(infosec thread) one of my latest tweets was followed by some questions in my DMs. So let's answer those here and remind some concepts😈
I'll talk about pass-the-hash, pass-the-ticket, pass-the-key, overpass-the-hash, pass-the-cache, silver and golden tickets 👇
I'll talk about pass-the-hash, pass-the-ticket, pass-the-key, overpass-the-hash, pass-the-cache, silver and golden tickets 👇
Pass-the-Hash (1/4) : NTLM (LM, LMv2, NTLM or NTLMv2 depending on the version) is an authentication protocol used by Windows and AD-DS. Users have passwords, which are stored in a hashed format (LM or NT hash depending on the security settings and version).
Pass-the-Hash (2/4) : when authenticating to a remote service, the password hash is used to compute a ChallengeResponse. The LM hash is used for the LM version of the protocol while the NT hash is used for LMv2, NTLM and NTLMv2.
Pass-the-Hash (3/4) : since the password hash is used as-is, the knowledge of the password isn't required to authenticate. Only the knowledge of the LM or NT hash is needed. Using one of those hashes to authenticate is called "Pass-the-Hash"
Pass-the-Hash (4/4) : you have further questions, read thehacker.recipes/active-directo… and thehacker.recipes/active-directo…. Still have questions? You can DM or comment
Pass-the-Ticket (1/3) : Kerberos is another authentication protocol. It works with tickets and can only work for domain users (while NTLM can be used to authenticate a local user to a remote service). This one is pretty straight forward.
Pass-the-Ticket (2/3) : when attackers find Kerberos tickets that are not expired, they can use them to authenticate to remote services. That is called Pass-the-Ticket.
Pass-the-Ticket (3/3) : want to learn more about this? Read thehacker.recipes/active-directo…
Pass-the-Cache (1/1) : it's the same thing. Instead of using tickets from, or found on, Windows machines, this technique is about using tickets from, or found on, UNIX-like systems, but the principle is the same.
Pass-the-Key (1/3) : when requesting Kerberos tickets, knowledge of a shared key is needed. 4 types of keys exist : DES, RC4, AES-128 and AES-256.
Pass-the-Key (2/3) : when an attacker knows one of those keys, if the corresponding type is accepted by the KDC (Key Distribution Center, a service usually hosted on the Domain Controller), tickets can be obtained, hence allowing for Kerberos authentication to remote services.
Overpass-the-Hash (1/3) : this is the exact same thing as Pass-the-Key. The subtle difference is that RC4 Kerberos keys are actually the NT hashes of the users. And god knows how easier it is to come accross NT hashes than DES or AES Kerberos keys.
Overpass-the-Hash (2/3) : this technique is the equivalent of Pass-the-Hash, but for Kerberos. Attackers can use a user's NT hash to obtain Kerberos tickets and authenticate, without requiring the knowledge of the password.
Pass-the-Key (3/3) and Overpass-the-Hash (3/3) : want to learn more about this? Read thehacker.recipes/active-directo…
Silver Ticket (1/5) : Kerberos tickets embed a set of information that the remote service unpack and read to decide if the requesting user can have access or not. This decision is not up to the Domain Controller.
Silver Ticket (2/5) : These information are stored in a PAC (Privilege Authentication Certificate). In order to prevent users from modifying the PAC, and to allow the remote service to decrypt it, the PAC is encrypted with the remote service account's Kerberos key.
Silver Ticket (3/5) : When the RC4 etype is not disabled, the sevice account's RC4 key (NT hash) can then be used by an attacker to modify the PAC and create a Kerberos service ticket giving full access to the service.
Silver Ticket (4/5) : Nota Bene: computer accounts NT hashes could then be used to obtain admin access to computers.
Golden Ticket (1/6) : Kerberos service tickets are used to authenticate to remote services. A service ticket (TGS) can be obtained from the KDC when supplying an initial ticket (TGT). The PAC included in service tickets (TGSs) are just a copy-paste of the one included in the TGT.
Golden Ticket (2/6) : The PAC included in needs to be trusted and shouldn't be edited by anyone except the Kerberos service ticket (krbtgt). So the PAC is encrypted with the krbtgt account's Kerberos key.
Golden Ticket (3/6) : an attacker knowing a krbtgt account's key can then forge a TGT with an arbitrary PAC saying he's a Domain Admin for example. The PAC will be passed to the TGS and the attacker will have admin access to everything.
Golden Ticket (4/6) : however, this technique requires knowledge of the krbtgt key, which can usually only be obtained with a DCSync of when decrypting the NTDS.dit info. And this can only be done with Domain Admin rights or with admin access to a Domain Controller
Golden Ticket (5/6) : this technique is more of a persistence technique rather than a lateral movement/privilege escalation one.
Silver Ticket (5/5) and Golden Ticket (6/6) : want to learn more about forged ticket? Read thehacker.recipes/active-directo…
[end of thread] did I make mistakes? Do you have questions? do you want to add something? Comments and DMs are more than welcome 🤗
• • •
Missing some Tweet in this thread? You can try to
force a refresh
