RFC - Offensive Security Notes

Kerberos double hopping

Overview

Kerberos double hopping can be an issue with PowerShell remoting in Windows domains, especially when using remote sessions to access resources on multiple servers.

When using PowerShell remoting, a user's credentials are passed from their computer to the remote server to authenticate the remote session. However, if the user's computer is not configured to allow delegation of credentials, the Kerberos ticket used to authenticate the remote session will only be valid for the remote server, and not for any other servers that the user may access during the session.

This means that if the user attempts to access a resource on a third server during the remote session, their computer will need to request a new Kerberos ticket for that server, and this can result in a double hopping scenario if the user's computer is not configured for delegation of credentials.

Examples to bypass

Set up new PowerShell session configurations

In this example, we will work on a server named SRV1 and create a new session configuration on this machine using the Register-PSSessionConfiguration cmdlet. This command creates a new session configuration on the remote computer that, when connected to, always runs with the credentials provided.

Invoke-Command -ComputerName SRV1 -ScriptBlock { Register-PSSessionConfiguration -Name KerbHopping -RunAsCredential 'domain\mydomainaccount' -Force }

We will need to specify the configuration to use when running our commands.

Invoke-Command -ComputerName 'SRV1' -ScriptBlock { Get-ChildItem -Path \\SRV2\c$ } -ConfigurationName KerbHopping

Automatically invoke the configuration name.

To apply the configuration name automatically and avoid retyping it every time, we can set the $PSDefaultParameterValues preference variable.

$PSDefaultParameterValues = @{'Invoke-Command:ConfigurationName'='KerbHopping'}

Deleting the session configuration

To clean up you can delete the session configuration.

Invoke-Command -ComputerName 'SRV1' -ScriptBlock { Unregister-PSSessionConfiguration -Name "KerbHopping" -Force }
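A way to review what this technique leaves on a server, as an added example that is not part of the original notes: anyone permitted to connect to a session configuration registered with -RunAsCredential runs commands as the stored account, so the function below lists every such configuration together with the non-administrator principals its ACL admits. The function name Get-RunAsSessionConfiguration is hypothetical, and the code assumes it is run from an elevated prompt on the server itself (SRV1 in the example above).

```powershell
# Added example, not from the original notes.
# Lists session configurations that run under stored credentials and shows
# who, besides local administrators, is allowed to connect to them.
function Get-RunAsSessionConfiguration {
    [CmdletBinding()]
    param()

    $adminSid = 'S-1-5-32-544'   # BUILTIN\Administrators (well-known SID)

    foreach ($config in Get-PSSessionConfiguration) {
        # Only endpoints registered with -RunAsCredential have RunAsUser set.
        if ([string]::IsNullOrEmpty($config.RunAsUser)) { continue }

        $nonAdmin = @()
        if ($config.SecurityDescriptorSddl) {
            # Parse the endpoint ACL by SID so the check does not depend on
            # localized group names.
            $sd = New-Object -TypeName System.Security.AccessControl.RawSecurityDescriptor `
                             -ArgumentList $config.SecurityDescriptorSddl
            foreach ($ace in $sd.DiscretionaryAcl) {
                if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
                if ($ace.SecurityIdentifier.Value -eq $adminSid) { continue }
                try {
                    $nonAdmin += $ace.SecurityIdentifier.Translate(
                        [System.Security.Principal.NTAccount]).Value
                }
                catch {
                    # SID could not be resolved to a name; report it raw.
                    $nonAdmin += $ace.SecurityIdentifier.Value
                }
            }
        }

        [pscustomobject]@{
            Name               = $config.Name
            RunAsUser          = $config.RunAsUser
            NonAdminPrincipals = $nonAdmin -join ', '
            Sddl               = $config.SecurityDescriptorSddl
        }
    }
}

Get-RunAsSessionConfiguration | Format-List
```

An empty result after the Unregister-PSSessionConfiguration step confirms that no RunAs endpoint remains on the server.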

References

How to avoid the double-hop problem with PowerShell | TechTarget SearchWindowsServer

Last updated 2 years ago