PTH, PTT, Overpth, ptk
Pass-the-Ticket
Harvesting tickets from Linux
Inject ticket into current session
Rubeus
Reference: Experimenting with Kerberos Ticket Formats
Overpass The Hash/Pass The Key (PTK)
Linux
Windows
Obtain encryption key
RC4 algorithm
AES128
AES256
Using Rubeus
Pass-the-hash
Linux
Pass The Hash using crackmapexec or NXC
Since we already have the hashes, we can use them directly without needing to crack them. Use the following command for crackmapexec
Running this will attempt Pass The Hash against the machines in the network and report which machine accepted the hash for the specified user.
Here it does not say Pwned!; rather we see a green plus sign (+), which indicates that there’s a good chance the attack worked. Pwned indicates the confirmed success of the attack.
This can further be used in psexec to gain shell access through the command
This tries to find a writable share, upload a shell, and execute it to get a shell. Even though the user “frank castle” is authenticated, it does not have admin access over the shares.
Trying the same command on another machine, 192.168.1.5, gives an authentication failure
This is because we are going with local authentication. Frank Castle has access to this machine as a domain user, not as a local user. But if local authentication succeeds on a Domain Controller, we can do much more.
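The sweep described above leaves a recognisable trace on the defender's side: one account, from one source address, producing NTLM network logons (successful 4624 on hosts where the hash is accepted, failed 4625 on hosts like 192.168.1.5 where it is not) against many hosts within seconds. The following is an added detection example, not code from the original page or from crackmapexec/NetExec; the event records, host names, addresses and the `find_ntlm_sweeps` threshold are constructed here for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon records (hypothetical hosts and addresses, not taken
# from the page or from any real environment). Field names loosely mirror the
# Windows Security log 4624 (success) / 4625 (failure) event properties.
SAMPLE_EVENTS = [
    # One source address authenticating with NTLM to many hosts within seconds:
    {"time": "2024-05-01T10:00:01", "event_id": 4624, "user": "fcastle", "logon_type": 3,
     "auth_package": "NTLM", "source_ip": "192.168.1.50", "host": "WS01"},
    {"time": "2024-05-01T10:00:02", "event_id": 4624, "user": "fcastle", "logon_type": 3,
     "auth_package": "NTLM", "source_ip": "192.168.1.50", "host": "WS02"},
    {"time": "2024-05-01T10:00:02", "event_id": 4625, "user": "fcastle", "logon_type": 3,
     "auth_package": "NTLM", "source_ip": "192.168.1.50", "host": "WS03"},
    {"time": "2024-05-01T10:00:03", "event_id": 4624, "user": "fcastle", "logon_type": 3,
     "auth_package": "NTLM", "source_ip": "192.168.1.50", "host": "FS01"},
    # Normal activity: Kerberos logons and an interactive logon, should not trigger.
    {"time": "2024-05-01T10:01:00", "event_id": 4624, "user": "jdoe", "logon_type": 3,
     "auth_package": "Kerberos", "source_ip": "192.168.1.60", "host": "WS01"},
    {"time": "2024-05-01T10:01:30", "event_id": 4624, "user": "jdoe", "logon_type": 3,
     "auth_package": "Kerberos", "source_ip": "192.168.1.60", "host": "WS02"},
    {"time": "2024-05-01T10:02:00", "event_id": 4624, "user": "jdoe", "logon_type": 2,
     "auth_package": "Negotiate", "source_ip": "127.0.0.1", "host": "WS02"},
    # NTLM logons to two hosts spread across forty minutes: below the threshold.
    {"time": "2024-05-01T09:00:00", "event_id": 4624, "user": "svc_backup", "logon_type": 3,
     "auth_package": "NTLM", "source_ip": "192.168.1.70", "host": "FS01"},
    {"time": "2024-05-01T09:40:00", "event_id": 4624, "user": "svc_backup", "logon_type": 3,
     "auth_package": "NTLM", "source_ip": "192.168.1.70", "host": "FS02"},
]


def is_ntlm_network_logon(ev):
    """A network (type 3) logon negotiated with NTLM, whether it succeeded (4624)
    or failed (4625). Both outcomes matter: a PtH sweep produces failures on the
    hosts where the account has no local access."""
    return (ev["event_id"] in (4624, 4625) and ev["logon_type"] == 3
            and ev["auth_package"].upper() == "NTLM")


def find_ntlm_sweeps(events, window=timedelta(minutes=5), min_hosts=3):
    """Group NTLM network logons by (user, source_ip) and report every pair that
    touched at least `min_hosts` distinct hosts inside any span of `window`.
    Returns {(user, source_ip): sorted hosts of the widest burst} (thresholds
    are illustrative; tune them to the environment's normal NTLM use)."""
    by_actor = defaultdict(list)
    for ev in events:
        if is_ntlm_network_logon(ev):
            by_actor[(ev["user"], ev["source_ip"])].append(
                (datetime.fromisoformat(ev["time"]), ev["host"]))

    findings = {}
    for actor, hits in by_actor.items():
        hits.sort()  # time-ordered so a sliding window can be applied
        best = set()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            hosts = {h for _, h in hits[start:end + 1]}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            findings[actor] = sorted(best)
    return findings


if __name__ == "__main__":
    for (user, ip), hosts in find_ntlm_sweeps(SAMPLE_EVENTS).items():
        print(f"possible pass-the-hash sweep: {user} from {ip} -> {', '.join(hosts)}")
```

Counting failures alongside successes is deliberate: the 4625 on the host where the account only has domain access (the 192.168.1.5 case above) is part of the same burst, and a rule that only watches successful logons would see a smaller fan-out.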
Windows
PtH involves directly authenticating to a host by literally sending the password’s hash to the host during the authentication process, while OPtH is far more subtle, as it abuses Kerberos authentication.
Mitigations for Pass The Hash/Password
Preventing these attacks completely is hard, but some controls can be implemented to make them difficult for attackers. The following are some suggestions for preventing Pass The Hash/Password attacks
Limit account reuse
Do not reuse the local admin password
Disable Guest and Administrator accounts
Limit who is the local administrator
Utilize strong passwords
Longer passwords
Do not use common words
Privileged Access Management (PAM) limits Pass The Hash/Password attacks because the password/hash is strong and constantly rotated
Check out/in sensitive accounts only when needed
Automatically rotate passwords at each check out and check-in