
Double Hop Problem and Lateral Movement

The double hop problem is related to the concept of logon type: not every logon works the same way. A basic Interactive logon (type 2) occurs when a user physically logs into Windows at the console. When this happens, the credentials (NT hash or Kerberos TGT) are stored in LSASS memory and are reused for further authentication, e.g. to SMB shares.

In lateral movement, however, the Network logon (type 3) occurs most often. For this logon type the credentials are not passed to the LSASS memory of the target machine. Although the logon succeeds (you can execute commands), you cannot authenticate onward from that machine, e.g. to an SMB share, because there are no cached credentials in the current session. This is the so-called double hop problem.

When the double hop problem doesn't occur:

  • RDP connection
  • PowerShell Remoting with CredSSP
  • runas session
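The following PowerShell session is an added example, not part of the original note, that makes the problem described above observable in a lab. It assumes two domain-joined hosts, named HOST1 and HOST2 here as placeholders, where the current user is a local administrator on HOST1 and has read access to the share \\HOST2\share; the first hop is a PowerShell Remoting session, the second hop is an SMB access attempted from inside it, and the last step shows what the first hop looks like in HOST1's Security log.

```powershell
# Added example (not from the original note). HOST1, HOST2 and \\HOST2\share
# are placeholders for lab hosts; adjust them to your own environment.

# First hop: PowerShell Remoting to HOST1. WinRM performs a Network logon
# (type 3) on HOST1, so no NT hash or TGT of ours is placed in HOST1's LSASS.
$s = New-PSSession -ComputerName HOST1

# Anything that only needs HOST1 itself works normally.
Invoke-Command -Session $s -ScriptBlock { whoami; hostname }

# Inside the first hop there is no cached TGT to reuse: klist for the remoting
# session shows no tickets we could present to another host.
Invoke-Command -Session $s -ScriptBlock { klist }

# Second hop: HOST1 now tries to reach HOST2 on our behalf. With nothing in
# LSASS to authenticate with, the SMB connection is attempted without our
# credentials and is rejected. The exact message varies (access denied /
# logon failure), so the error is caught and printed.
Invoke-Command -Session $s -ScriptBlock {
    try {
        Get-ChildItem -Path '\\HOST2\share' -ErrorAction Stop
    } catch {
        "Second hop failed as expected: $($_.Exception.Message)"
    }
}

# Defender's view: on HOST1 the first hop is recorded as a 4624 event with
# LogonType 3, the logon type that does not cache credentials. Reading the
# Security log requires administrative rights on HOST1.
Invoke-Command -Session $s -ScriptBlock {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 20 |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = $d['TargetUserName']
                LogonType = $d['LogonType']
                Process   = $d['ProcessName']
            }
        } |
        Where-Object { $_.LogonType -in '2', '3', '10' } |
        Format-Table -AutoSize
}

Remove-PSSession $s
```

The three exceptions listed above avoid the problem because each of them produces a logon on the first hop in which the credentials are present in LSASS: RDP logs the user on as RemoteInteractive (type 10), runas performs an interactive logon, and CredSSP explicitly delegates the user's credentials to the first hop. That is also the trade-off a defender should keep in mind: the same cached material that makes the second hop work is what credential-dumping on the first-hop host harvests, so a Network logon that leaves nothing behind is the safer default for remote administration.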
