Impersonation

When credentials are found (through dumping or cracking for instance), attackers try to use them to obtain access to new resources. Depending on the harvested credential material type, the impersonation can be done in different ways.

LM or NT password hash: pass-the-hash
RC4 Kerberos key (i.e. NT hash): overpass-the-hash
non-RC4 Kerberos key (i.e. DES or AES): pass-the-key (alias for overpass-the-hash)
Kerberos ticket: pass-the-ticket
plaintext password: the techniques listed below

RunAs is a standard Windows command that allows to execute a program under a different user account. When stuffing an Active Directory account's password, the /netonly flag must be set to indicate the credentials are to be used for remote access only.

bash

runas /netonly /user:$DOMAIN\$USER "powershell.exe"

Since the password cannot be supplied as an argument, the session must be interactive.

SharpLdapWhoami can then be used to make sure the user is correctly impersonated. A standard whoami command will only return the local user rights, not the users impersonated during remote operations (like LDAP queries to the DC).

powershell

.\SharpLdapWhoami.exe
.\SharpLdapWhoami.exe /method:kerberos /all

Reconnaissance

Movement

Credentials

Dumping

Bruteforcing

MITM and coerced auths

NTLM

Kerberos

Forged tickets

Delegations

DACL abuse

Netlogon

Certificate Services (AD-CS)

SCCM / MECM

Exchange services

Print Spooler Service

Schannel

Built-ins & settings

Kerberos

Certificate Services (AD-CS)

HTTP security headers

Identity and Access Management

File inclusion

LFI to RCE

Initial access (protocols)

Windows

UNIX-like

(AV) Anti-Virus

Mifare Classic

Android

Impersonation

Dumping

Bruteforcing

MITM and coerced auths

NTLM

Kerberos

Forged tickets

Delegations

DACL abuse

Certificate Services (AD-CS)

SCCM / MECM

Certificate Services (AD-CS)

HTTP security headers

File inclusion

LFI to RCE

Windows

UNIX-like

Mifare Classic

Impersonation ​

Impersonation