combine this with the almighty power of constrained delegation and unconstrained delegation. The former allows a service to impersonate users and authenticate to a defined set of other services on their behalf, while the latter is like handing over the keys to the kingdom: it allows the service to impersonate users to any service. Scary, isn’t it?
How Can They Help with Post-Exploitation?
Post-exploitation is like the dessert after a great meal – it’s where you reap the rewards of all the hard work. After initial access, the next steps are all about digging deeper, getting that sweet, sweet privilege escalation, and achieving domain dominance. In the world of Windows, this is where terms like domain admin and local admin become your bread and butter.
Using a tool like Mimikatz, you can dump LSASS memory to obtain plaintext passwords, NTLM hashes, and Kerberos tickets, while PowerView covers the enumeration side. Ever heard of pass-the-hash or pass-the-ticket attacks? Yep, that’s what we’re talking about here. You get to use these stolen credentials to authenticate and potentially elevate your privileges within the network.
Let’s take a simple example. Say you’re on a compromised Windows machine and need to elevate your privileges. You use Mimikatz to dump the LSASS process and voila – you have the NTLM hash of an account. Now, it’s party time! You can use this hash to move laterally, access domain services, and impersonate users.
Another star player in the post-exploitation game is DCSync. It impersonates a domain controller and asks a real one to replicate the password data of a targeted account, such as a machine account. Talk about being a wolf in sheep’s clothing!
Post Exploitation with Lateral Movement Techniques
| Term | Explanation/Use Case |
|---|---|
| Kerberos Ticket | Encrypted credential used to authenticate users and services |
| Rubeus | A tool to interact with Kerberos tickets |
| SPN | Service Principal Name used for service instances |
| Machine Account | Account representing a machine on the network |
| Domain Controller | A server managing security, users, groups, etc. |
| DCSync | A technique to pull password hashes from AD |
| Constrained Delegation | Allows a service to impersonate users to specific services |
| Unconstrained Delegation | Gives broader impersonation privileges |
| Mimikatz | A tool to extract credentials from memory |
| NTLM Hash | A hash of the user’s password |
| Privilege Escalation | Increasing the level of access/privileges |
| Group Policy | Policies managing user and machine settings |
| Forest Trust | Trust between different AD forests |
| Dump LSASS | Extracting credentials from the LSASS process |
| Enumeration | The process of extracting information about a network |
So next time you hear about a machine account or Kerberos, remember – these aren’t just jargon. They are keys to a vast, intricate world that is a Windows network. The right knowledge, e.g., lateral movement cheat sheets and tools and techniques like Rubeus, SPN enumeration, and DCSync, can turn this jargon into stepping stones, leading you from a mere local admin to the grandeur of domain admin.
But remember, with great power comes great responsibility. Happy (ethical) hacking!
Active Directory Lateral Movement Cheat Sheet
Overview of Active Directory Lateral Movement
Lateral movement within Active Directory (AD) is akin to a dance through a network, a meticulous journey where each step is critical. Imagine finding yourself in a vast library. You have access to a limited section, but beyond your reach lies a trove of information (i.e., binary data, databases, and user accounts). That’s somewhat similar to the challenge in Active Directory. You’re inside, but you want more, and lateral movement is the key.
Techniques for Exploiting Active Directory
Active Directory can be perceived as a treasure trove filled with informational jewels. One of those jewels is binary data. With binary at hand, exploiting Active Directory becomes a piece of cake.
One common technique involves using PowerView. It’s a tool, no, a wand, that unveils the mystical realms of AD. With it, you can wave hello to the network’s secrets and gather crucial data. Using PowerView thrice or even seven times isn’t unusual in this enchanted journey. It allows us to perform domain enumeration efficiently.
A trust key is another magical element in this journey. It’s not just a key; it’s a skeleton key, opening numerous locks, revealing hidden passageways within the AD realms. A trust key underpins the trust relationship between two domains, and that relationship allows entry into domains that were once considered inaccessible.
The sacred texts, or shall I say, the msDS-AllowedToActOnBehalfOfOtherIdentity attribute, can be a game changer. It’s not a spell from an arcane book but a feature that allows one entity to represent another: resource-based constrained delegation (RBCD). It’s delegation, but not the mundane corporate type. Here, you’re almost like a shape-shifter, taking forms, accessing realms, all on behalf of the user.
Remember, SID history is like your ancestral lineage engraved in the annals of AD. It’s not just a history; it’s an identity, a past, a presence that can be invoked to claim privileges, to become more than what you are, or were.
While write permissions can sometimes be overlooked, having them is like owning a wizard’s quill. With it, you can rewrite reality, change attributes, and set conditions (permission to set userAccountControl flags, for instance) that transform the ordinary user into extraordinary beings with powers that can manipulate the very fabric of AD.
Table for Exploiting Techniques:
| Technique | Description |
|---|---|
| Using PowerView | A tool for unveiling AD’s secrets |
| Trust Key | A skeleton key for opening numerous locks |
| SID History | An identity lineage for claiming privileges |
| Write Permissions | A wizard’s quill to rewrite AD reality |
| msDS-AllowedToActOnBehalfOfOtherIdentity | A feature for delegation and shape-shifting |
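The delegation settings, SID history and userAccountControl flags this section talks about are all stored as attributes on the account objects, so a defender can audit for them directly. The following is an added example (not the page’s or any project’s code) that does that over constructed LDAP-style records; the attribute names, flag bit values and well-known RIDs are the real Active Directory ones, while the account names and attribute values are made up.

```python
# Added example (not the page's or any project's code): audit account objects
# for the delegation and identity settings discussed above. The records are
# constructed to look like LDAP attribute dictionaries; in practice they would
# come from an LDAP query against the domain.

# userAccountControl bit flags (values from the AD schema).
UF_TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
UF_NOT_DELEGATED = 0x100000                    # "account is sensitive and cannot be delegated"
UF_DONT_REQ_PREAUTH = 0x400000                 # Kerberos pre-authentication not required
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition
PRIVILEGED_RIDS = {"512", "519"}               # Domain Admins, Enterprise Admins

# Constructed sample objects (made-up names; the RBCD value is a stub, not a full descriptor).
ACCOUNTS = [
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x1000 | UF_TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x200 | UF_TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["cifs/FILE01.corp.local"]},
    {"sAMAccountName": "FILE01$", "userAccountControl": 0x1000,
     "msDS-AllowedToActOnBehalfOfOtherIdentity": b"\x01\x00\x04\x80"},
    {"sAMAccountName": "legacy_app", "userAccountControl": 0x200 | UF_DONT_REQ_PREAUTH},
    {"sAMAccountName": "jdoe", "userAccountControl": 0x200,
     "sIDHistory": ["S-1-5-21-111-222-333-512"]},
    {"sAMAccountName": "da_admin", "userAccountControl": 0x200, "adminCount": 1},
    {"sAMAccountName": "hardened_admin", "userAccountControl": 0x200 | UF_NOT_DELEGATED,
     "adminCount": 1},
]


def audit_account(acct):
    """Return [(finding, detail), ...] for one account; an empty list means nothing flagged."""
    uac = acct.get("userAccountControl", 0)
    findings = []
    if uac & UF_TRUSTED_FOR_DELEGATION:
        findings.append(("unconstrained-delegation",
                         "TRUSTED_FOR_DELEGATION: can impersonate any user to any service"))
    if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
        findings.append(("protocol-transition",
                         "TRUSTED_TO_AUTH_FOR_DELEGATION: can request tickets for users without their credentials"))
    if acct.get("msDS-AllowedToDelegateTo"):
        findings.append(("constrained-delegation",
                         "may impersonate users to: " + ", ".join(acct["msDS-AllowedToDelegateTo"])))
    if acct.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
        findings.append(("rbcd", "resource-based constrained delegation is configured; "
                                 "review who holds write access to this attribute"))
    if uac & UF_DONT_REQ_PREAUTH:
        findings.append(("as-rep-roastable",
                         "DONT_REQ_PREAUTH: an AS-REP can be obtained without the password"))
    if acct.get("sIDHistory"):
        rids = {sid.rsplit("-", 1)[-1] for sid in acct["sIDHistory"]}
        level = "privileged" if rids & PRIVILEGED_RIDS else "non-privileged"
        findings.append(("sid-history", f"sIDHistory carries {level} SIDs: {acct['sIDHistory']}"))
    if acct.get("adminCount") == 1 and not uac & UF_NOT_DELEGATED:
        findings.append(("admin-delegatable",
                         "privileged account lacks NOT_DELEGATED; the flag or Protected Users blocks impersonation"))
    return findings


def audit(accounts):
    """Map sAMAccountName -> list of finding keys, for accounts with at least one finding."""
    report = {}
    for acct in accounts:
        keys = [key for key, _ in audit_account(acct)]
        if keys:
            report[acct["sAMAccountName"]] = keys
    return report
```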
How to Use the Cheat Sheet for Active Directory
Now that you’re equipped with arcane knowledge and magical tools, it’s time to delve into the cheat sheet. Consider this your map through the AD wilderness, a guide inscribed with incantations and paths that twist and turn through the binary forests and database mountains of the AD landscape.
Firstly, grasp PTT (Pass The Ticket) like a sorcerer’s stone. Every touch is a conduit of power, a means to pass this ticket, opening doorways and unveiling secrets. With PTT, even a compromised target system isn’t the end, but a beginning of another clandestine journey.
With database links, consider them akin to mystical bridges. Each link a pathway, a connection to another realm within the AD universe. They’re not just technical jargon but lifelines that weave through the binary constellations of AD.
Never underestimate the power of the masterkey. It’s not a myth, but a reality. A key that doesn’t just unlock, but unveils, decrypts and lays bare the AD’s concealed treasures. But remember, with great power comes…well, you know the rest.
As you venture deeper using this cheat sheet, invoking tools like Invoke-Mimikatz or SafetyKatz, you’re not just executing commands; you’re conjuring powers, tapping into the very soul of AD to extract and exploit.
Remember, this cheat sheet isn’t a rigid scroll. It’s alive, pulsating with RPC (Remote Procedure Call) that’s not just a protocol, but a summoning, a call to the distant, the remote, making the inaccessible, accessible.
Table for Cheat Sheet Usage:
| Tool/Technique | Purpose | Essence |
|---|---|---|
| PTT | Opens doorways and unveils AD secrets | Magical Conduit |
| Database Links | Pathways connecting realms within AD | Mystical Bridges |
| Masterkey | Unlocks and unveils AD’s concealed treasures | Supreme Power |
| Invoke-Mimikatz/SafetyKatz | Extracts and exploits AD’s soul | Conjuring Powers |
| RPC | Makes the inaccessible, accessible | Summoning Call |
Embrace this cheat sheet like a magical grimoire. Every line, a spell; every technique, an incantation; weaving through the AD realms with the grace of a wizard, the stealth of a rogue, and the wisdom of a sage.
Armed with this knowledge, not just as words but as potent spells, the AD realms aren’t just technical domains but mystical landscapes awaiting your exploration. Every binary data point, every trust key, and SID history isn’t a term but a magical entity, a companion in this enchanted journey.
And as you traverse this path, remember, in the world of AD, you’re not just an administrator; you’re a wizard, a guardian, and perhaps, a conqueror. Every GPO (Group Policy Object), every RPC, isn’t a tool, but a wand, casting spells that weave security, invoke powers, and dictate the very laws of the AD universe.
In this journey, remember, every step is a dance, a meticulous ballet through the binary forests, database mountains, and user account rivers of AD. Each using PowerView invocation, every trust key turn, isn’t a technical act, but a magical dance, a rhythm that echoes through the silent corridors, the hidden chambers, and the forbidden realms of Active Directory.
And with that, esteemed seeker of AD secrets, may your journey be filled with discoveries, your paths illuminated with knowledge, and every binary data, a magical glyph; every trust key, a talisman; and every SID history, a sacred text, guiding your steps through the enchanted landscapes of Active Directory.
Remember, in AD, you’re not walking a path; you’re weaving a spell, echoing a chant, and dancing a mystical dance that doesn’t just access, but summons, unveils, and conquers the hidden, the forbidden, and the mystical within the binary realms of Active Directory.
Command Reference Cheat Sheet
Overview of Common Commands for Lateral Movement
Navigating through a network often involves the necessity of lateral movement – that is, moving from one system to another to access resources, gather further information, or achieve other objectives. You might encounter situations where you need to use the NTLM hash to authenticate and progress. Now, I know these terms can be a little confusing, so let’s break them down with real-life examples.
Imagine you’re a detective, and you’re trying to gather clues. Each system or network is like a different room with potential evidence. The NTLM hash is akin to having the right key to open certain doors (or in technical jargon, authenticate your access). But remember, you can’t just go opening every door willy-nilly. You need to know which doors to open and how to do it without alerting anyone. That’s where these commands come in handy!
Here are some commands that are practically your detective toolkit:
- ✅ Requesting Valid Tickets: To access certain rooms, or rather, systems, sometimes you need a special pass. In our world, that’s akin to using an account to request a valid TGT (Ticket Granting Ticket). It’s a bit like needing a warrant to search a property.
- ✅ Permissions and Flags: Think of ACL write permissions like having the authority to search different areas of a property. They need to be specific; you can’t just rummage through everything. There are also the userAccountControl flags on the target user, which dictate what areas (systems) and information you can access and modify. It’s like having restrictions on your warrant.
- ✅ Post-Exploitation: After gaining access, privesc or post-exploitation is like finding additional clues or pathways to other rooms. But always be cautious; not every room (system) is meant to be ventured into without the right permissions.
Here’s a little table to put it into perspective:
| Command/Action | Detective Analogy | Technical Explanation |
|---|---|---|
| Request a valid TGT | Obtaining a Warrant | Used to authenticate and access a system. |
| ACL write permissions | Search Authority | Determine where and what you can access and modify. |
| userAccountControl flags on the target user | Warrant Restrictions | Indicate the level of access and modification allowed. |
How to Use the Cheat Sheet for Command Reference
Every detective needs their toolkit organized and ready to go. In the cyber world, having a cheat sheet is akin to having a well-packed kit. The list of commands and actions, like `lsadump` or `dcsync`, are your tools, each serving a specific purpose. It’s crucial to know the full functionality of each, i.e., what each tool (command) is capable of.
Think of it like this: If you were to forge a ticket (not that we’re encouraging any illegal activities here!), it would be akin to creating a master key to access different rooms (systems) within a building (network). Since a forest is like a collection of different buildings, each with their own sets of rooms, knowing how to navigate is crucial.
Here’s a little tip: remember the variables you set along the way. They are like the little notes that detectives keep – specific details about each case (or in our case, each network or system). It’s how you remember the intricate details and peculiarities of each “case.”
But be warned, some areas like the DC (Domain Controller) should be approached with caution. If you find that a DC is vulnerable, it’s like discovering an unlocked door – enticing but potentially dangerous. Attacks against RBCD (Resource-Based Constrained Delegation) are common, and even OS commands can sometimes be used against you.
Examples of Commands for Different Scenarios
Now let’s delve into some juicy examples. You’ve got your detective hat on, and you’re ready to explore, but remember, every building (network) is different, and you need to adapt accordingly.
- ✅ Gathering Information: Imagine you’re stepping into a new case, and you need to assess the scene. In the cyber world, that’s akin to noting the SID of each object to gather specific user and frontend system information. It’s like taking photos of the crime scene for later analysis.
- ✅ Advanced Maneuvers: In some scenarios, particularly sensitive or complex ones, you may need to dump the TGTs (i.e., extract Ticket Granting Tickets). It’s like finding a hidden stash of keys – each one potentially opening up new paths of investigation.
- ✅ The Domain Controller (DC): Every detective story has that one room where all the secrets lie. In our world, that’s the DC. But remember, the DC should come with a warning label. It’s not just about finding it; it’s about knowing how to navigate it. Trusted for delegation is key here; it’s like having the trust of the chief – access but with accountability.
Here’s another quick table for easy reference:
| Scenario | Command Example | Real-Life Analogy |
|---|---|---|
| Gathering Information | Noting the SID | Taking photos at the crime scene. |
| Advanced Maneuvers | Dump the TGTs | Finding a hidden stash of keys. |
| The DC | Trusted for Delegation | Having the trust of the chief. |
Navigating through different systems and networks is a delicate dance. Always be mindful of your actions, and remember – every command is a tool, and like any good detective, knowing when and how to use each tool is the key to cracking the case. Keep this cheat sheet handy, adapt to each new “case,” and happy sleuthing!
Red Team Cheat Sheet
Overview of Red Teaming
Red teaming, my friend, is akin to a simulated attack on an organization’s security posture, conducted in a controlled environment. This approach is a powerful way to gain insights into the vulnerabilities and weaknesses within a system, network, or application that might be exploited by malicious actors. If you’ve ever watched a heist movie, think of red teaming like the practice run the thieves do to ensure their plan is foolproof – but in this case, it’s all legal and for a good cause!
In this dance of attack and defense, there’s another team – the blue team. They’re the defenders, the guardians of the castle. While the blue team fortifies and defends, the red team prods, pokes, and tries to find a way in. It’s a dance as old as time, or at least as old as computer networks.
Red teaming employs a set of techniques designed to mimic the strategies, tactics, and procedures of real-world attackers. This isn’t about randomly poking at firewalls and hoping for the best. It’s calculated, it’s strategic, and it employs various sophisticated techniques to get the job done.
Techniques for Red Teaming
So, what’s in the red team’s arsenal? Well, a variety of tools and tactics that can make even the strongest fortresses (or networks, in our case) quake in their boots if not properly defended.
- 📛 Phishing Attacks: These are your covert ops, stealth missions where malicious emails are the weapon of choice. They look innocent, but with one click, it’s game on.
- 📛 Password Attacks: Ever tried a bunch of keys on a locked door hoping one would work? That’s kind of what password attacks are like. The red team tries to guess, crack, or bypass password protections to gain unauthorized access.
- 📛 Physical Security Breaches: Sometimes, the old ways are the best. Physical intrusions can involve an attacker (in a legal, simulated context, of course) trying to gain direct access to secure areas or systems.
- 📛 Network Vulnerability Exploitation: This is where the magic of software meets the art of attack. The red team seeks out vulnerable spots in a network’s armor to exploit, giving them access or control.
Now, here’s where it gets juicy. Let’s say the red team wants to elevate their privileges but they can’t become DA (Domain Administrator) because the blue team has fortified the defenses well. What do they do? They look for other opportunities, other vulnerabilities. This could involve trying to compromise the target forest’s DC (Domain Controller) or seeking out other systems that might be easier to exploit.
Additionally, while on their quests, red teamers also routinely look for unsecured data, misconfigurations, or any low-hanging fruit that could provide them easy access or valuable information.
How to Use the Cheat Sheet for Red Teaming
So you’ve got the basics down. But how do you maneuver through this complex and intricate world of red teaming without getting lost? Enter the cheat sheet, a concise set of notes or a guide, if you will, highly recommended for intermediate to advanced red teamers. This isn’t your average ‘how-to’ guide; it’s a compass that navigates through the multifaceted landscape of cybersecurity.
Here’s what you need to keep in mind:
- ✅ Understand the Techniques: Each tactic or strategy listed isn’t just a name. It’s an entity of its own, with its own strengths, weaknesses, and quirks. So delve into each, understand it, live it.
- ✅ Legal and Ethical Boundaries: Remember, with great power comes great responsibility. Always ensure your activities are within legal and ethical boundaries. No crossing the lines.
- ✅ Real-World Applications: Each technique can be visualized in real-world scenarios. For instance, imagine a phishing attack being like those strangers offering free candy – it looks tempting, but there’s danger lurking beneath.
To delve into an example, let’s use password attacks. We aren’t just talking about someone sitting and guessing passwords. It’s more sophisticated, using tools and algorithms to speed up the process, much like a locksmith picking a lock – but again, all legal and ethical.
In this intricate dance, each step, each move is a learning process. This cheat sheet isn’t just a guide; it’s your companion in this journey. It’s a blend of art and science, of attack and defense, of learning and doing.
So, as you step into the world of red teaming, keep this cheat sheet close. It’s your map through the intricate, challenging, but ultimately rewarding world of cybersecurity. Every term, every technique, is a piece of the puzzle, a step in the dance, an integral part of the journey. And remember, it’s not just about the attack; it’s about learning, growing, and fortifying against future threats. Happy red teaming!