Pass the Key

4. Pass the Key (aka Overpass the Hash): uses the user's NTLM hash to request Kerberos tickets, as an alternative to Pass the Hash over the NTLM protocol.
Requires:
- a system where NTLM authentication is disabled and only Kerberos authentication is allowed
- the NTLM hash or password of the target user
Results in: access to a service/machine which the target user has permissions to (get shell).
Tools: impacket's getTGT.py & psexec.py (Linux), Rubeus (Windows)
Linux: getTGT.py DOMAIN/USERNAME -dc-ip $IP -hashes :NTHASH
export KRB5CCNAME=USERNAME....

January 21, 2025 · 1 min · 91 words

Pass the Ticket

5. Pass the Ticket: similar to Pass the Key, but steals a ticket instead of requesting a ticket via a known hash.
In Linux, tickets are stored in credential caches (ccache), in 3 main locations:
- files, /tmp/krb5cc_%{uid} (default)
- kernel keyrings - a special space in the Linux kernel for storing keys
- process memory - used when only one process needs to use the ticket
In Windows, tickets are handled and stored by the LSASS (Local Security Authority Subsystem Service) process, responsible for security....

January 21, 2025 · 1 min · 163 words