Playing with Hashes and Tickets

In a current event I came across an environment where cracking hashes or tickets was not required, or basically impossible, so I started doing my research to keep track of what we can do when we only have hashes or tickets in our possession. Some are limited in what can be done, but others are freer in what we can achieve, so I will work on examples for Windows and Linux environments.

1.- PtH (Pass the Hash)

Pass the Hash is a credential theft and lateral movement technique in which an attacker can abuse the challenge-and-response nature of the NTLM authentication protocol to authenticate as a user with only the NTLM hash of the user’s password. The attacker is thus able to use the compromised account without ever brute-forcing or obtaining the plaintext password.

Administrator Privileges are required on the compromised workstation

Mimikatz:

Mimikatz is fairly easy to use. This will require us to have already obtained Administrator privileges (or SYSTEM) to dump the hashes and pass them to start using the account's privileges over the environment.

My focus will be on John, as this is an Administrator account on a remote workstation.

Now if I try to list the C directory of the remote workstation, I get what was expected: an Access Denied.

Now we will pass the hash with mimikatz

A new CMD window will open and we can check our access to the remote workstation.

Mimikatz is great, but now let’s give it a try with Linux.

Psexec.py from the impacket toolkit is a Python version of PsExec for Linux (there are also a variety of tools that achieve the same result using different methods: wmiexec, smbexec). By using these methods the tools will elevate to a SYSTEM shell because of the way they function (they create a service, and these typically run with high privileges, “SYSTEM”).

2.- SharpNamedPipePTH

(This technique can also be on par with Tokens)

A tool used for authentication via a named pipe for user impersonation. It is based on the Sharp-SMBExec tool. The tool will create a pipe and pass the hash of the user you are trying to impersonate for authentication. This is a great method to execute a binary and use your favorite method to steal or impersonate the token with your favorite C2. In this example I approach it using Cobalt Strike.

We will add the username, hash, and binary we are trying to execute, and if successful our binary will execute with the token we are trying to impersonate. From here we can inject, steal, or approach this situation any way you would like; in my preference I injected a beacon into the process.

Injected:

But there is a limitation, and I understand why the author mentioned using the tool when a certain user has access to certain resources that no one else does: this technique does not allow network authentication. This is still a great technique, just be aware of the limitations.

3.- CrackMapExec

A swiss army knife for pentesting networks, authored by byt3bl33d3r and built using Python, PowerShell, and other languages. It is meant to be the swiss knife for networking; it is an amazing tool to compromise AD, capture hashes, PtH, execute code, enumerate and more. Its usage is straightforward when passing the hash.

Here pwned just tells us that the user is a local Administrator on the workstation. It also contains a great feature to locally authenticate to the workstation. With no parameters CrackMapExec will find the domain name and use that for authentication, but if we add “--local-auth” we will authenticate locally, assuming the user is only a local account and not a domain account.

You can tell the domain switched to the workstation's name and tried to authenticate as a local user. This is something to be aware of, as sometimes we have compromised a user but not a domain user.

4.- Over-Pass-the-Hash

Over Pass the Hash is an attack that allows an intruder to authenticate as a user without having access to the user’s password. This is a technique where an attacker uses the NTLM hashes for authentication and bypasses the standard authentication step of a clear-text password for login. This technique is a combination of passing the hash and passing the ticket, so it’s called Over Pass the Hash. It allows the creation of Kerberos tickets from NTLM hashes or AES keys, which allow access to resources and services that require Kerberos authentication.

I could not duplicate the technique, as it seems I am not gaining the same keys that are shown in the example.

Example:

Mine:

Please just look at the references below

5.- NTLM Relaying

In this section we will be working with the NTLM Relaying technique. This will replay the NTLM hash to another workstation and execute code if the user has administrator privileges or permissions that allow WRITE access to an SMB share. Signing also has to be disabled; you can test this with the crackmapexec tool and view the permissions as shown below:

So jwinchester has the proper permissions on the targeted workstation, so with this we can use the ntlmrelay technique to upload and execute a beacon. As we are aware, John is an Administrator on the ECHO workstation, so we can target this machine with ntlmrelay with the “-t” parameter, but I will demonstrate code execution and a binary to be executed on the target workstation. We will also remember to enable smb2support, as this will not work with today’s networks otherwise since SMBv1 is pretty old:

Now we wait for the user to try and access our target machine, for which we can use other methods such as tainted shares, shortcut links, or any other methods that you are familiar with to capture the Net-NTLM hash. In the following example I just forced it with the user by trying to list a fake share:

When this happens the user sends the NTLM hash and we relay it to another box where the user is a Local Administrator, with this we get Code Execution.

What about a beacon that we hold on our attack box? We will use the “-e” parameter for this:

We now have a beacon with SYSTEM privileges on the workstation:

6.- PipeServerImpersonate.PS1

Administrator Privileges

Named pipes are nothing new; it's an old technology you will find in many operating systems (Unix, Windows, …) to permit asynchronous or synchronous inter-process communication (IPC) on the same computer or on different computers across the network. Named pipes are a method for I/O that is also great for executing code on other workstations, PsExec being an example of it.

You can view these easily yourself using PowerShell or pipelist from SysInternals. Now let’s try the PowerShell script.

We can see below that by utilizing the script and connecting to the pipe, we can connect to it directly via CMD just by echoing anything to it.

Now we go back to our host, where we see the new notepad process executing but with jwinchester's token.

Now we can inject a beacon into this process and impersonate the user, but this also comes with limitations: no network access. So be wary of this not being an option for lateral movement; it is more for accessing local resources specific to a user.

7.- Pass the Ticket

In pass-the-ticket attacks, an attacker is able to extract a Kerberos Ticket Granting Ticket (TGT) from LSASS memory on a system and then use this on another system to request Kerberos service tickets (TGS) to gain access to a network resource.

One primary difference between pass-the-hash and pass-the-ticket, is that Kerberos TGT tickets expire (10 hours by default) whereas NTLM hashes only change when the user changes their password. So a TGT ticket must be used within its lifetime, or it can be renewed for a longer period of time (7 days).

Tools like mimikatz can perform this attack. First let us confirm that we receive an access denied with our current user

Now with Rubeus we can monitor the network for tickets. We can force a ticket into our current session by authenticating with the user we are trying to compromise (just a demo, there might be other methods to achieve this in an active network). I focused on this target since the user has CIFS privileges over Desktop-Delta.

Some other methods to capture the tickets are available if you have the credentials and try to start an interactive logon session:

Local Login: Physically logging in at your workstation

runas: Perhaps you are a low-level helpdesk who uses /runas to spawn a CMD with a DA account; this will result in a TGT for the DA account being cached in LSASS

runas /netonly: TGT will appear after running a network command ( \\IP\SYSVOL ) or something

PsExec \\server -u user -p pwd cmd: PsExec leaves a TGT, provided explicit credentials were defined

Remote Desktop (RDP)

By placing Rubeus in monitor mode we can capture the tickets.

From here, passing the ticket is simple with Rubeus.

Now let us verify and try our access to the targeted workstation.

8.- Evil-WinRM

Another method when holding hashes is to use the PSRemote functionality. This allows us to execute code on a workstation if we have the proper privileges, which are usually Administrator when executing remote actions, or some sort of special privileges that only a certain user has.

References:

https://book.hacktricks.xyz/windows/ntlm

7 Likes
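A defender-side view of the Pass the Ticket section, as an added example that is not part of the original post: because a TGT taken from one machine is used from another, service-ticket requests (event 4769) can be checked against where that user's TGT was issued or renewed (4768/4770) within the 10-hour lifetime. The event records, IP addresses and flattened field names are constructed for illustration; treat hits as leads, since NAT, address changes or missing logs produce the same pattern.

```python
from datetime import datetime, timedelta

TGT_LIFETIME = timedelta(hours=10)  # default TGT lifetime stated in the post

# Constructed, simplified domain-controller Security events (not real logs).
# 4768 = TGT requested, 4770 = ticket renewed, 4769 = service ticket requested.
SAMPLE_EVENTS = [
    {"time": "2024-01-08T08:00:00", "id": 4768, "user": "jwinchester", "ip": "10.0.0.21"},
    {"time": "2024-01-08T08:05:00", "id": 4769, "user": "jwinchester", "ip": "10.0.0.21", "service": "cifs/fileserver"},
    {"time": "2024-01-08T08:10:00", "id": 4768, "user": "asmith", "ip": "10.0.0.30"},
    {"time": "2024-01-08T08:12:00", "id": 4769, "user": "asmith", "ip": "10.0.0.30", "service": "cifs/fileserver"},
    {"time": "2024-01-08T09:30:00", "id": 4769, "user": "jwinchester", "ip": "10.0.0.45", "service": "cifs/desktop-delta"},
    {"time": "2024-01-08T17:30:00", "id": 4770, "user": "jwinchester", "ip": "10.0.0.21"},
    {"time": "2024-01-08T19:00:00", "id": 4769, "user": "jwinchester", "ip": "10.0.0.21", "service": "cifs/fileserver"},
]


def find_orphan_service_requests(events, lifetime=TGT_LIFETIME):
    """Return 4769 events that have no TGT issue or renewal for the same
    user and client address within `lifetime` before the request."""
    last_tgt = {}  # (user, ip) -> time of the most recent 4768/4770
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        key = (ev["user"].lower(), ev["ip"])
        if ev["id"] in (4768, 4770):
            last_tgt[key] = when
        elif ev["id"] == 4769:
            seen = last_tgt.get(key)
            if seen is None or when - seen > lifetime:
                # Addresses where this user does hold a still-valid TGT
                valid_from = sorted(
                    ip for (user, ip), t in last_tgt.items()
                    if user == key[0] and when - t <= lifetime
                )
                findings.append({
                    "time": ev["time"], "user": ev["user"], "ip": ev["ip"],
                    "service": ev["service"], "tgt_seen_from": valid_from,
                })
    return findings


if __name__ == "__main__":
    for hit in find_orphan_service_requests(SAMPLE_EVENTS):
        print(f'{hit["time"]} {hit["user"]} requested {hit["service"]} from '
              f'{hit["ip"]}; TGT only seen from {hit["tgt_seen_from"] or "nowhere"}')
```
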

Nice article! Especially for internal pentesting and AD beginners like myself :smiley:

4 Likes

This is awesome man!! Who needs a password when you have an NTLM hash?

One thing that might be worth including is popping an RDP session via NTLM. This can be done with xfreerdp:
xfreerdp /u:<username> /pth:<lm:nt hash> /v:<target> /d:<domain>

3 Likes

I think this complements the OSCP documentation perfectly :wink:

3 Likes

No way OSCP has this??? Wow, I have not seen their stuff in a while, might need to catch up with them. I remember the old OSCP, but that was around 4 - 5 years ago; maybe they changed.

1 Like