
Privilege Escalation

Compromise local admin

Pass the Hash

Once you have the NT hash of a user, you can authenticate as that user without ever knowing the password: the NTLM challenge/response is computed from the hash alone, so the server cannot tell a replayed hash from a real logon. Either use a tool that performs the NTLM authentication directly with the hash (the impacket examples, CrackMapExec, etc.), or create a new logon session and inject the hash into LSASS for that session, so that every NTLM authentication made from it uses the injected hash. The latter is what mimikatz does with sekurlsa::pth.

Over Pass the Hash/Pass the Key

This attack uses the user's NT hash (or AES keys) to request Kerberos tickets instead of performing NTLM authentication with it. It works because the NT hash is exactly the account's RC4-HMAC Kerberos key, so it can encrypt the pre-authentication timestamp of an AS-REQ and obtain a TGT. This is especially useful in networks where NTLM is disabled and only Kerberos is allowed. Caveat: a TGT requested with the RC4 etype in a domain that otherwise uses AES stands out in the DC's 4768 events (Ticket Encryption Type 0x17), so prefer the AES keys when you have them.

Pass the Ticket

This attack is similar to Pass the Key, but instead of using a hash or key to request a ticket, the ticket itself (a TGT or a service ticket, exported from LSASS or taken from a kirbi/ccache file) is stolen and injected into a logon session to authenticate as its owner. A stolen TGT keeps working until it expires (10 hours by default), so it does not need to be used immediately.

ACLs Abuse

The compromised user (or a group it belongs to) may hold rights over other domain objects that allow lateral movement or privilege escalation: GenericAll, GenericWrite, WriteDACL or WriteOwner on a user, group or computer, the User-Force-Change-Password extended right, write access to a group's member attribute, or the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights on the domain object, which together allow DCSync. Enumerate them (for example with BloodHound) rather than guessing, since a single ACE on an unremarkable object is often the whole path.
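To make the mapping from raw ACEs to abuse primitives concrete, here is an added example (not from the original page or from BloodHound) that evaluates the allow ACEs of an object's DACL for one trustee and reports which abuses they enable. The access-mask bits are the ADS_RIGHTS_ENUM values and the three GUIDs are the well-known extended rights from the AD schema; the ACE list, trustee names and object classes are constructed. It deliberately ignores deny ACEs and inheritance, which a real evaluator must handle in order.

```python
# Well-known AD extended-right GUIDs (schema controlAccessRight objects).
FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"

# ADS_RIGHTS_ENUM bits that matter for abuse.
WRITE_PROP = 0x20          # ADS_RIGHT_DS_WRITE_PROP
CONTROL_ACCESS = 0x100     # ADS_RIGHT_DS_CONTROL_ACCESS (extended rights)
WRITE_DAC = 0x40000
WRITE_OWNER = 0x80000
GENERIC_ALL = 0xF01FF


def abuse_paths(acl, trustee, target_class):
    """Return the set of abuse primitives `trustee` gets over an object of `target_class`.

    acl: list of dicts {"type": "ALLOW"|"DENY", "trustee": str, "mask": int,
         "object_type": GUID str or None (None = applies to all properties/rights)}.
    target_class: "user", "group", "computer" or "domain".
    """
    paths = set()
    ext = set()  # extended rights granted by GUID
    for ace in acl:
        if ace["type"] != "ALLOW" or ace["trustee"] != trustee:
            continue
        mask, obj = ace["mask"], ace["object_type"]
        if mask & GENERIC_ALL == GENERIC_ALL:
            paths.add("GenericAll")
        if mask & WRITE_DAC:
            paths.add("WriteDacl")      # grant yourself anything, then come back
        if mask & WRITE_OWNER:
            paths.add("WriteOwner")     # take ownership, then WriteDacl
        if mask & WRITE_PROP and obj is None:
            paths.add("GenericWrite")   # any attribute: member, servicePrincipalName, msDS-KeyCredentialLink...
        if mask & CONTROL_ACCESS:
            if obj is None:
                paths.add("AllExtendedRights")
            else:
                ext.add(obj.lower())
    full = {"GenericAll", "AllExtendedRights"} & paths
    if target_class == "user" and (full or FORCE_CHANGE_PASSWORD in ext):
        paths.add("ForceChangePassword")
    if target_class == "group" and ({"GenericAll", "GenericWrite"} & paths):
        paths.add("AddMember")
    if target_class == "domain" and (full or {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL} <= ext):
        paths.add("DCSync")
    return paths


# Constructed DACL for the domain object: alice holds both replication rights, bob only one.
DOMAIN_ACL = [
    {"type": "ALLOW", "trustee": "LAB\\alice", "mask": CONTROL_ACCESS, "object_type": DS_REPLICATION_GET_CHANGES},
    {"type": "ALLOW", "trustee": "LAB\\alice", "mask": CONTROL_ACCESS, "object_type": DS_REPLICATION_GET_CHANGES_ALL},
    {"type": "ALLOW", "trustee": "LAB\\bob", "mask": CONTROL_ACCESS, "object_type": DS_REPLICATION_GET_CHANGES},
]

# Constructed DACL for a user object: helpdesk can reset the password, bob holds WriteOwner.
USER_ACL = [
    {"type": "ALLOW", "trustee": "LAB\\helpdesk", "mask": CONTROL_ACCESS, "object_type": FORCE_CHANGE_PASSWORD},
    {"type": "ALLOW", "trustee": "LAB\\bob", "mask": WRITE_OWNER, "object_type": None},
    {"type": "DENY", "trustee": "LAB\\carol", "mask": GENERIC_ALL, "object_type": None},
]

if __name__ == "__main__":
    for trustee in ("LAB\\alice", "LAB\\bob"):
        print(trustee, "on domain:", sorted(abuse_paths(DOMAIN_ACL, trustee, "domain")))
    for trustee in ("LAB\\helpdesk", "LAB\\bob", "LAB\\carol"):
        print(trustee, "on user:", sorted(abuse_paths(USER_ACL, trustee, "user")))
```

Note that DCSync needs both replication rights, which is why bob's single ACE yields nothing, while GenericAll or AllExtendedRights on the domain object implies both; likewise WriteOwner alone gives no direct action but becomes WriteDacl and then anything after one ownership change.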

Attacking Domain Trusts