Checklist

Harvesting

  • Dump local credentials
    • Plaintext in memory
    • SAM dump
      • Shadow volume exploit
    • DPAPI
    • Vault
    • LAPS
  • ASREPRoast a remote machine for NTLM hashes
  • Dump NTLM hashes
    • Password to hash conversion
    • PTH
    • Request Kerberos ticket
      • OPTH
        • Try for all users
      • PTT
    • PTK from NTLM
  • Dump Kerberos tickets
    • Silver Key + PTT
    • Kerberoast for plaintext credentials
  • Dump AES keys
    • PTK with AES128/AES256

Lateral Movement

| Service | Port | Technique |
| --- | --- | --- |
| RDP | 3389 | Plaintext credentials, PTH |
| SMB | 445 | Plaintext credentials, Silver Ticket |
| MSSQL | 1433 | Silver Ticket |
| PS Remoting/WMIC/RunAs | 445 | Plaintext credentials, PTH, PTK |
