The double hop problem occurs when we move to a different computer using a network authentication logon type, which means the credentials are not sent to the target. As a result, we are unable to access network resources from the remote host.
This usually happens because we used WMI or WinRM to perform lateral movement. Both use the network logon type, which doesn't store the credentials in the logon session.
Example of lateral movement using WinRM:
PS C:\Users\iron> Enter-PSSession -ComputerName Windows02
[Windows02]: PS C:\Users\iron\Documents> net users /domain
The request will be processed at a domain controller for domain iron.local.
net : System error 5 has occurred.
+ CategoryInfo : NotSpecified: (System error 5 has occurred.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
Access is denied.
[Windows02]: PS C:\Users\iron\Documents>
We were unable to access domain resources.
Authenticating using CredSSP
PS C:\Windows\system32> Enter-PSSession -ComputerName Windows02 -Authentication Credssp -Credential IR\iron
[Windows02]: PS C:\Users\iron\Documents> net user /domain
The request will be processed at a domain controller for domain iron.local.
User accounts for \\windows01.iron.local
-------------------------------------------------------------------------------
abc Administrator bglocaladmin
Guest iron krbtgt
The command completed successfully.
[Windows02]: PS C:\Users\iron\Documents>
Steal a token - steal the token of a user that points to a non-network logon session.
Inject into a different token - inject into a token with an interactive session.
Create token - Use make_token to create a new logon session that has credentials.
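How the logon types above look from the defender's side, as an added example that is not part of the original page: Security event 4624 records the default WinRM/WMI logon as type 3 (Network), a CredSSP session as type 8 (NetworkCleartext), and a logon session created with LogonUser and LOGON32_LOGON_NEW_CREDENTIALS, the call make_token relies on, as type 9 (NewCredentials). The event XML, the address 192.0.2.10 and the helper names (`parse_4624`, `triage`, `_sample`) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Logon type -> (name, session on the target holds credentials for a second hop).
# Type numbers follow Microsoft's documentation for Security event 4624.
LOGON_TYPES = {
    2: ("Interactive", True),
    3: ("Network", False),           # default WinRM/WMI (no delegation configured)
    8: ("NetworkCleartext", True),   # WinRM with -Authentication Credssp
    9: ("NewCredentials", True),     # LogonUser + LOGON32_LOGON_NEW_CREDENTIALS
}
REVIEW = {8, 9}  # credential-bearing types worth reviewing when they appear


def parse_4624(xml_text):
    """Return the fields of one event 4624 as a dict, or None for other events."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4624":
        return None
    data = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
    data["Computer"] = root.findtext("e:System/e:Computer", default="", namespaces=NS)
    return data


def triage(xml_events):
    """Classify each logon and flag those that leave reusable credentials behind."""
    rows = []
    for ev in filter(None, map(parse_4624, xml_events)):
        ltype = int(ev.get("LogonType") or 0)
        name, reusable = LOGON_TYPES.get(ltype, ("Other", False))
        rows.append({"host": ev["Computer"], "user": ev.get("TargetUserName", ""),
                     "source": ev.get("IpAddress", ""), "type": name,
                     "second_hop": reusable, "review": ltype in REVIEW})
    return rows


def _sample(event_id, logon_type):  # constructed test data, not real logs
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<Computer>Windows02.iron.local</Computer></System><EventData>'
            f'<Data Name="TargetUserName">iron</Data>'
            f'<Data Name="LogonType">{logon_type}</Data>'
            f'<Data Name="IpAddress">192.0.2.10</Data></EventData></Event>')


SAMPLES = [_sample(4624, 3), _sample(4624, 8), _sample(4634, 3), _sample(4624, 9)]

if __name__ == "__main__":
    for row in triage(SAMPLES):
        print(row)
```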